MODSSL: RFC 2560

2014-01-14 Thread socket
Hey all, I am wondering if anyone here could point me in the right direction
or even assist with a problem I am having.

According to RFC 2560:

All definitive response messages SHALL be digitally signed. The key
   used to sign the response MUST belong to one of the following:

   -- the CA who issued the certificate in question
 *  -- a Trusted Responder whose public key is trusted by the requester*
   -- a CA Designated Responder (Authorized Responder) who holds a
  specially marked certificate issued directly by the CA, indicating
  that the responder may issue OCSP responses for that CA

I have Root CA1 (RCA1) and Root CA2 (RCA2). Also, I have Intermediate
Authority 1 (IA1) and Intermediate Authority 2 (IA2). I have an OCSP signing
certificate issued from IA1 (ocsp1).
I have apache 2.4 configured with trust for rca1, rca2, ia1, ia2 and I am
able to use client authentication to login with either client cert 1 (cc1)
or Client Cert 2 (cc2).

However, when I enable OCSP it acts differently:
SSLVerifyClient on
SSLVerifyDepth  4
SSLOCSPEnable on
SSLOCSPDefaultResponder http://rsp.domain.com:80/
SSLOCSPOverrideResponder on

I am able to successfully validate cc1 and any other client certificates
issued from ia1.  However, when I try to use cc2, I get the following error:
*SSL Library Error: error:27069070:OCSP routines:OCSP_basic_verify:root ca
not trusted*

Looking at a post in the past:
http://openssl.6102.n7.nabble.com/OCSP-basic-verify-root-ca-not-trusted-td24451.html

it seems that the RFC should allow me to explicitly declare a trusted
responder certificate for the client machine (in this case the client is the
httpd 2.4 server). However it doesn't seem that mod_ssl allows me to declare
this. 

I would like to know: 
Am I right in thinking I should be able to do this?
Who currently supports mod_ssl and how would I present a change request?
Does mod_ssl currently support this feature unbeknownst to me?
If not, would anyone be willing to teach me how to modify mod_ssl to support
something like: *'SSLOCSPTrusted_responder
/etc/pki/tls/certs/trustedresponder.pem'*
Other applications like openssl and corestreet desktop validation client
allow you to explicitly configure a trusted responder cert.
eg: openssl ocsp -CAfile rca2 -issuer ia2 -cert cc2 -VAfile ocsp1 -url
http://rsp.domain.com:80
cc2: good
This Update: Jan 14 10:02:14 2014 GMT
Next Update: Feb 14 10:02:14 2014 GMT



--
View this message in context: 
http://openssl.6102.n7.nabble.com/MODSSL-RFC-2560-tp48136.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org


Re: MODSSL: RFC 2560

2014-01-14 Thread Dr. Stephen Henson
On Tue, Jan 14, 2014, socket wrote:

 Hey all, I am wondering if anyone here could point me in the right direction
 or even assist with a problem I am having.
 
 According to RFC 2560:
 
 All definitive response messages SHALL be digitally signed. The key
used to sign the response MUST belong to one of the following:
 
-- the CA who issued the certificate in question
  *  -- a Trusted Responder whose public key is trusted by the requester*
-- a CA Designated Responder (Authorized Responder) who holds a
   specially marked certificate issued directly by the CA, indicating
   that the responder may issue OCSP responses for that CA
 
 I have Root CA1 (RCA1) and Root CA2 (RCA2). Also, I have Intermediate
 Authority 1 (IA1) and Intermediate Authority 2 (IA2). I have an OCSP signing
 certificate issued from IA1 (ocsp1).
 I have apache 2.4 configured with trust for rca1, rca2, ia1, ia2 and I am
 able to use client authentication to login with either client cert 1 (cc1)
 or Client Cert 2 (cc2).
 
 However, when I enable OCSP it acts differently:
 SSLVerifyClient on
 SSLVerifyDepth  4
 SSLOCSPEnable on
 SSLOCSPDefaultResponder http://rsp.domain.com:80/
 SSLOCSPOverrideResponder on
 
 I am able to successfully validate cc1 and any other client certificates
 issued from ia1.  However, when I try to use cc2, I get the following error:
 *SSL Library Error: error:27069070:OCSP routines:OCSP_basic_verify:root ca
 not trusted*
 

It isn't entirely clear which certificate belongs to which chain and what the
chains are. I'd say from your description that one client certificate supports
the OCSP delegated model directly and doesn't need explicit trust while the
other does not.

It should be possible to add explicit trust to the root CA. See the ocsp
manual page for OpenSSL for details.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: MODSSL: RFC 2560

2014-01-14 Thread socket
What I am saying is that one falls into the delegated trust model, and one
does not, but I should be able to validate either because RFC 2560 allows
for a Trusted Responder whose public key is trusted by the requester. I am
asking if mod_ssl in apache 2.4.x is RFC compliant. It seems to me openssl
supports this explicitly via the -VAfile flag, but mod_ssl doesn't.

*Trustpoint 1:*

[root@va][/usr/local/apache2/conf]
openssl verify -CAfile rca1 cc1
cc1: OK

[root@va][/usr/local/apache2/conf]
openssl ocsp -CAfile rca1 -issuer rca1 -cert cc1 -no_nonce -url
http://localhost:3503
Response verify OK
cc1: good
This Update: Jan 10 21:16:11 2014 GMT
Next Update: Jan 18 09:36:11 2014 GMT

*Trust Point 2:*

[root@va][/usr/local/apache2/conf]
openssl verify -CAfile rca2 ia2
ia2: OK

[root@va][/usr/local/apache2/conf]
openssl verify -CAfile rca2 cc2
cc2: OK

[root@va][/usr/local/apache2/conf]
openssl ocsp -CAfile rca2 -issuer ia2 -cert cc2 -no_nonce -url
http://localhost:3503
Response Verify Failure
140278240200520:error:27069065:OCSP routines:OCSP_basic_verify:certificate
verify error:ocsp_vfy.c:126:Verify error:unable to get local issuer
certificate
cc2: good
This Update: Jan 14 10:02:14 2014 GMT
Next Update: Feb 14 10:02:14 2014 GMT

*But if I explicitly declare the trusted VA,* I get no errors:
[root@va][/usr/local/apache2/conf]
openssl ocsp -CAfile rca2 -issuer ia2 -cert cc2 -no_nonce *-VAfile ocsp1*
-url http://localhost:3503
Response verify OK
cc2: good
This Update: Jan 14 10:02:14 2014 GMT
Next Update: Feb 14 10:02:14 2014 GMT


Re: MODSSL: RFC 2560

2014-01-14 Thread Dr. Stephen Henson
On Tue, Jan 14, 2014, socket wrote:

 What I am saying is that one falls into the delegated trust model, and one
 does not, but I should be able to validate either because RFC 2560 allows
 for a Trusted Responder whose public key is trusted by the requester. I am
 asking if mod_ssl in apache 2.4.x is RFC compliant. It seems to me openssl
 supports this explicitly via the -VAfile flag, but mod_ssl doesn't.
 

You don't need the -VAfile option. You can add explicit trust to the root PEM
file of the responder chain. See the ocsp manual page for details. If you
include that trusted root CA PEM file in the mod_ssl trusted certificate store
it should work.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: [openssl-users] MODSSL: RFC 2560

2014-01-14 Thread Erwann Abalea

Good evening,

On 14/01/2014 19:44, socket wrote:

Hey all, I am wondering if anyone here could point me in the right direction
or even assist with a problem I am having.

According to RFC 2560:

All definitive response messages SHALL be digitally signed. The key
used to sign the response MUST belong to one of the following:

-- the CA who issued the certificate in question
  *  -- a Trusted Responder whose public key is trusted by the requester*
-- a CA Designated Responder (Authorized Responder) who holds a
   specially marked certificate issued directly by the CA, indicating
   that the responder may issue OCSP responses for that CA

[...]
I am able to successfully validate cc1 and any other client certificates
issued from ia1.  However, when I try to use cc2, I get the following error:
*SSL Library Error: error:27069070:OCSP routines:OCSP_basic_verify:root ca
not trusted*

Looking at a post in the past:
http://openssl.6102.n7.nabble.com/OCSP-basic-verify-root-ca-not-trusted-td24451.html

it seems that the RFC should allow me to explicitly declare a trusted
responder certificate for the client machine (in this case the client is the
httpd 2.4 server). However it doesn't seem that mod_ssl allows me to declare
this.

I would like to know:
Am I right in thinking I should be able to do this?


That's a strange question. You *want* to do this, so you have to find 
software that allows this. If you randomly chose software that 
doesn't, you may have a hard time explaining that this software 
*should* allow this.



Who currently supports mod_ssl and how would I present a change request?


mod_ssl is part of the Apache HTTP server, so it's fully maintained by the 
Apache Foundation; you should visit 
http://projects.apache.org/projects/http_server.html



Does mod_ssl currently support this feature unbeknownst to me?


It seems it doesn't, but I only looked at the documentation, not the 
source code.



If not, would anyone be willing to teach me how to modify mod_ssl to support
something like: *'SSLOCSPTrusted_responder
/etc/pki/tls/certs/trustedresponder.pem'*


You'll have to learn how Apache modules are coded, add a configuration 
directive for mod_ssl, add a field in this module's config structure to 
hold the VA file, and use whatever this field contains when OCSP 
validation happens (that's where OpenSSL comes in).
Optionally, you may find it interesting to contribute your enhancement back 
to Apache httpd; otherwise you'll have to apply your patch each time you want 
to upgrade your httpd version for security reasons.


I bought The Apache Modules Book, by Nick Kew, and found it helpful 
for my projects. Working with OpenSSL since its very beginning helps a lot.



Other applications like openssl and corestreet desktop validation client
allow you to explicitly configure a trusted responder cert.
eg: openssl ocsp -CAfile rca2 -issuer ia2 -cert cc2 -VAfile ocsp1 -url
http://rsp.domain.com:80


That means the PKI core (OpenSSL) is able to do what you're looking for. 
That's a good start.
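As an added illustration of the discussion above (not code from the thread, OpenSSL or mod_ssl), the following stdlib-only Python models the RFC 2560 signer-acceptance rules quoted in the first post together with the two OpenSSL mechanisms the replies name: a trusted responder supplied with -VAfile, and explicit OCSP-signing trust on the root of the responder's chain. The certificate names are the poster's labels; the chain layout (rca1 -> ia1 -> {ocsp1, cc1}, rca2 -> ia2 -> cc2, ocsp1 signing every response) is an assumption, and the rules are a simplification of what OpenSSL actually checks.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    name: str
    issuer: str = ""                # "" marks a self-signed root
    ocsp_signing_eku: bool = False  # id-kp-OCSPSigning extended key usage
    ocsp_trust: bool = False        # explicit trust, as set by "openssl x509 -addtrust OCSPSigning"

def build_chain(signer, store):
    """Follow issuer links from the signer up to a self-signed root held in the store."""
    chain = [signer]
    while chain[-1].issuer:
        parent = store.get(chain[-1].issuer)
        if parent is None:
            return None
        chain.append(parent)
    return chain

def ocsp_signer_ok(signer, target_issuer, store, va_file=frozenset()):
    """Decide whether a response signed by `signer` is acceptable for a cert issued by `target_issuer`."""
    # RFC 2560: a Trusted Responder whose public key is trusted by the requester (openssl ocsp -VAfile).
    if signer.name in va_file:
        return True, "trusted responder (-VAfile)"
    # Every other case first needs a chain from the signer to a root present in the store.
    chain = build_chain(signer, store)
    if chain is None:
        return False, "unable to get local issuer certificate"
    # RFC 2560: the CA who issued the certificate in question.
    if signer.name == target_issuer.name:
        return True, "signed by the issuing CA"
    # RFC 2560: a CA Designated Responder, issued directly by that CA and marked for OCSP signing.
    if signer.issuer == target_issuer.name and signer.ocsp_signing_eku:
        return True, "CA designated responder"
    # Otherwise the root of the responder's chain must carry explicit OCSP trust (Steve's advice).
    if chain[-1].ocsp_trust:
        return True, "root explicitly trusted for OCSP signing"
    return False, "root ca not trusted"

def thread_scenario():
    """Constructed layout (assumption): rca1 -> ia1 -> {ocsp1, cc1}; rca2 -> ia2 -> cc2."""
    rca1, ia1 = Cert("rca1"), Cert("ia1", "rca1")
    ocsp1, cc1 = Cert("ocsp1", "ia1", ocsp_signing_eku=True), Cert("cc1", "ia1")
    rca2, ia2, cc2 = Cert("rca2"), Cert("ia2", "rca2"), Cert("cc2", "ia2")
    store = {c.name: c for c in (rca1, ia1, rca2, ia2)}   # what mod_ssl is configured to trust
    cafile_rca2 = {"rca2": rca2, "ia2": ia2}               # openssl ocsp -CAfile rca2 only
    return {
        "cc1 via mod_ssl": ocsp_signer_ok(ocsp1, ia1, store),
        "cc2 via mod_ssl": ocsp_signer_ok(ocsp1, ia2, store),
        "cc2 -CAfile rca2": ocsp_signer_ok(ocsp1, ia2, cafile_rca2),
        "cc2 -VAfile ocsp1": ocsp_signer_ok(ocsp1, ia2, cafile_rca2, va_file={"ocsp1"}),
        "cc2 trusted root": ocsp_signer_ok(ocsp1, ia2, {**store, "rca1": Cert("rca1", ocsp_trust=True)}),
    }

if __name__ == "__main__":
    for case, (ok, why) in thread_scenario().items():
        print(f"{case:20} {'OK  ' if ok else 'FAIL'} {why}")
```

The two failing cases reproduce the thread's two error strings (the mod_ssl store holds rca1 but does not trust it for OCSP signing; the -CAfile rca2 run cannot build the responder's chain at all), and the last two show the -VAfile workaround and the explicit-root-trust fix both succeeding.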