Guillaume:
The problem with IOS using the OpenCA OCSPd server is probably due
to a bug that's fixed in the interim IOS image 12.4(1.4). The
generally available image with this fix would be 12.4(2). The
Cisco bug id is CSCge44783, and was caused by IOS expecting 3 HTTP
headers in the OCSP query while OpenCA only issued 2 Headers... I
tweaked my version of OCSPd to add a 3rd HTTP header.
Let me know if this doesn't work or if you don't already have a
solution.
-Devon
On Jul 21, 2005, at 8:09 PM, openca-users-[EMAIL PROTECTED] wrote:
Date: Thu, 21 Jul 2005 11:34:37 -0500
From: Guillaume Tamboise <[EMAIL PROTECTED]>
To: [email protected]
Subject: [Openca-Users] ocspd & Cisco IOS
Reply-To: [email protected]
Hello,
I am trying to configure ocsp to serve revocations for certificates
used by Cisco routers.
The certificates are typically installed in the router using
configuration derived from
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_2/gt_ocsp.htm
and
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121sup/121csum1/121cssec/ssdinter.htm#1018150
crypto pki trustpoint mytrustpoint
enrollment retry period 5
enrollment mode ra
enrollment url http://host.domain/path_to_cgi
usage ike
revocation-check ocsp
ocsp url http://1.2.3.4:1234
If I do not perform any revocation check, the IPSec tunnel comes up.
As soon as I perform revocation checks, it no longer does.
If I extract the certificates from the router NVRAM,
copy them to a file and test them using OpenSSL,
here is what I get:
$ openssl x509 -inform DER -outform PEM -in ./cert1.cer -out ./cert1.pem
$ openssl ocsp -url http://1.2.3.4:1234 -VAfile ./ocspd_cert.pem \
-CAfile ./testca.crt -issuer ./testca.crt -cert ./cert1.pem
Response verify OK
./cert1.pem: good
This Update: Jul 20 22:18:22 2005 GMT
Next Update: Jul 21 14:26:40 2005 GMT
$ openssl x509 -inform DER -outform PEM -in ./cert2.cer -out ./cert2.pem
$ openssl ocsp -url http://1.2.3.4:1234 -VAfile ./ocspd_cert.pem \
-CAfile ./testca.crt -issuer ./testca.crt -cert ./cert2.pem
Response verify OK
./cert2.pem: good
This Update: Jul 20 22:18:22 2005 GMT
Next Update: Jul 21 14:28:12 2005 GMT
If I revoke one of the certificates in the CA and get it to publish the
CRL to the LDAP server, here is what I get:
$ openssl ocsp -url http://1.2.3.4:1234 -VAfile ./ocspd_cert.pem \
-CAfile ./testca.crt -issuer ./testca.crt -cert ./cert1.pem
Response verify OK
./cert1.pem: revoked
This Update: Jul 21 14:43:12 2005 GMT
Next Update: Jul 21 14:57:12 2005 GMT
Reason: keyCompromise
Revocation Time: Jul 21 14:43:10 2005 GMT
So... My certificates look good, OpenSSL as an OCSP client seems happy,
but not the Cisco IOS... Anybody with experience on that matter?
Thanks
--
Guillaume Tamboise
"First they ignore you, then they laugh at you, then they fight you,
then you win." -- Gandhi
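Added example, not part of either message above and not code from OpenCA, OCSPd or Cisco: a small Python tool for looking at the HTTP framing an OCSP responder returns, which is the layer Devon's reply points at (OpenSSL's `openssl ocsp` client accepted OCSPd's reply while the IOS client did not). RFC 2560 Appendix A.1.1 specifies the request as an HTTP POST with `Content-Type: application/ocsp-request` and the reply with `Content-Type: application/ocsp-response`; the thread does not say which additional header the IOS image wanted, so the tool only reports the headers actually sent and flags framing that any client may reject. The responder address, the `Host` header in the request, and the constructed sample reply are assumptions.

```python
"""Dump and sanity-check the HTTP framing of OCSP responder replies.

Added example; not from the thread, OpenCA, OCSPd or Cisco.
"""
import http.client
from typing import List, Tuple

OCSP_REQUEST_CT = "application/ocsp-request"
OCSP_RESPONSE_CT = "application/ocsp-response"


def build_post(path: str, host: str, der_request: bytes) -> bytes:
    """Build a raw HTTP/1.0 POST carrying a DER-encoded OCSPRequest.

    The Host header is an assumption (RFC 2560's HTTP/1.0 example omits it).
    """
    head = (
        f"POST {path} HTTP/1.0\r\n"
        f"Host: {host}\r\n"
        f"Content-Type: {OCSP_REQUEST_CT}\r\n"
        f"Content-Length: {len(der_request)}\r\n"
        "\r\n"
    )
    return head.encode("ascii") + der_request


def parse_response(raw: bytes) -> Tuple[int, List[Tuple[str, str]], bytes]:
    """Split a raw HTTP reply into (status, ordered header list, body).

    Headers are kept as a list rather than a dict so the exact set and
    count the responder emitted is visible to the caller.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers (CRLF CRLF) found")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"bad status line: {lines[0]!r}")
    status = int(parts[1])
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip(), value.strip()))
    return status, headers, body


def check_framing(raw: bytes) -> List[str]:
    """Return framing problems found in a raw reply; empty list means clean."""
    problems = []
    status, headers, body = parse_response(raw)
    names = {n.lower(): v for n, v in headers}
    if status != 200:
        problems.append(f"status {status}, expected 200")
    ct = names.get("content-type")
    if ct is None:
        problems.append("missing Content-Type")
    elif ct.split(";")[0].strip().lower() != OCSP_RESPONSE_CT:
        problems.append(f"Content-Type {ct!r}, expected {OCSP_RESPONSE_CT!r}")
    cl = names.get("content-length")
    if cl is None:
        problems.append("missing Content-Length")
    elif not cl.isdigit() or int(cl) != len(body):
        problems.append(f"Content-Length {cl!r} != body length {len(body)}")
    # An OCSPResponse is a DER SEQUENCE, so the body must open with 0x30.
    if not body or body[0] != 0x30:
        problems.append("body does not start with a DER SEQUENCE tag")
    return problems


def query_responder(host: str, port: int, path: str, der_request: bytes):
    """Send a live request and return (status, header list, body).

    Network access required; responder address is whatever you point it at.
    """
    conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request("POST", path, body=der_request,
                 headers={"Content-Type": OCSP_REQUEST_CT,
                          "Content-Length": str(len(der_request))})
    resp = conn.getresponse()
    body = resp.read()
    hdrs = resp.getheaders()
    conn.close()
    return resp.status, hdrs, body


# Constructed sample reply carrying only the two headers RFC 2560 lists.
# Body is a minimal OCSPResponse with responseStatus tryLater(3):
# SEQUENCE { ENUMERATED 3 }, i.e. 30 03 0a 01 03.
SAMPLE_BODY = bytes.fromhex("30030a0103")
SAMPLE_TWO_HEADERS = (
    b"HTTP/1.0 200 OK\r\n"
    b"Content-Type: application/ocsp-response\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n" + SAMPLE_BODY
)

if __name__ == "__main__":
    status, hdrs, body = parse_response(SAMPLE_TWO_HEADERS)
    print(status, hdrs, body.hex())
    print("problems:", check_framing(SAMPLE_TWO_HEADERS))
```

To compare a real responder against a strict client, call `query_responder("1.2.3.4", 1234, "/", der)` with the DER request produced by `openssl ocsp -reqout`, then pass the header list to the same checks; a reply that is RFC-clean but still rejected by the router narrows the problem to client-side strictness of the kind Devon describes.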
_______________________________________________
Openca-Users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openca-users