Hi,
We have the following CA/Sub-CA structure:
Root CA
|
+- Servers CA
|
+- OCSP Signing Certificate
+- sth.domain.com
The OCSPD configuration file is attached. cacert.pem and chain_certs.pem contain the Servers CA certificate.
When Mozilla Firefox 1.0RC1 tries to validate the host certificate via OCSP, the following error occurs:
Error establishing an encrypted connection to sth.domain.com. Error Code: -8052.
In http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html , this error is explained as:
SEC_ERROR_EXTRA_INPUT -8052 "DER-encoded message contained extra usused data."
Is there some implementation limit (either in OpenCA OCSPD or in Mozilla) on the OCSP response size? The Root CA, Servers CA, and OCSP Signing keys are all RSA-4096. I don't know if it's related, but when the openssl ocsp -text command is used, the output was cut off at 16384 (0x4000) and was obviously truncated. After reporting that the cert is valid, openssl ocsp crashes with SEGV (Debian openssl 0.9.7d-5). Fedora Core 2 openssl-0.9.7a-35 doesn't crash, and also says the cert is valid.
When we tried with an OCSP Signing key of length 1024 bits, the output does not look truncated, but the same behaviour still occurs in Mozilla, Debian's openssl and Fedora's openssl.
Does anyone have an idea how this problem can be solved?
When we run openssl ocsp as the responder, Mozilla works as expected (no errors, and the cert is validated), but the openssl ocsp client in Debian still crashes with SEGV.
I'm not complaining about openssl -- I mention its behaviour only to give you more information.
Regards, ogi
# OCSPd example configuration file.
# (c) 2001 by Massimiliano Pala - OpenCA Project.
# All rights reserved
# Entry section: only names the section holding the responder's settings.
# Syntax throughout is OpenSSL CONF style rather than plain INI: `#` starts
# a comment (inline comments are accepted), `$name` expands a key defined
# earlier in the same section, and `@name` refers to another section.
[ ocspd ]
default_ocspd = OCSPD_default # The default ocspd section
####################################################################
# Main responder settings (selected via default_ocspd in [ ocspd ]).
[ OCSPD_default ]
# Base directory. The `$dir` references below expand to this value, so it
# must stay defined before they are used.
dir = /usr/local/etc/ocspd/servers-ca # [] Where everything is kept
db = $dir/index.txt # database index file.
# Digest algorithm; presumably the one used to sign responses (confirm).
# SHA-1 is no longer considered collision-resistant; prefer sha256 if this
# ocspd build supports it.
md = sha1
# Certificate of the CA whose certificates this responder answers for
# (per the accompanying mail: the Servers CA).
ca_certificate = $dir/certs/cacert.pem # () The CA certificate
# Responder signing certificate and private key. The key file should be
# readable only by the account named in `user` below; anyone who can read
# it can sign OCSP responses on behalf of this responder.
ocspd_certificate = $dir/certs/ocspd_cert.pem # The OCSP server cert
ocspd_key = $dir/private/ocspd_key.pem # The OCSP server key
pidfile = $dir/ocspd.pid # Main process pid
# Unprivileged account the daemon runs as (presumably switched to after
# start-up — confirm with the ocspd docs).
user = ocspd
group = daemon
# `*` appears to bind every local interface — confirm, and narrow it to a
# specific address if the responder only needs to be reachable on one.
bind = *
port = 2561 # []
# Upper bound on an incoming request (presumably bytes — confirm). It caps
# what a client can make the responder buffer; it does not bound the
# size of the responses this server sends.
max_req_size = 32768
# Process and connection limits; a small number of workers keeps resource
# use bounded under load.
max_childs_num = 2
clients_per_server = 100
# CRL refresh behaviour. Values are presumably seconds — confirm against
# the ocspd docs. The semantics of `crl_reload_expired` are not shown here;
# it is assumed to force a re-read once the loaded CRL has expired.
crl_auto_reload = 3600
crl_check_validity = 600
crl_reload_expired = yes
response = ocsp_response # Default OCSP response section
# Only one CRL backend is active; the LDAP one is left commented out as
# an example and its sections below are unused.
#dbms = dbms_ldap # Example using the LDAP for CRL
# retrieval
dbms = dbms_file # Example using file for CRL
####################################################################
# Shape of the OCSP responses (selected via `response` in [ OCSPD_default ]).
[ ocsp_response ]
# `$dir` appears to resolve per section, which is why it is defined again.
dir = /usr/local/etc/ocspd/servers-ca # []
# Extra certificates embedded in every response (per the mail,
# chain_certs.pem holds the Servers CA). With RSA-4096 keys each embedded
# certificate adds noticeably to the response size, which matters if a
# client-side size limit is suspected.
ocsp_add_response_certs = $dir/certs/chain_certs.pem # ()
# Presumably selects whether the responder identifies itself by key hash
# instead of by name in the responderID field — confirm.
ocsp_add_response_keyid = no
# nextUpdate offset. With both at 0 the response presumably carries no
# nextUpdate (or an immediate one), so clients cannot cache it and will
# re-query this responder on every validation — confirm.
next_update_days = 0
next_update_mins = 0
####################################################################
# Not our case
# LDAP-backed CRL source list. Unused in this file (`dbms = dbms_ldap` is
# commented out in [ OCSPD_default ]).
[ dbms_ldap ]
# Each entry names a CA section via `@section`; the numeric prefix suggests
# further CAs would follow as `1.ca`, `2.ca`, ... — confirm.
0.ca = @ldap_ca_1
# Example LDAP CA entry referenced from [ dbms_ldap ]; inactive in this file.
[ ldap_ca_1 ]
# You can have the CRL on a simple file
# crl_url = file:///usr/local/etc/ocspd/crl.pem
# You can store the CRL into an LDAP server, simply
# store it in certificateRevocationList;binary attribute
#
# There are different way, all legal, to specify the CRL
# URL address:
# crl_url = ldap://user:[EMAIL PROTECTED]:389
# crl_url = ldap://ldap.server.org:389
# NOTE(review): `[EMAIL PROTECTED]` in the examples is a mailing-list archive
# redaction, not literal syntax. If the user:password@host form is used,
# the bind credentials sit in cleartext in this file, so its permissions
# matter. Plain ldap:// carries no transport protection; the CRL's own CA
# signature is what guards its integrity, assuming the responder verifies
# it — confirm.
crl_url = ldap://localhost
# The CRL entry DN is the DN to look for when retrieving the
# date from the LDAP server. Put here the complete DN (usually
# the DN of the CA's certificate).
# NOTE(review): the leading `[EMAIL PROTECTED]` component is again an
# archive redaction of the original RDN and must be replaced with the
# real value.
crl_entry_dn = "[EMAIL PROTECTED], cn=Certification Auth, o=Organization, c=IT"
####################################################################
# File-backed CRL source list; the active backend (`dbms = dbms_file`).
[ dbms_file ]
# Single CA entry, resolved to the [ servers_ca ] section below.
0.ca = @servers_ca
# CRL and CA certificate for the Servers CA, read from local files.
# Whoever can replace crl.pem presumably controls which certificates this
# responder reports as revoked, so both files should be writable only by
# the administrator and the paths should not be on a world-writable tree.
[ servers_ca ] # []
crl_url = file:///usr/local/etc/ocspd/servers-ca/crl.pem # []
ca_url = file:///usr/local/etc/ocspd/servers-ca/certs/cacert.pem # []
