Hi Luis: See reply inline:
On July 16, 2010 11:05:46 am Luis Neves wrote:
<snip>
>
> besides this, why I have to force httpd.conf with a SSLOCSPDefaultResponder
> directive? Shouldn't the mod_ssl code discover automatically the responder
> address from the client certificate itself??
>

From your other mail:

openssl x509 -in /home/oracle/lneves.pem -noout -text

<snip a bunch of certificate contents stuff>

> 2.5.29.46:
> 0h0f.d.b.`http://pki.cartaodecidadao.pt/publico/lrc/cc_sub-
>ec_cidadao_autenticacao_crl0003_delta_p0005.crl
> Authority Information Access:
> OCSP - URI:http://ocsp.auc.cartaodecidadao.pt/publico/ocsp

The part that catches my eye is the incorrect decoding for authorityInfoAccess.

First of all, 2.5.29.46 is NOT AIA, but according to:

http://www.alvestrand.no/objectid/2.5.29.46.html

It is "Freshest CRL".

This is NOT the OID for AIA, thus the application should NOT be able to find the OCSP information.

Fix the CA that generated this certificate to generate correct PKIX RFC5280 certificates, and at least part of your problem should go away.

Have fun.

--
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
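
Added example, not part of the original message or of OpenSSL or mod_ssl: a standard-library Python walk over a constructed Extensions block that tells apart the two extension OIDs named in this thread, 2.5.29.46 (freshestCRL) and 1.3.6.1.5.5.7.1.1 (authorityInfoAccess), and reads an OCSP URI only from the latter. The function names, the sample bytes and the example.test URLs are assumptions made for illustration.

```python
OID_FRESHEST_CRL = "2.5.29.46"      # id-ce-freshestCRL (RFC 5280)
OID_AIA = "1.3.6.1.5.5.7.1.1"       # id-pe-authorityInfoAccess
OID_AD_OCSP = "1.3.6.1.5.5.7.48.1"  # id-ad-ocsp access method

def read_tlv(buf, pos=0):  # returns (tag, value, next_pos) for the DER TLV at pos
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits give the number of length bytes
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    if pos + n > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + n], pos + n

def children(buf):  # split a constructed value's content into (tag, value) pairs
    pos, out = 0, []
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        out.append((tag, val))
    return out

def dec_oid(body):
    arcs, acc = [], 0
    for b in body:  # base-128 sub-identifiers; high bit set means more bytes follow
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def scan_extensions(der):
    """Return (extnIDs in order, OCSP URIs read only from the AIA extension)."""
    oids, urls = [], []
    for _, ext in children(read_tlv(der)[1]):
        fields = children(ext)  # extnID, optional critical flag, extnValue
        oids.append(dec_oid(fields[0][1]))
        if oids[-1] != OID_AIA:
            continue  # only AIA is searched for a responder location
        for _, desc in children(read_tlv(fields[-1][1])[1]):
            (_, method), (loc_tag, loc) = children(desc)
            if dec_oid(method) == OID_AD_OCSP and loc_tag == 0x86:  # [6] URI
                urls.append(loc.decode("ascii"))
    return oids, urls

def tlv(tag, *parts):  # encoder for the constructed sample (short-form lengths only)
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)

FRESHEST = tlv(0x30, bytes.fromhex("0603551d2e"), tlv(0x04, tlv(0x30, tlv(0x30,
    tlv(0xA0, tlv(0xA0, tlv(0x86, b"http://crl.example.test/delta.crl")))))))
AIA = tlv(0x30, bytes.fromhex("06082b06010505070101"), tlv(0x04, tlv(0x30, tlv(0x30,
    bytes.fromhex("06082b06010505073001"), tlv(0x86, b"http://ocsp.example.test/ocsp")))))
SAMPLE = tlv(0x30, FRESHEST, AIA)  # constructed: freshestCRL then AIA, placeholder URLs
```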