Massimiliano Pala wrote:
> The Cisco implementation of OCSP is quite picky about the OCSP
> responses; anyway, it seems that something is not working properly, as the
> contents of the extension should be copied and added to the response.
> 
> Could you please send me the CRL and the CA cert for testing your problem?

I have had a deeper look at the CRL. It seems that my CRL contains the
extension "Reason Code" but not the extension "Invalidity Date".
See 5.3.3 of RFC 3280 (ftp://ftp.rfc-editor.org/in-notes/rfc3280.txt)


If I read ocsp_response.c correctly, line 148 attempts to set the
invalidity date in the OCSP response just because there are extensions
in the CRL. It is not looking specifically for the extension "Invalidity
Date" in the CRL:

------------------------------------------------------------
/* Check and add the invalidity date */
if ( entry->extensions )
  OCSP_SINGLERESP_add1_ext_i2d(single, NID_invalidity_date,
      X509_REVOKED_get_ext_d2i(entry, NID_invalidity_date, NULL, NULL),
      0, 0);
------------------------------------------------------------


As a result, OCSP returns a field for "Invalidity Date" but with an
empty content. Cisco IOS considers this response as invalid, and here I
am (the OpenSSL OCSP client does not seem to care).

As I do not really need to support invalidity dates anyway, I was
thinking of getting rid of this portion of the code altogether (lines
148 through 152).


BTW, it is too bad that the status that OCSPd returns (REVOKED, unknown
or VALID) is only reachable through DEBUG. I definitely have an interest
in configuration flags that would enable logging of REVOKED and/or
VALID and/or unknown responses.


Cheers


Guillaume
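A checker for the symptom described in the mail above, added here as an example; it is not part of the original message or of OpenCA's ocsp_response.c. It walks the DER-encoded singleExtensions of an OCSP SingleResponse and flags an InvalidityDate extension (OID 2.5.29.24) whose extnValue is empty or does not hold a GeneralizedTime, which is what a responder produces when it adds the extension without first checking that the CRL entry carries one. The three sample encodings (ReasonCode only, ReasonCode plus empty InvalidityDate, ReasonCode plus a proper InvalidityDate) are constructed by hand.

```python
import re

OID_REASON_CODE = "2.5.29.21"      # id-ce-cRLReasons
OID_INVALIDITY_DATE = "2.5.29.24"  # id-ce-invalidityDate

def read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Decode OBJECT IDENTIFIER contents to dotted form."""
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc)); acc = 0
    return ".".join(parts)

def check_single_extensions(der):
    """Return [(oid, verdict)] for each Extension in a DER Extensions SEQUENCE.
    An InvalidityDate must contain exactly one GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    results, pos = [], 0
    while pos < len(body):
        _, ext, pos = read_tlv(body, pos)            # Extension ::= SEQUENCE
        _, oid_bytes, p = read_tlv(ext, 0)           # extnID
        tag, val, p = read_tlv(ext, p)
        if tag == 0x01:                              # optional critical BOOLEAN
            tag, val, p = read_tlv(ext, p)
        oid, verdict = decode_oid(oid_bytes), "ok"   # val = extnValue contents
        if oid == OID_INVALIDITY_DATE:
            if not val:
                verdict = "empty extnValue"
            else:
                t, gt, _ = read_tlv(val, 0)
                if t != 0x18 or not re.fullmatch(rb"\d{14}Z", gt):
                    verdict = "bad GeneralizedTime"
        results.append((oid, verdict))
    return results

# Constructed sample encodings (not captured from a real responder).
REASON_CODE_EXT = bytes.fromhex("300a0603551d1504030a0101")            # reason = keyCompromise
EMPTY_INVALIDITY_EXT = bytes.fromhex("30070603551d180400")             # extnValue of length 0
GOOD_INVALIDITY_EXT = bytes.fromhex("30180603551d180411180f") + b"20060301120000Z"

def extensions(*exts):
    """Wrap Extension encodings in an Extensions SEQUENCE (short-form length)."""
    body = b"".join(exts)
    return bytes([0x30, len(body)]) + body
```

Running `check_single_extensions(extensions(REASON_CODE_EXT, EMPTY_INVALIDITY_EXT))` reports the InvalidityDate as "empty extnValue", the shape of response a strict client such as Cisco IOS rejects.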


_______________________________________________
Openca-Users mailing list
https://lists.sourceforge.net/lists/listinfo/openca-users