Re: [ipxe-devel] ipxe.org OSCP server check

2023-11-01 Thread Geert Stappers via ipxe-devel
On Mon, Oct 30, 2023 at 08:47:31PM +, Geert Stappers via ipxe-devel wrote:
> On Mon, Sep 04, 2023 at 11:21:00AM +, Michael Brown via ipxe-devel wrote:
> > 
> > When using the openssl tools, you need to specify the iPXE root CA as the
> > root of trust in order to match iPXE's verification results.  For the ocsp
> > subcommand, the relevant option is "-CAfile".  For example:
> > 
> >   $ wget -q https://ca.ipxe.org/ca.crt
> >   $ wget -q https://ca.ipxe.org/cross-ca.crt
> >   $ wget -q https://ca.ipxe.org/cross/cross-gts-root-r4.crt
> > 
> >   $ openssl ocsp -CAfile ca.crt -issuer ca.crt \
> >  -cert cross-ca.crt \
> >  -url http://ocsp.ipxe.org/ocsp/root/
> >   Response verify OK
> >   cross-ca.crt: good
> >   This Update: Sep  1 11:01:57 2023 GMT
> >   Next Update: Sep  4 11:22:25 2023 GMT
> > 
> >   $ openssl ocsp -CAfile ca.crt -issuer cross-ca.crt \
> >  -cert cross-gts-root-r4.crt \
> >  -url http://ocsp.ipxe.org/ocsp/cross/
> >   Response verify OK
> >   cross-digicert-assured-id-root-ca.crt: good
> >   This Update: Sep  1 11:02:47 2023 GMT
> >   Next Update: Sep  4 11:22:43 2023 GMT
> > 
> 
> Ah, thanks, for future "copy and paste":
> 
> 8<---8<---8<---
> 
> wget -q https://ca.ipxe.org/ca.crt
> wget -q https://ca.ipxe.org/cross-ca.crt
> wget -q https://ca.ipxe.org/cross/cross-gts-root-r4.crt
> 
> ls -ltr  *.crt
> 
> openssl ocsp -CAfile ca.crt -issuer ca.crt \
>  -cert cross-ca.crt \
>  -url http://ocsp.ipxe.org/ocsp/root/
> 
> openssl ocsp -CAfile ca.crt -issuer cross-ca.crt \
>  -cert cross-gts-root-r4.crt \
>  -url http://ocsp.ipxe.org/ocsp/cross/
> 
> echo rm *.crt
>  
> 8<---8<---8<---
> 
> Output I got today:
> 
> 
> -rw-r--r-- 1 stappers stappers 1383 18 mrt  2012 ca.crt
> -rw-r--r-- 1 stappers stappers 1229 29 feb  2016 cross-ca.crt
> -rw--- 1 stappers stappers 1180  1 okt 10:36 cross-gts-root-r4.crt
> Response verify OK
> cross-ca.crt: good
>   This Update: Oct  1 08:01:19 2023 GMT
>   Next Update: Oct 30 20:39:51 2023 GMT
> Response verify OK
> cross-gts-root-r4.crt: good
>   This Update: Oct  1 08:36:38 2023 GMT
>   Next Update: Oct 30 20:39:51 2023 GMT
> rm ca.crt cross-ca.crt cross-gts-root-r4.crt
> 
> 
> 
> Groeten
> Geert Stappers
> Back in a few days


-rw-r--r-- 1 stappers stappers 1383 18 mrt  2012 ca.crt
-rw-r--r-- 1 stappers stappers 1229 29 feb  2016 cross-ca.crt
-rw-r--r-- 1 stappers stappers 1180  1 nov 13:39 cross-gts-root-r4.crt
Response verify OK
cross-ca.crt: good
This Update: Nov  1 11:59:31 2023 GMT
Next Update: Nov  1 19:37:17 2023 GMT
Response verify OK
cross-gts-root-r4.crt: good
This Update: Nov  1 12:39:02 2023 GMT
Next Update: Nov  1 19:37:17 2023 GMT



Groeten
Geert Stappers
-- 
Silence is hard to parse
___
ipxe-devel mailing list
ipxe-devel@lists.ipxe.org
https://lists.ipxe.org/mailman/listinfo/ipxe-devel


Re: [ipxe-devel] ipxe.org OSCP server check

2023-10-30 Thread Geert Stappers via ipxe-devel
On Mon, Sep 04, 2023 at 11:21:00AM +, Michael Brown via ipxe-devel wrote:
> On 03/09/2023 11:11, Geert Stappers via ipxe-devel wrote:
> > When I do
> >
> > How to deal with those verify errors?
> 
> When using the openssl tools, you need to specify the iPXE root CA as the
> root of trust in order to match iPXE's verification results.  For the ocsp
> subcommand, the relevant option is "-CAfile".  For example:
> 
>   $ wget -q https://ca.ipxe.org/ca.crt
>   $ wget -q https://ca.ipxe.org/cross-ca.crt
>   $ wget -q https://ca.ipxe.org/cross/cross-gts-root-r4.crt
> 
>   $ openssl ocsp -CAfile ca.crt -issuer ca.crt \
>  -cert cross-ca.crt \
>  -url http://ocsp.ipxe.org/ocsp/root/
>   Response verify OK
>   cross-ca.crt: good
>   This Update: Sep  1 11:01:57 2023 GMT
>   Next Update: Sep  4 11:22:25 2023 GMT
> 
>   $ openssl ocsp -CAfile ca.crt -issuer cross-ca.crt \
>  -cert cross-gts-root-r4.crt \
>  -url http://ocsp.ipxe.org/ocsp/cross/
>   Response verify OK
>   cross-digicert-assured-id-root-ca.crt: good
>   This Update: Sep  1 11:02:47 2023 GMT
>   Next Update: Sep  4 11:22:43 2023 GMT
> 

Ah, thanks, for future "copy and paste":

8<---8<---8<---

wget -q https://ca.ipxe.org/ca.crt
wget -q https://ca.ipxe.org/cross-ca.crt
wget -q https://ca.ipxe.org/cross/cross-gts-root-r4.crt

ls -ltr  *.crt

openssl ocsp -CAfile ca.crt -issuer ca.crt \
 -cert cross-ca.crt \
 -url http://ocsp.ipxe.org/ocsp/root/

openssl ocsp -CAfile ca.crt -issuer cross-ca.crt \
 -cert cross-gts-root-r4.crt \
 -url http://ocsp.ipxe.org/ocsp/cross/

echo rm *.crt
 
8<---8<---8<---

Output I got today:


-rw-r--r-- 1 stappers stappers 1383 18 mrt  2012 ca.crt
-rw-r--r-- 1 stappers stappers 1229 29 feb  2016 cross-ca.crt
-rw--- 1 stappers stappers 1180  1 okt 10:36 cross-gts-root-r4.crt
Response verify OK
cross-ca.crt: good
This Update: Oct  1 08:01:19 2023 GMT
Next Update: Oct 30 20:39:51 2023 GMT
Response verify OK
cross-gts-root-r4.crt: good
This Update: Oct  1 08:36:38 2023 GMT
Next Update: Oct 30 20:39:51 2023 GMT
rm ca.crt cross-ca.crt cross-gts-root-r4.crt



Groeten
Geert Stappers
Back in a few days
-- 
Silence is hard to parse


Re: [ipxe-devel] ipxe.org OSCP server check

2023-09-04 Thread Michael Brown via ipxe-devel

On 03/09/2023 11:11, Geert Stappers via ipxe-devel wrote:
> When I do
>    wget http://ca.ipxe.org/cross-ca.crt && \
>    wget https://ca.ipxe.org/ca.crt && \
>    openssl x509 -in cross-ca.crt -ocsp_uri -noout && \
>    openssl ocsp -issuer ca.crt -cert cross-ca.crt -text -url http://ocsp.ipxe.org/ocsp/root/
> 
> I get output that ends with
> 
> Response Verify Failure
> 3072317184:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:../crypto/ocsp/ocsp_vfy.c:92:Verify error:unable to get local issuer certificate
> 3072317184:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:../crypto/ocsp/ocsp_vfy.c:92:Verify error:self signed certificate in certificate chain
> cross-ca.crt: good
> This Update: Sep  1 11:01:57 2023 GMT
> Next Update: Sep  3 09:50:03 2023 GMT
> 
> How to deal with those verify errors?


When using the openssl tools, you need to specify the iPXE root CA as 
the root of trust in order to match iPXE's verification results.  For 
the ocsp subcommand, the relevant option is "-CAfile".  For example:


  $ wget -q https://ca.ipxe.org/ca.crt
  $ wget -q https://ca.ipxe.org/cross-ca.crt
  $ wget -q https://ca.ipxe.org/cross/cross-gts-root-r4.crt

  $ openssl ocsp -CAfile ca.crt -issuer ca.crt \
 -cert cross-ca.crt \
 -url http://ocsp.ipxe.org/ocsp/root/
  Response verify OK
  cross-ca.crt: good
  This Update: Sep  1 11:01:57 2023 GMT
  Next Update: Sep  4 11:22:25 2023 GMT

  $ openssl ocsp -CAfile ca.crt -issuer cross-ca.crt \
 -cert cross-gts-root-r4.crt \
 -url http://ocsp.ipxe.org/ocsp/cross/
  Response verify OK
  cross-digicert-assured-id-root-ca.crt: good
  This Update: Sep  1 11:02:47 2023 GMT
  Next Update: Sep  4 11:22:43 2023 GMT

Michael
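As an added example (not code from this thread or from the iPXE project): a small Python check that parses the text `openssl ocsp` prints and treats the run as a pass only when the response signature verified against the trust anchor given with -CAfile, every certificate status is "good", and Next Update has not passed. The point it illustrates is the one in the exchange above: the run without -CAfile also printed "cross-ca.crt: good", but that status is unverified and must count as a failure. The two sample outputs are constructed from the lines quoted in this thread; the names `parse_ocsp_output`, `evaluate`, `ocsp_command` and `run_check` are chosen here, and `run_check` needs the .crt files and network access, so only the parsing and evaluation are exercised offline.

```python
"""Monitoring-style evaluation of `openssl ocsp` output (added example)."""
import re
import subprocess
from datetime import datetime, timezone

# Constructed sample: the successful output shown in the thread (with -CAfile).
GOOD_OUTPUT = """Response verify OK
cross-ca.crt: good
        This Update: Sep  1 11:01:57 2023 GMT
        Next Update: Sep  4 11:22:25 2023 GMT
"""

# Constructed sample: the output from the original question (no -CAfile).
# The responder still says "good", but the response signature could not be
# chained to a trust anchor, so the status means nothing.
FAILED_OUTPUT = """Response Verify Failure
3072317184:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:../crypto/ocsp/ocsp_vfy.c:92:Verify error:unable to get local issuer certificate
cross-ca.crt: good
        This Update: Sep  1 11:01:57 2023 GMT
        Next Update: Sep  3 09:50:03 2023 GMT
"""

_TIME_FMT = "%b %d %H:%M:%S %Y GMT"
_STATUS_RE = re.compile(r"^(\S+): (good|revoked|unknown)$")


def _parse_time(text):
    """'Sep  1 11:01:57 2023 GMT' -> timezone-aware UTC datetime."""
    normalised = " ".join(text.split())
    return datetime.strptime(normalised, _TIME_FMT).replace(tzinfo=timezone.utc)


def parse_ocsp_output(text):
    """Extract verify result, per-certificate status and validity window."""
    result = {"verified": False, "status": {}, "this_update": None,
              "next_update": None, "errors": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Response verify OK":
            result["verified"] = True
        elif line.startswith("Response Verify Failure"):
            result["verified"] = False
        elif ":error:" in line:
            result["errors"].append(line)
        elif line.startswith("This Update:"):
            result["this_update"] = _parse_time(line[len("This Update:"):])
        elif line.startswith("Next Update:"):
            result["next_update"] = _parse_time(line[len("Next Update:"):])
        else:
            m = _STATUS_RE.match(line)
            if m:
                result["status"][m.group(1)] = m.group(2)
    return result


def evaluate(text, now):
    """Return (ok, problems) for the output as seen at `now` (aware UTC)."""
    r = parse_ocsp_output(text)
    problems = []
    if not r["verified"]:
        # A "good" status is only meaningful if the response signature
        # chains to the trust anchor (-CAfile); otherwise fail the check.
        problems.append("response signature not verified: "
                        + "; ".join(r["errors"]))
    if not r["status"]:
        problems.append("no certificate status found in output")
    for name, status in r["status"].items():
        if status != "good":
            problems.append(f"{name}: {status}")
    if r["this_update"] is None or r["next_update"] is None:
        problems.append("missing This Update / Next Update")
    else:
        if now < r["this_update"]:
            problems.append("This Update is in the future (check the clock)")
        if now > r["next_update"]:
            problems.append("response expired at "
                            + r["next_update"].isoformat())
    return (not problems, problems)


def ocsp_command(cafile, issuer, cert, url):
    """The command line from the thread, as an argv list."""
    return ["openssl", "ocsp", "-CAfile", cafile, "-issuer", issuer,
            "-cert", cert, "-url", url]


def run_check(cafile, issuer, cert, url):
    """Run openssl and evaluate its output at the current time (needs network)."""
    proc = subprocess.run(ocsp_command(cafile, issuer, cert, url),
                          capture_output=True, text=True)
    return evaluate(proc.stdout + proc.stderr, datetime.now(timezone.utc))


if __name__ == "__main__":
    when = datetime(2023, 9, 2, tzinfo=timezone.utc)
    for name, sample in (("with -CAfile", GOOD_OUTPUT),
                         ("without -CAfile", FAILED_OUTPUT)):
        ok, problems = evaluate(sample, when)
        print(name, "OK" if ok else "FAIL", problems)
```

For the two cross-signing checks from the thread, `run_check("ca.crt", "ca.crt", "cross-ca.crt", "http://ocsp.ipxe.org/ocsp/root/")` and `run_check("ca.crt", "cross-ca.crt", "cross-gts-root-r4.crt", "http://ocsp.ipxe.org/ocsp/cross/")` would be the calls; a cron job that runs them shortly before the quoted Next Update times expire is what turns the manual checks above into a standing monitor of the OCSP responder.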
