Hello, All!

For certificates issued by "Let's Encrypt Authority X3",
to get an OCSP response from Let's Encrypt I need to use this command:

# openssl ocsp -verify_other chain.pem \
               -issuer chain.pem \
               -cert cert.pem \
               -text \
               -url http://ocsp.int-x3.letsencrypt.org \
               -header "Host" "ocsp.int-x3.letsencrypt.org"

===========================

If I remove '-header "Host" "ocsp.int-x3.letsencrypt.org"'
from the command line I get this error:

Error querying OCSP responder
140274026829712:error:27076072:OCSP routines:PARSE_HTTP_LINE1:server response error:ocsp_ht.c:314:Code=400,Reason=Bad Request

Does the openssl ocsp utility not send a 'Host' header by default?
But why? This looks like a bug.

===========================

If I remove '-verify_other chain.pem' from the command line I get this error:

Response Verify Failure
140272439146384:error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found:ocsp_vfy.c:92:

'man ocsp' says:

       -verify_other file
           file containing additional certificates to search
           when attempting to locate the OCSP response signing
           certificate. Some responders omit the actual signer's
           certificate from the response: this option can be used
           to supply the necessary certificate in such cases.

But why do I need to provide '-verify_other chain.pem'
with the issuer certificate?

As I understand it, RFC 6960 says that only the issuer certificate
is required for OCSP response verification.

This looks like a bug in the OpenSSL library / openssl ocsp utility.

--
Best regards,
 Gena
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
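The two caveats raised in the post (the responder rejects requests without a Host header, and the response is signed by the issuer itself so the chain must be passed as -verify_other) can be folded into a small wrapper. This is an added example, not code from the post or from OpenSSL: `ocsp_host_from_url`, `ocsp_interpret` and `ocsp_check` are names chosen here, the cert/chain file names are assumptions, and the `-header "Host" value` form follows the post's OpenSSL 1.0.x syntax (later releases take `-header name=value` and add the Host header on their own).

```shell
#!/bin/sh
# Added example (not from the original post): wrap "openssl ocsp" so the Host
# header is derived from the responder URL and the issuer chain is also passed
# as -verify_other, then turn the tool's output into a single status word.

# Extract the host part of an http(s) URL: strip scheme, then path, then port.
ocsp_host_from_url() {
    printf '%s\n' "$1" | sed -e 's|^[a-zA-Z]*://||' -e 's|/.*$||' -e 's|:[0-9]*$||'
}

# Interpret captured "openssl ocsp" output (stdout+stderr). Prints one of:
#   query-failed / verify-failed / verified-good / verified-revoked / verified-unknown
# Returns 0 only for verified-good; $2 is the file name given to -cert, which
# openssl prints in front of the status ("cert.pem: good").
ocsp_interpret() {
    out="$1"; cert="$2"
    case "$out" in
        *"Error querying OCSP responder"*) echo query-failed; return 1 ;;
    esac
    case "$out" in
        *"Response verify OK"*) ;;                      # signer located and signature good
        *) echo verify-failed; return 1 ;;             # e.g. "signer certificate not found"
    esac
    case "$out" in
        *"$cert: good"*)    echo verified-good;    return 0 ;;
        *"$cert: revoked"*) echo verified-revoked; return 1 ;;
        *)                  echo verified-unknown; return 1 ;;
    esac
}

# Query the responder named in the certificate's AIA extension.
# Usage: ocsp_check cert.pem chain.pem   (chain.pem holds the issuer certificate)
ocsp_check() {
    cert="$1"; chain="$2"
    url=$(openssl x509 -noout -ocsp_uri -in "$cert")
    [ -n "$url" ] || { echo "no OCSP URI in $cert" >&2; return 2; }
    host=$(ocsp_host_from_url "$url")
    # -issuer identifies the certificate being checked; -verify_other lets the
    # verifier find the signer when the response carries no signer certificate.
    out=$(openssl ocsp -issuer "$chain" -verify_other "$chain" -cert "$cert" \
              -url "$url" -header "Host" "$host" 2>&1)
    ocsp_interpret "$out" "$cert"
}
```

Run it as `ocsp_check cert.pem chain.pem` against the files from the post; the exit status is 0 only when the response verified and reported "good".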