Hi Joachim,

there should be an option in the etc/ocspd/ocspd.xml file. In particular, search for the digestAlgorithm option. Is that sha1? If that is the case and you needed to change the code in libpki, then there's an error there that I need to fix.

Just to summarize: you are using an RSA+SHA256 certificate as the OCSP responder's certificate? If that is the case, the hash algorithm used for signatures (not the OCSP hashing algorithm) when signing the response is taken from the server's certificate - that might be the cause for the sha256. I don't understand why the CISCO router would not be able to validate that! SHA1 is not supposed to be used for signatures anymore!!!

For the certificate, I am not sure what the issue might be. I guess that you already checked the validity period of the certificate. Another thing you might check is whether you forgot the OCSPSigning option in the extendedKeyUsage.

Cheers,
Max

On 06/15/2011 04:19 AM, Joachim Astel wrote:
> Hi Massimiliano,
>
> unfortunately that isn't the case. With OCSP-1 sha256 worked fine
> for the rootCA and cisco-certs so far, only OCSP-2 makes trouble.
> So I'm just trying to track down why it doesn't work with the new
> daemon anymore.
>
> As I wrote yesterday, I commented out "SHA256" as a switch-case
> in libpki-0.6.5/src/openssl/pki_algor.c, so my responses were
> created with SHA1 to make adequate output as OCSP-1 did for the
> answer certificates in a first step.
>
> My first question is: is there a well defined way to configure this by
> .xml configurations instead of patching the source code to make
> SHA1 ocsp answers instead of SHA256 ones (like it is default now)?
>
> As a result, using SHA1 instead of SHA256 in my answer strings,
> the "message digest algorithms not supported" error on the Cisco
> router has gone away now.
>
> But now I'm in the next level of the adventure. The Cisco router
> still shows another error after that:
>
> Jun 15 07:00:31.266: CRYPTO_PKI: OCSP response status - successful.
> Jun 15 07:00:31.274: CRYPTO_PKI: Validating OCSP responder certificate
> Jun 15 07:00:31.278: CRYPTO_PKI: OCSP Responder cert doesn't need rev check
> Jun 15 07:00:31.278: CRYPTO_PKI: response signed by a delegated responder
> Jun 15 07:00:31.278: CRYPTO_PKI: Certificate not validated
> Jun 15 07:00:31.278: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from
> 10.1.2.3 is bad: certificate invalid
>
> My second question: do you know what "Certificate not validated" says to me?
> Do I use the wrong signing CA or something like that?
>
> Greetings
> Achim

--
http://member.acm.org/~openca/
Massimiliano Pala, Ph.D.
Director, OpenCA Labs
Professor, NYU Poly
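The checks Max lists for a delegated responder certificate (signature hash taken from the responder's own certificate, the OCSPSigning extendedKeyUsage, the validity period, and whether the certificate was really issued by the CA the relying party trusts) can be run against any responder certificate before pointing a router at it. The script below is an added example written for this thread; it is not code from OpenCA, libpki or ocspd. It assumes the pyca `cryptography` library is installed, and it generates its own throw-away CA and responder certificates inline so it runs offline; every key, name and date in it is constructed test data.

```python
# Added example (not from the OpenCA/libpki thread): inspect an OCSP responder
# certificate for the properties discussed above. Uses the pyca "cryptography"
# library (assumed installed). All certificates are generated in-process and
# are constructed test data, not material from the thread.
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def build_responder_cert(ca_key, ca_cn, responder_key, with_ocsp_signing, hash_algorithm):
    """Issue a responder certificate signed by ca_key with the given hash.
    hash_algorithm becomes the certificate's signature hash, which is the
    value a responder that "takes the algorithm from its certificate" reuses."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(_name("OCSP Responder"))
        .issuer_name(_name(ca_cn))
        .public_key(responder_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=30))
    )
    if with_ocsp_signing:
        builder = builder.add_extension(
            x509.ExtendedKeyUsage([ExtendedKeyUsageOID.OCSP_SIGNING]), critical=False
        )
    return builder.sign(ca_key, hash_algorithm)


def _validity(cert):
    # cryptography >= 42 exposes tz-aware *_utc properties; older releases
    # only have naive UTC datetimes, so normalise both to aware UTC values.
    if hasattr(cert, "not_valid_before_utc"):
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    utc = datetime.timezone.utc
    return (cert.not_valid_before.replace(tzinfo=utc),
            cert.not_valid_after.replace(tzinfo=utc))


def check_responder_cert(cert, ca_public_key, now=None):
    """Collect the findings a relying party bases its accept/reject decision on:
    signature hash name, OCSPSigning EKU present, inside validity period,
    and whether the signature verifies under the expected CA key."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    findings = {"signature_hash": cert.signature_hash_algorithm.name}
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        findings["has_ocsp_signing"] = ExtendedKeyUsageOID.OCSP_SIGNING in eku
    except x509.ExtensionNotFound:
        findings["has_ocsp_signing"] = False
    not_before, not_after = _validity(cert)
    findings["in_validity_period"] = not_before <= now <= not_after
    try:
        ca_public_key.verify(cert.signature, cert.tbs_certificate_bytes,
                             padding.PKCS1v15(), cert.signature_hash_algorithm)
        findings["signed_by_ca"] = True
    except InvalidSignature:
        findings["signed_by_ca"] = False
    findings["acceptable"] = all((findings["has_ocsp_signing"],
                                  findings["in_validity_period"],
                                  findings["signed_by_ca"]))
    return findings


def run_demo():
    """Constructed scenario: the trusted CA, an unrelated CA, one responder key."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    other_ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    responder_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)

    good = build_responder_cert(ca_key, "Test CA", responder_key, True, hashes.SHA256())
    no_eku = build_responder_cert(ca_key, "Test CA", responder_key, False, hashes.SHA256())

    return {
        "good": check_responder_cert(good, ca_key.public_key()),
        "missing_eku": check_responder_cert(no_eku, ca_key.public_key()),
        "wrong_ca": check_responder_cert(good, other_ca_key.public_key()),
    }


if __name__ == "__main__":
    for label, findings in run_demo().items():
        print(label, findings)
```

To use it on a real responder certificate, load it with `x509.load_pem_x509_certificate()` and pass `ca_cert.public_key()` of the CA the router trusts; a `signed_by_ca` of False is the "wrong signing CA" case from the second question, and `signature_hash` tells you which digest the responder will copy into its response signatures.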