What I am saying is that one falls into the delegated trust model, and one does not, but I should be able to validate either because RFC 2560 allows for "a Trusted Responder whose public key is trusted by the requester". I am asking if mod_ssl in Apache 2.4.x is RFC-compliant. It seems to me OpenSSL supports this explicitly via the -VAfile flag, but mod_ssl doesn't.
*Trustpoint 1:*

[root@va][/usr/local/apache2/conf] openssl verify -CAfile rca1 cc1
cc1: OK
[root@va][/usr/local/apache2/conf] openssl ocsp -CAfile rca1 -issuer rca1 -cert cc1 -no_nonce -url http://localhost:3503
Response verify OK
cc1: good
        This Update: Jan 10 21:16:11 2014 GMT
        Next Update: Jan 18 09:36:11 2014 GMT

*Trust Point 2:*

[root@va][/usr/local/apache2/conf] openssl verify -CAfile rca2 ia2
ia2: OK
[root@va][/usr/local/apache2/conf] openssl verify -CAfile rca2 cc2
cc2: OK
[root@va][/usr/local/apache2/conf] openssl ocsp -CAfile rca2 -issuer ia2 -cert cc2 -no_nonce -url http://localhost:3503
Response Verify Failure
140278240200520:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:126:Verify error:unable to get local issuer certificate
cc2: good
        This Update: Jan 14 10:02:14 2014 GMT
        Next Update: Feb 14 10:02:14 2014 GMT

*But if I explicitly declare the trusted VA:* I get no errors.

[root@va][/usr/local/apache2/conf] openssl ocsp -CAfile rca2 -issuer ia2 -cert cc2 -no_nonce *-VAfile ocsp1* -url http://localhost:3503
Response verify OK
cc2: good
        This Update: Jan 14 10:02:14 2014 GMT
        Next Update: Feb 14 10:02:14 2014 GMT

--
View this message in context: http://openssl.6102.n7.nabble.com/MODSSL-RFC-2560-tp48136p48141.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
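The two trust models the poster contrasts can be reproduced offline with nothing but the openssl binary, by running a local `openssl ocsp` responder once as a delegated responder (certificate issued by the client's CA, with the OCSPSigning EKU) and once as a stand-alone trusted responder (self-signed key that chains to nothing in the client's trust store). The script below is an added example written for this page, not code from the thread or from the OpenSSL or Apache projects; every name, serial number, port and file name in it is a constructed assumption. It shows the delegated responder verifying without `-VAfile`, the trusted responder failing verification without `-VAfile`, and the same trusted responder verifying once it is named explicitly with `-VAfile`, which is the RFC 2560 "trusted responder" case the poster asks about.

```shell
#!/bin/sh
# Added example (not from the original thread): reproduce the delegated vs
# trusted OCSP responder trust models of RFC 2560 against a local
# `openssl ocsp` responder. All names, serials, ports and file names below
# are constructed for this demo and are assumptions, not values from the thread.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles for the constructed certificates (assumed sections).
cat > ext.cnf <<'EOF'
[ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ee]
basicConstraints = CA:FALSE
[ocsp]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = OCSPSigning
EOF

# Make a key and CSR: $1 = base file name, $2 = CN.
csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=$2" 2>/dev/null
}

# Sign a CSR: $1 = base name, $2 = issuer base name or "self", $3 = serial, $4 = ext section.
sign() {
    if [ "$2" = self ]; then
        openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 365 -set_serial "$3" \
            -extfile ext.cnf -extensions "$4" -out "$1.pem" 2>/dev/null
    else
        openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -days 365 \
            -set_serial "$3" -extfile ext.cnf -extensions "$4" -out "$1.pem" 2>/dev/null
    fi
}

csr root "Demo Root CA";            sign root    self 0x01   ca
csr int  "Demo Issuing CA";         sign int     root 0x02   ca
csr cc   "demo-client";             sign cc      int  0x1001 ee
# Delegated responder: issued by the same CA as cc, carries the OCSPSigning EKU.
csr deleg "Demo Delegated OCSP";    sign deleg   int  0x03   ocsp
# Trusted responder: self-signed, so it chains to nothing in the client's store.
csr trusted "Demo Trusted OCSP VA"; sign trusted self 0x04   ocsp
cat root.pem int.pem > chain.pem

# Minimal "openssl ca"-style index: serial 1001 (hex) is valid (V). Tab-separated, 6 fields.
printf 'V\t300101000000Z\t\t1001\tunknown\t/CN=demo-client\n' > index.txt

# Start a one-shot responder on port $1 signing with $2.pem/$2.key, then query
# cc's status with any extra client flags ($3...). Prints OK or FAIL according
# to the client's own "Response verify OK" / "Response Verify Failure" verdict.
ocsp_check() {
    port=$1; signer=$2; shift 2
    openssl ocsp -index index.txt -CA int.pem -rsigner "$signer.pem" -rkey "$signer.key" \
        -port "$port" -nrequest 1 >/dev/null 2>&1 &
    tries=0
    while :; do
        out=$(openssl ocsp -CAfile chain.pem -issuer int.pem -cert cc.pem -no_nonce \
                -url "http://127.0.0.1:$port" "$@" 2>&1) || true
        case $out in
            *"Response verify OK"*)      echo OK;   return 0 ;;
            *"Response Verify Failure"*) echo FAIL; return 0 ;;
        esac
        # Responder may not be listening yet; retry a few times.
        tries=$((tries + 1))
        [ "$tries" -lt 15 ] || { echo NO_RESPONSE; return 1; }
        sleep 1
    done
}

echo "delegated responder, no -VAfile:   $(ocsp_check 18081 deleg)"
echo "trusted responder,   no -VAfile:   $(ocsp_check 18082 trusted)"
echo "trusted responder,   with -VAfile: $(ocsp_check 18083 trusted -VAfile trusted.pem)"
```

The first query succeeds because the responder certificate is issued by the same CA as the certificate being checked and carries the OCSPSigning EKU, so the client accepts it under the delegated model without any extra configuration. The second fails because the self-signed responder certificate cannot be chained to anything in `-CAfile`, which is the same class of failure the poster sees for Trust Point 2. The third passes only because `-VAfile` makes that responder certificate explicitly trusted, which is the knob the thread says mod_ssl lacks.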