Hello, I am having issues using OCSP stapling with a letsencrypt certificate, which are common things nowadays.
I have loaded the proof with the following openssl command:

    openssl ocsp -respout ocsp.der -no_nonce -issuer chain.pem -cert cert.pem -url http://ocsp.int-x3.letsencrypt.org -header "HOST" "ocsp.int-x3.letsencrypt.org" -verify_other chain.pem -rother chain.pem

As you can see, I have to use "-verify_other chain.pem" to be able to get a positive verification for OCSP.

The problem I have now is that exim is unable to verify the signature. I have added chain.pem in the tls_verify_certificates parameter (you need to do the same in nginx for stapling to work). But it seems exim is not using the tls_verify_certificates parameter to validate the OCSP signature.

In tls-openssl.c, OCSP_basic_verify is called (twice) with the second parameter being NULL:

    i = OCSP_basic_verify(basic_response, NULL, store, verify_flags);

In the openssl source, you can see that the call should be something like:

    OCSP_basic_verify(bs, verify_other, store, verify_flags);

So the NULL should probably be tls_verify_certificates for OCSP stapling to work.

Best Regards
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
