Hello, I am running OpenCA OCSPD v1.1.0a to validate certificates used by Cisco routers.
My IOS trustpoint configuration is "revocation-check ocsp none" (i.e. try to validate the certificate against OCSP, and if the OCSP service is unavailable then accept the certificate). The problem I am having is that with this specific configuration, my certificate is accepted even when it has been revoked. Cisco IOS seems to react that way because the OCSP response coming from OpenCA OCSP would contain an invalid field. In that case, the "ocsp" response is disregarded and the "none" revocation check method would be triggered...

Incriminated response:

  169:d=4  hl=2 l=  15 prim: GENERALIZEDTIME   :20060404200908Z
  186:d=4  hl=2 l=   3 cons: cont [ 0 ]
  188:d=5  hl=2 l=   1 prim: ENUMERATED        :05
  191:d=3  hl=2 l=  15 prim: GENERALIZEDTIME   :20060407092614Z
  208:d=3  hl=2 l=  17 cons: cont [ 0 ]
  210:d=4  hl=2 l=  15 prim: GENERALIZEDTIME   :20060407145418Z
  227:d=3  hl=2 l=  11 cons: cont [ 1 ]
  229:d=4  hl=2 l=   9 cons: SEQUENCE
  231:d=5  hl=2 l=   7 cons: SEQUENCE
  233:d=6  hl=2 l=   3 prim: OBJECT            :Invalidity Date
  238:d=6  hl=2 l=   0 prim: OCTET STRING
  240:d=1  hl=2 l=  35 cons: cont [ 1 ]
  242:d=2  hl=2 l=  33 cons: SEQUENCE
  244:d=3  hl=2 l=  31 cons: SEQUENCE
  246:d=4  hl=2 l=   9 prim: OBJECT            :OCSP Nonce
  257:d=4  hl=2 l=  18 prim: OCTET STRING

The Invalidity Date extension is a string of length zero, instead of being an actual timestamp.

Here is my ocspd.conf:

[ ocspd ]
default_ocspd = OCSPD_default                   # The default ocspd section

[ OCSPD_default ]
dir = /usr/local/etc/ocspd                      # Where everything is kept
db = $dir/index.txt                             # database index file.
md = sha1
ca_certificate = $dir/certs/cacert.pem          # The CA certificate
ocspd_certificate = $dir/certs/ocspd_cert.pem   # The OCSP server cert
ocspd_key = $dir/private/ocspd_key.pem          # The OCSP server key
pidfile = $dir/ocspd.pid                        # Main process pid
user = ocspd
group = ocspd
bind = *
port = 1234
max_childs_num = 5
max_req_size = 819200
crl_auto_reload = 7200
crl_check_validity = 0
crl_reload_expired = yes
response = ocsp_response
dbms = dbms_ldap
engine = off

[ ocsp_response ]
dir = /usr/local/etc/ocspd
ocsp_add_response_certs = $dir/certs/ocspd_cert.pem
ocsp_add_response_keyid = yes
next_update_days = 0
next_update_mins = 5

[ dbms_ldap ]
0.ca = @ldap_ca_1

[ ldap_ca_1 ]
crl_url=ldap://a.b.c.d
crl_entry_dn = "cn=mycn,ou=role,o=slb,c=AN"
crl_entry_attribute = "certificateRevocationList;binary"
ca_url = file:////usr/local/etc/ocspd/certs/1st_cacert.pem

On the other hand, OpenSSL is perfectly happy with the answer that OCSPd provides.

$ openssl ocsp -issuer ./cacert.pem -CAfile ./cacert.pem -url http://a.b.c.d:1234 -text -serial nnnnnnnn
[...]
Response verify OK
nnnnnnnn: revoked
        This Update: Apr  7 09:26:14 2006 GMT
        Next Update: Apr  7 19:08:03 2006 GMT
        Reason: cessationOfOperation
        Revocation Time: Apr  4 20:09:08 2006 GMT

Ideas?

Thanks

Guillaume Tamboise

_______________________________________________
Openca-Users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openca-users
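As an added illustration (not part of the post above, nor code from OpenCA or Cisco IOS), the following Python checks an X.509 Invalidity Date extension the way a strict OCSP client would, flagging the zero-length extnValue seen in the asn1parse dump, and models why "revocation-check ocsp none" accepts a revoked certificate when the response is unparseable. The two DER samples are hand-constructed, and revocation_decision is a simplified model of the trustpoint policy, not IOS logic.

```python
import re
from datetime import datetime, timezone

INVALIDITY_DATE_OID = bytes.fromhex("551d18")        # id-ce-invalidityDate, 2.5.29.24
GENERALIZED_TIME_RE = re.compile(rb"^\d{14}Z$")        # YYYYMMDDHHMMSSZ, as DER requires

def read_tlv(buf, pos=0):
    """Parse one DER element at pos; return (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long-form length: next N bytes hold it
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end

def check_invalidity_date(ext_der):
    """Validate an X.509 Extension SEQUENCE; returns ('ok', datetime),
    ('malformed', None) or ('other-extension', None)."""
    tag, body, _ = read_tlv(ext_der)
    if tag != 0x30:
        return "malformed", None
    oid_tag, oid, pos = read_tlv(body)
    if oid_tag != 0x06 or oid != INVALIDITY_DATE_OID:
        return "other-extension", None
    val_tag, extn_value, pos = read_tlv(body, pos)
    if val_tag == 0x01:                   # optional BOOLEAN critical; skip it
        val_tag, extn_value, pos = read_tlv(body, pos)
    if val_tag != 0x04 or not extn_value:  # empty OCTET STRING: the case in the post
        return "malformed", None
    t_tag, t_val, _ = read_tlv(extn_value)
    if t_tag != 0x18 or not GENERALIZED_TIME_RE.match(t_val):
        return "malformed", None
    when = datetime.strptime(t_val.decode(), "%Y%m%d%H%M%SZ")
    return "ok", when.replace(tzinfo=timezone.utc)

def revocation_decision(status, parse_ok, fail_open):
    """Simplified model of the trustpoint policy: an unparseable response counts as
    'OCSP unavailable', so with fail_open (the 'none' fallback) it is accepted."""
    if parse_ok:
        return "accept" if status == "good" else "reject"
    return "accept" if fail_open else "reject"

# Constructed samples (hand-encoded DER, not captured from ocspd or the router)
GOOD_EXT = bytes.fromhex("30180603551d180411180f") + b"20060404200908Z"
BAD_EXT = bytes.fromhex("30070603551d180400")      # zero-length extnValue, as in the post
```

Running check_invalidity_date over the two samples gives "ok" for GOOD_EXT and "malformed" for BAD_EXT; feeding the latter into revocation_decision with fail_open=True reproduces the accept-when-revoked outcome described above.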
