Ulf Wahlqvist | 27 Jul 2010 16:43

OCSP-validation fails

Hi

I'm trying to get Apache to do Client certificate verification with OCSP-validation.
It works without OCSP, but OCSP-validation fails when I turn it on.

The error is "OCSP_check_validity:status too old", but that doesn't make sense because the clocks are within 2 seconds. The client (Apache) says "Mon Jul 26 15:50:06.488292 2010" and the response says "Mon, 26 Jul 2010 13:50:05 GMT", which is the same time.

//// Can there be a problem with comparing timestamps?

A more likely problem might be that the OCSP-responder requires a SIGNED message, but I don't understand how to get Apache to sign it. Some European OCSP-responders seem to accept only signed requests and I'm trying to find out if this is one of them.

//// Will Apache be able to sign OCSP-requests? (In that case, how do I pass the cert/key?)

** my config
************************************************************************************************************************************* 

[root <at> fedoragui logs]# httpd -v
Server version: Apache/2.3.6 (Unix)
Server built:   Jul 16 2010 15:31:39

[root <at> fedoragui logs]# openssl version
OpenSSL 1.0.0a-fips 1 Jun 2010

./configure --enable-ssl

(Continue reading)

Ulf Wahlqvist | 29 Jul 2010 12:56

RE: OCSP-validation fails - UPDATE

I have now verified that if I use openssl directly from the command line it will verify OK. Apparently there is no need for signing the request.

>openssl ocsp -issuer /usr/local/apache2/conf/SITHS_CA_v3.cer -CAfile /usr/local/apache2/conf/SITHS_CA_v3.cer -cert /mnt/download/uwcert.cer -text -url http://ocsp.trust.telia.com
.
.
.
.
Response verify OK
/mnt/download/uwcert.cer: good
	This Update: Jul 29 10:43:41 2010 GMT
	Next Update: Jul 30 10:43:45 2010 GMT

/ulfW

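Added example (Python; not code from the thread, from OpenSSL or from httpd): a model of the four comparisons OpenSSL's OCSP_check_validity() makes when it accepts or rejects a single response, driven by the This Update / Next Update values from the openssl ocsp output above. The verifier compares those two fields against its own clock, allowing a tolerated skew and, optionally, a maximum age; in httpd's mod_ssl the two knobs are SSLOCSPResponseTimeSkew and SSLOCSPResponseMaxAge. "status too old" is the reason attached to the maximum-age test, so it measures how stale the responder's thisUpdate is and can fire while both clocks agree to the second. The moment of the command-line run is an assumption (10:56 GMT, the post's 12:56 CEST timestamp), as are the verifier settings exercised in scenarios().

```python
from datetime import datetime, timedelta, timezone

# Values copied from the "openssl ocsp -text" output quoted in the thread.
THIS_UPDATE = datetime(2010, 7, 29, 10, 43, 41, tzinfo=timezone.utc)
NEXT_UPDATE = datetime(2010, 7, 30, 10, 43, 45, tzinfo=timezone.utc)
# Assumed moment of that run: the post is stamped 12:56 CEST, i.e. 10:56 GMT.
RUN_TIME = datetime(2010, 7, 29, 10, 56, 0, tzinfo=timezone.utc)


def parse_openssl_time(text):
    """Parse the 'Jul 29 10:43:41 2010 GMT' form that openssl ocsp -text prints."""
    return datetime.strptime(text, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def check_validity(this_update, next_update, now, skew_sec=300, max_age_sec=-1):
    """Model of the checks OpenSSL's OCSP_check_validity() applies to one
    SingleResponse (a re-implementation for illustration, not OpenSSL code).

    skew_sec:    tolerated clock difference (mod_ssl: SSLOCSPResponseTimeSkew)
    max_age_sec: maximum age of thisUpdate, -1 for no limit (mod_ssl: SSLOCSPResponseMaxAge)
    Returns the list of OpenSSL reason strings that would be raised; [] means OK.
    """
    problems = []
    skew = timedelta(seconds=skew_sec)

    # thisUpdate may not lie more than `skew` in the future.
    if this_update > now + skew:
        problems.append("status not yet valid")

    # With a maximum age, thisUpdate may not be older than now - max_age.
    # This is the only test that yields "status too old": it depends on how
    # stale the responder's thisUpdate is, not on the two clocks agreeing.
    if max_age_sec >= 0 and this_update < now - timedelta(seconds=max_age_sec):
        problems.append("status too old")

    if next_update is None:  # nextUpdate is OPTIONAL in OCSP
        return problems

    # nextUpdate may not lie more than `skew` in the past.
    if next_update < now - skew:
        problems.append("status expired")

    # nextUpdate may never precede thisUpdate.
    if next_update < this_update:
        problems.append("nextupdate before thisupdate")

    return problems


def scenarios():
    """Run the thread's response through a few (assumed) verifier settings."""
    return {
        # Defaults: 300 s skew, no age limit -> accepted.
        "defaults": check_validity(THIS_UPDATE, NEXT_UPDATE, RUN_TIME),
        # A 5 minute maximum age rejects a thisUpdate that is ~12 minutes old,
        # even though both clocks are correct.
        "max_age_300": check_validity(THIS_UPDATE, NEXT_UPDATE, RUN_TIME, max_age_sec=300),
        # A 1 hour maximum age accepts it again.
        "max_age_3600": check_validity(THIS_UPDATE, NEXT_UPDATE, RUN_TIME, max_age_sec=3600),
        # Verifier clock 7 minutes behind the responder: outside the 300 s skew.
        "clock_behind_420s": check_validity(THIS_UPDATE, NEXT_UPDATE,
                                            THIS_UPDATE - timedelta(seconds=420)),
        # Two days later the response is past nextUpdate.
        "two_days_later": check_validity(THIS_UPDATE, NEXT_UPDATE,
                                         RUN_TIME + timedelta(days=2)),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:18s} -> {result or 'OK'}")
```

When reading a "status too old" in the httpd error log, the field to compare against the server clock is therefore the thisUpdate inside the OCSP response, not a timestamp from the HTTP layer, and SSLOCSPResponseMaxAge (documented default -1, no limit) is the setting that decides how far behind the current time that field may lag.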

Ulf Wahlqvist | 17 Aug 2010 12:47

RE: OCSP-validation fails - Wrong cert passed to OCSP by Apache

I still don't get it. I used Wireshark and found out that the certificate sent to the OCSP-responder is the CA-cert, not the client-cert to be validated! I am clueless.

Online Certificate Status Protocol
    tbsRequest
        requestList: 1 item
            Request
                reqCert
                    hashAlgorithm (SHA-1)
                        Algorithm Id: 1.3.14.3.2.26 (SHA-1)
                    issuerNameHash: 3183A656588CA87A8D663E5721EF4BC860D9EC86
                    issuerKeyHash: 7C2E39233244E80F4E66F20D28FE40BEC2B6E2A0
                    serialNumber : 0x1bd40ed434d1da15a6003015024da46c <- THIS IS THE SERIALNUMBER FOR THE CA-CERT

/ulfW

PS Is this mailing list active? 
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users <at> modssl.org
Automated List Manager                            majordomo <at> modssl.org

Joe Orton | 17 Aug 2010 16:00

Re: OCSP-validation fails - Wrong cert passed to OCSP by Apache

On Tue, Aug 17, 2010 at 12:47:26PM +0200, Ulf Wahlqvist wrote:
> I still don't get it. I used Wireshark and found out that the 
> certificate sent to the OCSP-responder is the CA-cert, not the 
> client-cert to be validated! I am clueless.

The code tries to verify each cert in the client cert chain from issuing CA down to the end-entity client cert with the OCSP responder - this is expected behaviour.

The modssl-users <at> was used for discussion of mod_ssl for Apache httpd 1.3. For discussion of OCSP in httpd 2.3 I'd recommend users <at> httpd.apache.org - file bugs if you think the code is buggy.

http://issues.apache.org/bugzilla/

Regards, Joe

Ulf Wahlqvist | 18 Aug 2010 08:03

RE: OCSP-validation fails - Wrong cert passed to OCSP by Apache

Thanks,

Why didn't I check that? Well, I made it validate correctly by doing a very strange and not usable workaround. I believe something is broken. I followed your suggestion and posted a more complete entry to the users <at> httpd.apache.org list. I will file a bug report if no one can point out any errors I have made.

/ulfW

