Re: [ipxe-devel] ipxe.org OCSP server check
On Mon, Oct 30, 2023 at 08:47:31PM +, Geert Stappers via ipxe-devel wrote:
> On Mon, Sep 04, 2023 at 11:21:00AM +, Michael Brown via ipxe-devel wrote:
> >
> > When using the openssl tools, you need to specify the iPXE root CA as the
> > root of trust in order to match iPXE's verification results. For the ocsp
> > subcommand, the relevant option is "-CAfile". For example:
> >
> > $ wget -q https://ca.ipxe.org/ca.crt
> > $ wget -q https://ca.ipxe.org/cross-ca.crt
> > $ wget -q https://ca.ipxe.org/cross/cross-gts-root-r4.crt
> >
> > $ openssl ocsp -CAfile ca.crt -issuer ca.crt \
> >   -cert cross-ca.crt \
> >   -url http://ocsp.ipxe.org/ocsp/root/
> > Response verify OK
> > cross-ca.crt: good
> > This Update: Sep 1 11:01:57 2023 GMT
> > Next Update: Sep 4 11:22:25 2023 GMT
> >
> > $ openssl ocsp -CAfile ca.crt -issuer cross-ca.crt \
> >   -cert cross-gts-root-r4.crt \
> >   -url http://ocsp.ipxe.org/ocsp/cross/
> > Response verify OK
> > cross-digicert-assured-id-root-ca.crt: good
> > This Update: Sep 1 11:02:47 2023 GMT
> > Next Update: Sep 4 11:22:43 2023 GMT
>
> Ah, thanks, for future "copy and paste":
>
> 8<---8<---8<---
>
> wget -q https://ca.ipxe.org/ca.crt
> wget -q https://ca.ipxe.org/cross-ca.crt
> wget -q https://ca.ipxe.org/cross/cross-gts-root-r4.crt
>
> ls -ltr *.crt
>
> openssl ocsp -CAfile ca.crt -issuer ca.crt \
>   -cert cross-ca.crt \
>   -url http://ocsp.ipxe.org/ocsp/root/
>
> openssl ocsp -CAfile ca.crt -issuer cross-ca.crt \
>   -cert cross-gts-root-r4.crt \
>   -url http://ocsp.ipxe.org/ocsp/cross/
>
> echo rm *.crt
>
> 8<---8<---8<---
>
> Output I got today:
>
> -rw-r--r-- 1 stappers stappers 1383 18 mrt 2012 ca.crt
> -rw-r--r-- 1 stappers stappers 1229 29 feb 2016 cross-ca.crt
> -rw--- 1 stappers stappers 1180 1 okt 10:36 cross-gts-root-r4.crt
> Response verify OK
> cross-ca.crt: good
> This Update: Oct 1 08:01:19 2023 GMT
> Next Update: Oct 30 20:39:51 2023 GMT
> Response verify OK
> cross-gts-root-r4.crt: good
> This Update: Oct 1 08:36:38 2023 GMT
> Next Update: Oct 30 20:39:51 2023 GMT
> rm ca.crt cross-ca.crt cross-gts-root-r4.crt
>
> Regards
> Geert Stappers
> Back in a few days

-rw-r--r-- 1 stappers stappers 1383 18 mrt 2012 ca.crt
-rw-r--r-- 1 stappers stappers 1229 29 feb 2016 cross-ca.crt
-rw-r--r-- 1 stappers stappers 1180 1 nov 13:39 cross-gts-root-r4.crt
Response verify OK
cross-ca.crt: good
This Update: Nov 1 11:59:31 2023 GMT
Next Update: Nov 1 19:37:17 2023 GMT
Response verify OK
cross-gts-root-r4.crt: good
This Update: Nov 1 12:39:02 2023 GMT
Next Update: Nov 1 19:37:17 2023 GMT

Regards
Geert Stappers
--
Silence is hard to parse

___
ipxe-devel mailing list
ipxe-devel@lists.ipxe.org
https://lists.ipxe.org/mailman/listinfo/ipxe-devel
Re: [ipxe-devel] ipxe.org OCSP server check
On Mon, Sep 04, 2023 at 11:21:00AM +, Michael Brown via ipxe-devel wrote:
> On 03/09/2023 11:11, Geert Stappers via ipxe-devel wrote:
> > When I do
> >
> > How to deal with those verify errors?
>
> When using the openssl tools, you need to specify the iPXE root CA as the
> root of trust in order to match iPXE's verification results. For the ocsp
> subcommand, the relevant option is "-CAfile". For example:
>
> $ wget -q https://ca.ipxe.org/ca.crt
> $ wget -q https://ca.ipxe.org/cross-ca.crt
> $ wget -q https://ca.ipxe.org/cross/cross-gts-root-r4.crt
>
> $ openssl ocsp -CAfile ca.crt -issuer ca.crt \
>   -cert cross-ca.crt \
>   -url http://ocsp.ipxe.org/ocsp/root/
> Response verify OK
> cross-ca.crt: good
> This Update: Sep 1 11:01:57 2023 GMT
> Next Update: Sep 4 11:22:25 2023 GMT
>
> $ openssl ocsp -CAfile ca.crt -issuer cross-ca.crt \
>   -cert cross-gts-root-r4.crt \
>   -url http://ocsp.ipxe.org/ocsp/cross/
> Response verify OK
> cross-digicert-assured-id-root-ca.crt: good
> This Update: Sep 1 11:02:47 2023 GMT
> Next Update: Sep 4 11:22:43 2023 GMT

Ah, thanks, for future "copy and paste":

8<---8<---8<---

wget -q https://ca.ipxe.org/ca.crt
wget -q https://ca.ipxe.org/cross-ca.crt
wget -q https://ca.ipxe.org/cross/cross-gts-root-r4.crt

ls -ltr *.crt

openssl ocsp -CAfile ca.crt -issuer ca.crt \
  -cert cross-ca.crt \
  -url http://ocsp.ipxe.org/ocsp/root/

openssl ocsp -CAfile ca.crt -issuer cross-ca.crt \
  -cert cross-gts-root-r4.crt \
  -url http://ocsp.ipxe.org/ocsp/cross/

echo rm *.crt

8<---8<---8<---

Output I got today:

-rw-r--r-- 1 stappers stappers 1383 18 mrt 2012 ca.crt
-rw-r--r-- 1 stappers stappers 1229 29 feb 2016 cross-ca.crt
-rw--- 1 stappers stappers 1180 1 okt 10:36 cross-gts-root-r4.crt
Response verify OK
cross-ca.crt: good
This Update: Oct 1 08:01:19 2023 GMT
Next Update: Oct 30 20:39:51 2023 GMT
Response verify OK
cross-gts-root-r4.crt: good
This Update: Oct 1 08:36:38 2023 GMT
Next Update: Oct 30 20:39:51 2023 GMT
rm ca.crt cross-ca.crt cross-gts-root-r4.crt

Regards
Geert Stappers
Back in a few days
--
Silence is hard to parse
Re: [ipxe-devel] ipxe.org OCSP server check
On 03/09/2023 11:11, Geert Stappers via ipxe-devel wrote:
> When I do
>
> wget http://ca.ipxe.org/cross-ca.crt && \
> wget https://ca.ipxe.org/ca.crt && \
> openssl x509 -in cross-ca.crt -ocsp_uri -noout && \
> openssl ocsp -issuer ca.crt -cert cross-ca.crt -text -url http://ocsp.ipxe.org/ocsp/root/
>
> I get output that ends with
>
> Response Verify Failure
> 3072317184:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:../crypto/ocsp/ocsp_vfy.c:92:Verify error:unable to get local issuer certificate
> 3072317184:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:../crypto/ocsp/ocsp_vfy.c:92:Verify error:self signed certificate in certificate chain
> cross-ca.crt: good
> This Update: Sep 1 11:01:57 2023 GMT
> Next Update: Sep 3 09:50:03 2023 GMT
>
> How to deal with those verify errors?

When using the openssl tools, you need to specify the iPXE root CA as the
root of trust in order to match iPXE's verification results. For the ocsp
subcommand, the relevant option is "-CAfile". For example:

$ wget -q https://ca.ipxe.org/ca.crt
$ wget -q https://ca.ipxe.org/cross-ca.crt
$ wget -q https://ca.ipxe.org/cross/cross-gts-root-r4.crt

$ openssl ocsp -CAfile ca.crt -issuer ca.crt \
  -cert cross-ca.crt \
  -url http://ocsp.ipxe.org/ocsp/root/
Response verify OK
cross-ca.crt: good
This Update: Sep 1 11:01:57 2023 GMT
Next Update: Sep 4 11:22:25 2023 GMT

$ openssl ocsp -CAfile ca.crt -issuer cross-ca.crt \
  -cert cross-gts-root-r4.crt \
  -url http://ocsp.ipxe.org/ocsp/cross/
Response verify OK
cross-digicert-assured-id-root-ca.crt: good
This Update: Sep 1 11:02:47 2023 GMT
Next Update: Sep 4 11:22:43 2023 GMT

Michael
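An added example, not from the thread or from the iPXE project, that turns the checks discussed above (Geert's copy-and-paste script and Michael's -CAfile answer) into a small pass/fail filter: the first run in this thread printed "cross-ca.crt: good" even though the responder signature had not verified, and that "good" must not be trusted. The function name ocsp_verdict, its verdict words and the sample outputs (constructed from the shapes quoted in the thread) are this example's own.

```shell
# ocsp_verdict CERTFILE  (reads `openssl ocsp ... 2>&1` output from stdin)
# Prints OK, UNVERIFIED, REVOKED, UNKNOWN or NOSTATUS; exit status 0 only for OK.
# Typical use:  openssl ocsp -CAfile ca.crt -issuer ca.crt -cert cross-ca.crt \
#                 -url http://ocsp.ipxe.org/ocsp/root/ 2>&1 | ocsp_verdict cross-ca.crt
ocsp_verdict() {
    cert="$1"
    out=$(cat)
    # 1. The response must have verified against the -CAfile trust anchor;
    #    a "good" status in an unverified response is worthless.
    if ! printf '%s\n' "$out" | grep -q '^Response verify OK'; then
        echo UNVERIFIED
        return 1
    fi
    # 2. Take the status line that names exactly the certificate we asked about.
    status=$(printf '%s\n' "$out" | awk -v c="$cert: " 'index($0, c) == 1 { print $2; exit }')
    case "$status" in
        good)    echo OK;       return 0 ;;
        revoked) echo REVOKED;  return 2 ;;
        unknown) echo UNKNOWN;  return 3 ;;
        *)       echo NOSTATUS; return 4 ;;   # no line for this cert at all
    esac
}

# Constructed samples, shaped like the outputs quoted in the thread.
SAMPLE_OK='Response verify OK
cross-ca.crt: good
This Update: Sep 1 11:01:57 2023 GMT
Next Update: Sep 4 11:22:25 2023 GMT'

SAMPLE_UNVERIFIED='Response Verify Failure
3072317184:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:../crypto/ocsp/ocsp_vfy.c:92:Verify error:unable to get local issuer certificate
cross-ca.crt: good
This Update: Sep 1 11:01:57 2023 GMT
Next Update: Sep 3 09:50:03 2023 GMT'

SAMPLE_REVOKED='Response verify OK
cross-ca.crt: revoked
This Update: Sep 1 11:01:57 2023 GMT'

# Stand-alone demonstration: prints OK, UNVERIFIED, REVOKED.
for s in "$SAMPLE_OK" "$SAMPLE_UNVERIFIED" "$SAMPLE_REVOKED"; do
    printf '%s\n' "$s" | ocsp_verdict cross-ca.crt || :
done
```

Because the status line is matched by certificate file name, a response whose status line names a different file (as in the second output quoted above) is reported as NOSTATUS rather than silently accepted.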