According to RFC 2560:
All definitive response messages SHALL be digitally signed. The key
used to sign the response MUST belong to one of the following:
-- the CA who issued the certificate in question
-- a Trusted Responder whose public key is trusted by the requester
-- a CA Designated Responder (Authorized Responder) who holds a
specially marked certificate issued directly by the CA, indicating
that the responder may issue OCSP responses for that CA
I am wondering if anyone here could point me in the right direction or
even assist with a problem I am having. I have Root CA 1 (RCA1) and
Root CA 2 (RCA2). Also, I have Intermediate Authority 1 (IA1) and
Intermediate Authority 2 (IA2). I have an OCSP signing certificate
issued from IA1 (ocsp1).
I have Apache 2.4 configured with trust for RCA1, RCA2, IA1 and IA2, and I
am able to use client authentication to log in with either Client Cert
1 (cc1) or Client Cert 2 (cc2).
However, when I enable OCSP it acts differently:
SSLVerifyClient on
SSLVerifyDepth 4
SSLOCSPEnable on
SSLOCSPDefaultResponder http://rsp.domain.com:80/
SSLOCSPOverrideResponder on
I am able to successfully validate cc1 and any other client
certificates issued from ia1. However, when I try to use cc2, I get
the following error:
SSL Library Error: error:27069070:OCSP routines:OCSP_basic_verify:root ca not trusted
Looking at a past post:
http://openssl.6102.n7.nabble.com/OCSP-basic-verify-root-ca-not-trusted-td24451.html
it seems that the RFC should allow me to explicitly declare a trusted
responder certificate for the client machine (in this case the client
is the httpd 2.4 server).
I would like to know:
Who currently supports mod_ssl?
Does mod_ssl currently support this feature?
If not, would anyone be willing to teach me how to modify mod_ssl to
support something like: 'SSLOCSPTrusted_responder
/etc/pki/tls/certs/trustedresponder.pem'
Other applications, like openssl and the CoreStreet desktop validation
client, allow you to explicitly configure a trusted responder cert,
e.g.: openssl ocsp -CAfile rca2 -issuer ia2 -cert cc2 -VAfile ocsp1 -url
http://rsp.domain.com:80
cc2: good
This Update: Jan 14 10:02:14 2014 GMT
Next Update: Feb 14 10:02:14 2014 GMT
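Added example, not part of the original post and not mod_ssl code: a shell script that rebuilds the post's two-root PKI with the openssl CLI, answers an OCSP request for cc2 offline with a response signed by ocsp1 (IA1's delegated responder), and then verifies that response three ways. All names (rca1, ia1, ocsp1, rca2, ia2, cc2), serials and the index.txt row are constructed for the demo; nothing contacts rsp.domain.com, and only the openssl binary (1.1.1 or 3.x) is needed.

```shell
#!/bin/sh
# Constructed demo, not from the original post: rebuild the poster's PKI with
# the openssl CLI and verify a response signed by ocsp1 (IA1's delegated
# responder) for cc2 (issued by IA2) under three trust models.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the script does not depend on the system openssl.cnf
printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = unused\n' > req.cnf
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=OCSPSigning\n' > ocsp.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > client.ext

# newkey NAME: fresh RSA key and CSR for /CN=NAME
newkey() {
  openssl req -new -config req.cnf -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}
# issue NAME ISSUER SERIAL EXTFILE: sign NAME.csr with ISSUER's key
issue() {
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -set_serial "$3" \
    -days 365 -extfile "$4" -out "$1.pem" 2>/dev/null
}

# RCA1 -> IA1 -> ocsp1 (delegated responder)    RCA2 -> IA2 -> cc2 (client cert)
build_pki() {
  for n in rca1 ia1 ocsp1 rca2 ia2 cc2; do newkey "$n"; done
  for r in rca1 rca2; do
    openssl x509 -req -in "$r.csr" -signkey "$r.key" -days 365 -extfile ca.ext \
      -out "$r.pem" 2>/dev/null
  done
  issue ia1 rca1 0x1001 ca.ext
  issue ocsp1 ia1 0x1002 ocsp.ext
  issue ia2 rca2 0x2001 ca.ext
  issue cc2 ia2 0x2002 client.ext
  # The bundle a server would load as its CA file: all four CAs, plain PEM
  cat rca1.pem ia1.pem rca2.pem ia2.pem > allcas.pem
  # Same bundle, but RCA1 rewritten as a TRUSTED CERTIFICATE carrying the
  # OCSPSigning trust OID (openssl x509 -addtrust)
  openssl x509 -in rca1.pem -addtrust OCSPSigning -out rca1-trusted.pem
  cat rca1-trusted.pem ia1.pem rca2.pem ia2.pem > allcas-trusted.pem
}

# Answer an OCSP request for cc2 offline (openssl ocsp -index responder mode),
# signing the response with ocsp1, which has no relationship to IA2 at all.
make_response() {
  # One CA-database row: status V(alid), expiry, empty revocation date,
  # serial in hex (matches -set_serial 0x2002 above), file name, subject
  printf 'V\t350101000000Z\t\t2002\tunknown\t/CN=cc2\n' > index.txt
  openssl ocsp -issuer ia2.pem -cert cc2.pem -no_nonce -reqout req.der \
    >/dev/null 2>&1 || true
  [ -s req.der ]
  openssl ocsp -index index.txt -CA ia2.pem -rsigner ocsp1.pem -rkey ocsp1.key \
    -ndays 30 -no_nonce -noverify -reqin req.der -respout resp.der >/dev/null 2>&1
}

# verify_with [trust options]: print the verifier's output, never abort the script
verify_with() {
  openssl ocsp -respin resp.der -issuer ia2.pem -cert cc2.pem -no_nonce "$@" 2>&1 || true
}
# 1. CA bundle only, as a server that knows nothing about the responder:
#    the chain ocsp1 -> IA1 -> RCA1 builds, but ocsp1 is neither IA2 nor a
#    delegate of IA2 and RCA1 has no OCSP-signing trust: "root ca not trusted".
plain_store()       { verify_with -CAfile allcas.pem; }
# 2. RFC 2560 Trusted Responder: -VAfile (OCSP_TRUSTOTHER) accepts a signer
#    found in that file after the signature check alone.
trusted_responder() { verify_with -CAfile allcas.pem -VAfile ocsp1.pem; }
# 3. Explicit trust on the responder's root: the same chain is accepted once
#    RCA1 carries the OCSPSigning trust marker.
trusted_root()      { verify_with -CAfile allcas-trusted.pem; }

build_pki
make_response
for scenario in plain_store trusted_responder trusted_root; do
  echo "=== $scenario ==="
  "$scenario"
done
```

The first run reproduces the error from the post: the chain ocsp1 -> IA1 -> RCA1 builds fine against the bundle, but OCSP_basic_verify then insists that the signer be the issuer of cc2 (IA2), a delegated responder issued by IA2, or the end of a chain whose root is explicitly trusted for OCSP signing; RCA1 is none of these, so the result is "root ca not trusted". The second run is the RFC 2560 Trusted Responder model the post asks for: -VAfile hands the responder certificate to OCSP_basic_verify with OCSP_TRUSTOTHER, so it is accepted without chain checks. The third shows the alternative the library already offers, a root stored as a TRUSTED CERTIFICATE with the OCSPSigning trust OID. For httpd itself, a trusted-responder directive was added later as SSLOCSPResponderCertificateFile (2.4.26 and later).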