On Tue 02 Aug 2005 at 10:28:29AM -0700, Devon Heron wrote:
> The problem with IOS using the OpenCA OCSPd server is probably due
> to a bug that's fixed in the interim IOS image 12.4(1.4). The
> generally available image with this fix would be 12.4(2). The
> Cisco bug id is CSCge44783, and was caused by IOS expecting 3 HTTP
> headers in the OCSP query while OpenCA only issued 2 headers... I
> tweaked my version of OCSPd to add a 3rd HTTP header.
>
> Let me know if this doesn't work or if you don't already have a
> solution.
We got it to work eventually (Cisco 12.4(3) with OpenCA), adding a 3rd HTTP header as you suggested just in case some of our routers would be running a different IOS and would have the bug you are referring to. The IPSec tunnel comes up if the router certificate is valid, and does not come up if the router certificate has been revoked: perfect.

The root cause of our problem was the certificate that our Entrust CA was creating for the OCSP server. I am sure that it is documented elsewhere, but there seem to be two and only two "custom" OIDs needed in the OCSP server certificate:

- 1.3.6.1.5.5.7.48.1.5 to specify OCSP NoCheck
- 1.3.6.1.5.5.7.3.9 for an Extended Key Usage of OCSPSigning (cf. http://www.alvestrand.no/objectid/1.3.6.1.5.5.7.3.9.html)

The "good" way to check if an OCSP server certificate in a file ocspd_cert.pem has everything it needs seems to be:

    # openssl x509 -in ocspd_cert.pem -noout -text
    [...]
        X509v3 extensions:
    [...]
            OCSP No Check:
            X509v3 Extended Key Usage:
                OCSP Signing
    [...]

Another hint is that the OCSP server with a "valid" OCSP server certificate works with Firefox, even when hard-coding the OCSP URL (Tools, Options, Advanced, OCSP: Use OCSP to validate all certificates using this URL and signer). If the OCSP server does not know about the CA that signed the certificate for the site that Firefox is browsing, the error message is "Error trying to validate certificate from X using OCSP - unknown certificate", and not some vague error code.

Thank you all for your help

--
Guillaume Tamboise
"First they ignore you, then they laugh at you, then they fight you, then you win."
-- Gandhi
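The two-extension requirement and the `openssl x509 -noout -text` check from Guillaume's message, as an added shell example that is not part of the original thread: it mints a throwaway CA, issues one responder certificate with OCSPSigning plus id-pkix-ocsp-nocheck and one without, and runs the same text-dump check on both. It assumes a local `openssl` binary; the CA name, responder name and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the OpenCA thread. Subject names and file
# names are constructed; only the two OIDs come from the original message.
set -eu

WORK=$(mktemp -d)

# Extension profiles. OpenSSL knows 1.3.6.1.5.5.7.48.1.5 by the short name
# "noCheck" (the value after '=' is ignored) and 1.3.6.1.5.5.7.3.9 as the
# "OCSPSigning" extended key usage. "plain_ee" deliberately lacks both.
cat > "$WORK/ext.cnf" <<'EOF'
[ ocsp_signing ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning
noCheck = ignored

[ plain_ee ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
EOF

# Throwaway self-signed CA plus one responder key/CSR, reused for both issues.
make_ca_and_csr() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=Test-CA \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=ocsp.example \
        -keyout "$WORK/ocsp.key" -out "$WORK/ocsp.csr" 2>/dev/null
}

# Sign the responder CSR with the named extension section ($1) into file $2.
issue_cert() {
    openssl x509 -req -days 1 -in "$WORK/ocsp.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/ext.cnf" \
        -extensions "$1" -out "$2" 2>/dev/null
}

# The check from the thread: both "OCSP No Check" and "OCSP Signing" must
# appear in the text dump. Returns 0 if the cert is fit for OCSP signing.
check_ocsp_cert() {
    dump=$(openssl x509 -in "$1" -noout -text)
    printf '%s\n' "$dump" | grep -q 'OCSP No Check' || return 1
    printf '%s\n' "$dump" | grep -q 'OCSP Signing' || return 1
    return 0
}

make_ca_and_csr
issue_cert ocsp_signing "$WORK/ocspd_cert.pem"
issue_cert plain_ee "$WORK/plain_cert.pem"
```

Running it stand-alone leaves both certificates in the temporary directory, and `check_ocsp_cert "$WORK/ocspd_cert.pem"` succeeds while the plain end-entity certificate fails the same check.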
