I'm trying to get Apache to do client certificate verification with OCSP validation. It works without OCSP, but OCSP validation fails when I turn it on. The error is "OCSP_check_validity:status too old", but that doesn't make sense because the clocks are within 2 seconds. I have verified that if I use openssl directly from the command line it will verify OK.

> openssl ocsp -issuer /usr/local/apache2/conf/SITHS_CA_v3.cer -CAfile /usr/local/apache2/conf/SITHS_CA_v3.cer -cert /mnt/download/uwcert.cer -text -url http://ocsp.trust.telia.com
...
Response verify OK
/mnt/download/uwcert.cer: good
    This Update: Jul 29 10:43:41 2010 GMT
    Next Update: Jul 30 10:43:45 2010 GMT

Where do I start looking?

/ulfW
** my config ****************************************************

[r...@fedoragui logs]# httpd -v
Server version: Apache/2.3.6 (Unix)
Server built:   Jul 16 2010 15:31:39
[r...@fedoragui logs]# openssl version
OpenSSL 1.0.0a-fips 1 Jun 2010

./configure --enable-ssl

http-ssl.conf:
SSLCACertificateFile "/usr/local/apache2/conf/SITHS_CA_v3.cer"
SSLCARevocationFile "/usr/local/apache2/conf/crl/SITHS_CA_ver_3.crl"
SSLVerifyClient require
SSLVerifyDepth 3
SSLOCSPEnable on
SSLOCSPDefaultResponder http://ocsp.trust.telia.com
#SSLOCSPOverrideResponder on

** error_log ****************************************************

[Fri Jul 30 13:36:02.080681 2010] [info] [pid 2826:tid 3061840752] [client 10.0.2.2:1440] Connection to child 0 established (server fedoragui.mydomain.com:443)
[Fri Jul 30 13:36:02.089466 2010] [debug] [pid 2826:tid 3061840752] ssl_engine_io.c(1175): [client 10.0.2.2:1440] (70014)End of file found: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Fri Jul 30 13:36:02.090049 2010] [info] [pid 2826:tid 3061840752] [client 10.0.2.2:1440] Connection closed to child 0 with abortive shutdown (server fedoragui.mydomain.com:443)
[Fri Jul 30 13:36:04.549495 2010] [info] [pid 2833:tid 3061840752] [client 10.0.2.2:1441] Connection to child 128 established (server fedoragui.mydomain.com:443)
[Fri Jul 30 13:36:05.230878 2010] [debug] [pid 2833:tid 3061840752] ssl_util_ocsp.c(79): [client 10.0.2.2:1441] connecting to OCSP responder 'ocsp.trust.telia.com'
[Fri Jul 30 13:36:05.235845 2010] [debug] [pid 2833:tid 3061840752] ssl_util_ocsp.c(105): [client 10.0.2.2:1441] sending request to OCSP responder
[Fri Jul 30 13:36:05.257605 2010] [debug] [pid 2833:tid 3061840752] ssl_util_ocsp.c(209): [client 10.0.2.2:1441] OCSP response header: Date: Fri, 30 Jul 2010 13:36:04 GMT
[Fri Jul 30 13:36:05.257920 2010] [debug] [pid 2833:tid 3061840752] ssl_util_ocsp.c(209): [client 10.0.2.2:1441] OCSP response header: Server: Apache
[Fri Jul 30 13:36:05.258515 2010] [debug] [pid 2833:tid 3061840752] ssl_util_ocsp.c(209): [client 10.0.2.2:1441] OCSP response header: Content-Length: 1264
[Fri Jul 30 13:36:05.258767 2010] [debug] [pid 2833:tid 3061840752] ssl_util_ocsp.c(209): [client 10.0.2.2:1441] OCSP response header: Connection: close
[Fri Jul 30 13:36:05.259001 2010] [debug] [pid 2833:tid 3061840752] ssl_util_ocsp.c(209): [client 10.0.2.2:1441] OCSP response header: Content-Type: application/ocsp-response
[Fri Jul 30 13:36:05.259743 2010] [debug] [pid 2833:tid 3061840752] ssl_util_ocsp.c(252): [client 10.0.2.2:1441] OCSP response: got 1264 bytes, 1264 total
[Fri Jul 30 13:36:05.275967 2010] [debug] [pid 2833:tid 3061840752] ssl_util_ocsp.c(235): [client 10.0.2.2:1441] OCSP response: got EOF
[Fri Jul 30 13:36:05.278741 2010] [error] [pid 2833:tid 3061840752] SSL Library Error: error:2707307F:OCSP routines:OCSP_check_validity:status too old
[Fri Jul 30 13:36:05.279711 2010] [error] [pid 2833:tid 3061840752] [client 10.0.2.2:1441] Certificate Verification: Error (50): application verification failure
[Fri Jul 30 13:36:05.282013 2010] [info] [pid 2833:tid 3061840752] [client 10.0.2.2:1441] SSL library error 1 in handshake (server fedoragui.mydomain.com:443)
[Fri Jul 30 13:36:05.282958 2010] [info] [pid 2833:tid 3061840752] SSL Library Error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
[Fri Jul 30 13:36:05.285938 2010] [info] [pid 2911:tid 3040861040] [client 10.0.2.2:1444] Connection to child 194 established (server fedoragui.mydomain.com:443)
[Fri Jul 30 13:36:05.289429 2010] [info] [pid 2833:tid 3061840752] [client 10.0.2.2:1441] Connection closed to child 128 with abortive shutdown (server fedoragui.mydomain.com:443)
[Fri Jul 30 13:36:05.296438 2010] [info] [pid 2911:tid 3040861040] [client 10.0.2.2:1444] SSL library error 1 in handshake (server fedoragui.mydomain.com:443)
[Fri Jul 30 13:36:05.300686 2010] [info] [pid 2911:tid 3051350896] [client 10.0.2.2:1445] Connection to child 193 established (server fedoragui.mydomain.com:443)
[Fri Jul 30 13:36:05.301800 2010] [debug] [pid 2911:tid 3051350896] ssl_engine_io.c(1175): [client 10.0.2.2:1445] (70014)End of file found: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Fri Jul 30 13:36:05.302646 2010] [info] [pid 2911:tid 3051350896] [client 10.0.2.2:1445] Connection closed to child 193 with abortive shutdown (server fedoragui.mydomain.com:443)
[Fri Jul 30 13:36:05.308392 2010] [info] [pid 2911:tid 3040861040] SSL Library Error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate -- No CAs known to server for verification?
[Fri Jul 30 13:36:05.308711 2010] [info] [pid 2911:tid 3040861040] [client 10.0.2.2:1444] Connection closed to child 194 with abortive shutdown (server fedoragui.mydomain.com:443)

/ulfW
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
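The error named in the post comes from OpenSSL's OCSP_check_validity(thisupd, nextupd, nsec, maxsec). That function does not compare the two hosts' clocks; it compares the response's own thisUpdate and nextUpdate against the verifier's local time with a tolerance of nsec seconds for skew, and, when maxsec is non-negative, rejects any response whose thisUpdate is older than maxsec with "status too old". A responder that hands out pre-generated responses (the quoted one has thisUpdate a day before nextUpdate) therefore fails any maxsec shorter than the age of the response, regardless of how well the clocks agree. In mod_ssl the two parameters come from SSLOCSPResponseTimeSkew (default 300) and SSLOCSPResponseMaxAge (default -1, no limit) as documented for httpd 2.4; whether a 2.3.6 build exposes them can be checked with `httpd -L`. The model below is an added example, not the poster's code or OpenSSL's: it parses the "This Update"/"Next Update" lines quoted from the poster's `openssl ocsp -text` run and re-applies the four window checks for a few maxsec values. The two "now" timestamps are constructed for the demonstration (one shortly after the CLI run, one equal to the logged handshake time); note that at the logged handshake time the quoted response would already be past its nextUpdate and be reported as "status expired".

```python
# Added example (not the poster's code): a Python model of the window
# checks OpenSSL's OCSP_check_validity() performs, fed with the thisUpdate /
# nextUpdate values quoted from the poster's `openssl ocsp -text` output.
# Both "now" timestamps below are constructed for the demonstration.
from datetime import datetime, timedelta, timezone

# Lines copied from the poster's CLI output (the elided middle is omitted).
CLI_TEXT = """\
Response verify OK
/mnt/download/uwcert.cer: good
    This Update: Jul 29 10:43:41 2010 GMT
    Next Update: Jul 30 10:43:45 2010 GMT
"""

UTC = timezone.utc
# Assumed: a check made shortly after the CLI run on Jul 29 (constructed).
CLI_RUN_TIME = datetime(2010, 7, 29, 13, 0, 0, tzinfo=UTC)
# Time of the failing handshake in the poster's error_log.
APACHE_REQUEST_TIME = datetime(2010, 7, 30, 13, 36, 5, tzinfo=UTC)


def parse_ocsp_time(text):
    """Parse the 'Mon DD HH:MM:SS YYYY GMT' form printed by `openssl ocsp -text`."""
    return datetime.strptime(text.strip(), "%b %d %H:%M:%S %Y GMT").replace(tzinfo=UTC)


def parse_update_times(cli_output):
    """Extract thisUpdate (required) and nextUpdate (optional) from the text dump."""
    this_upd = next_upd = None
    for raw in cli_output.splitlines():
        line = raw.strip()
        if line.startswith("This Update:"):
            this_upd = parse_ocsp_time(line[len("This Update:"):])
        elif line.startswith("Next Update:"):
            next_upd = parse_ocsp_time(line[len("Next Update:"):])
    if this_upd is None:
        raise ValueError("response carries no thisUpdate")
    return this_upd, next_upd


def check_validity(this_upd, next_upd, now, nsec=300, maxsec=-1):
    """Mirror OCSP_check_validity(thisupd, nextupd, nsec, maxsec).

    nsec   tolerated clock skew in seconds (mod_ssl 2.4: SSLOCSPResponseTimeSkew).
    maxsec maximum age of thisUpdate in seconds; a negative value disables
           the check (mod_ssl 2.4: SSLOCSPResponseMaxAge, default -1).
    Returns the OpenSSL reason strings the checks would queue, in order;
    an empty list means the response is inside its validity window.
    """
    errors = []
    skew = timedelta(seconds=nsec)
    # thisUpdate may not lie more than nsec in the future.
    if this_upd > now + skew:
        errors.append("status not yet valid")
    # "status too old": thisUpdate older than maxsec; clock skew plays no part here.
    if maxsec >= 0 and this_upd < now - timedelta(seconds=maxsec):
        errors.append("status too old")
    if next_upd is None:
        return errors
    # nextUpdate may not lie more than nsec in the past.
    if next_upd < now - skew:
        errors.append("status expired")
    if next_upd < this_upd:
        errors.append("nextupdate before thisupdate")
    return errors


def explain(cli_output, now, nsec=300, maxsec=-1):
    """Age of the response at `now` plus the errors the window checks produce."""
    this_upd, next_upd = parse_update_times(cli_output)
    age = int((now - this_upd).total_seconds())
    return {"age_seconds": age,
            "errors": check_validity(this_upd, next_upd, now, nsec, maxsec)}


if __name__ == "__main__":
    for when, label in ((CLI_RUN_TIME, "Jul 29 13:00"), (APACHE_REQUEST_TIME, "Jul 30 13:36")):
        for maxsec in (-1, 3600, 86400):
            print(label, "maxsec=%d" % maxsec, explain(CLI_TEXT, when, maxsec=maxsec))
```

Run against the quoted response, the Jul 29 check passes with maxsec unlimited or one day but fails with "status too old" at one hour, because the response was already over two hours old when the CLI fetched it; the practical check on the server is the value mod_ssl passes as maxsec, not the NTP offset between the hosts.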