Hi Ulf:

My guess is that this isn't an OpenSSL issue, but rather an issue with how the 
Apache devels have implemented OCSP, so the best mailing list to ask about 
these kinds of questions is probably the Apache-devel list.

Have fun.

Patrick.

On July 30, 2010 09:49:10 am Ulf Wahlqvist wrote:
> I'm trying to get Apache to do Client certificate verification with
> OCSP-validation. It works without OCSP, but OCSP-validation fails when I
> turn it on. The error is "OCSP_check_validity:status too old", but that
> doesn't make sense because the clocks are within 2 seconds. I have
> verified that if I use openssl directly from command line it will verify
> OK.
> 
> >openssl ocsp -issuer /usr/local/apache2/conf/SITHS_CA_v3.cer -CAfile /usr/local/apache2/conf/SITHS_CA_v3.cer -cert /mnt/download/uwcert.cer -text -url http://ocsp.trust.telia.com
> 
> .
> .
> .
> .
> Response verify OK
> /mnt/download/uwcert.cer: good
>         This Update: Jul 29 10:43:41 2010 GMT
>         Next Update: Jul 30 10:43:45 2010 GMT
> //// Where do I start looking??
> /ulfW
> 
> ** my config
> *********************************************************************************************************************************
> 
> [r...@fedoragui logs]# httpd -v
> Server version: Apache/2.3.6 (Unix)
> Server built:   Jul 16 2010 15:31:39
> 
> [r...@fedoragui logs]# openssl version
> OpenSSL 1.0.0a-fips 1 Jun 2010
> ./configure --enable-ssl
> 
> http-ssl.conf:
> 
> SSLCACertificateFile "/usr/local/apache2/conf/SITHS_CA_v3.cer"
> SSLCARevocationFile "/usr/local/apache2/conf/crl/SITHS_CA_ver_3.crl"
> SSLVerifyClient require
> SSLVerifyDepth  3
> SSLOCSPEnable on
> SSLOCSPDefaultResponder http://ocsp.trust.telia.com
> #SSLOCSPOverrideResponder on
> 
> ** error_log
> *********************************************************************************************************************************
> 
> [Fri Jul 30 13:36:02.080681 2010] [info] [pid 2826:tid 3061840752] [client 10.0.2.2:1440] Connection to child 0 established (server fedoragui.mydomain.com:443)
> [Fri Jul 30 13:36:02.089466 2010] [debug] [pid 2826:tid 3061840752] ssl_engine_io.c(1175): [client 10.0.2.2:1440] (70014)End of file found: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
> [Fri Jul 30 13:36:02.090049 2010] [info] [pid 2826:tid 3061840752] [client 10.0.2.2:1440] Connection closed to child 0 with abortive shutdown (server fedoragui.mydomain.com:443)
> [Fri Jul 30 13:36:04.549495 2010] [info] [pid 2833:tid 3061840752] [client 10.0.2.2:1441] Connection to child 128 established (server fedoragui.mydomain.com:443)
> [Fri Jul 30 13:36:05.230878 2010] [debug] [pid 2833:tid 3061840752] ssl_util_ocsp.c(79): [client 10.0.2.2:1441] connecting to OCSP responder 'ocsp.trust.telia.com'
> [Fri Jul 30 13:36:05.235845 2010] [debug] [pid 2833:tid 3061840752] ssl_util_ocsp.c(105): [client 10.0.2.2:1441] sending request to OCSP responder
> [Fri Jul 30 13:36:05.257605 2010] [debug] [pid 2833:tid 3061840752] ssl_util_ocsp.c(209): [client 10.0.2.2:1441] OCSP response header: Date: Fri, 30 Jul 2010 13:36:04 GMT
> [Fri Jul 30 13:36:05.257920 2010] [debug] [pid 2833:tid 3061840752] ssl_util_ocsp.c(209): [client 10.0.2.2:1441] OCSP response header: Server: Apache
> [Fri Jul 30 13:36:05.258515 2010] [debug] [pid 2833:tid 3061840752] ssl_util_ocsp.c(209): [client 10.0.2.2:1441] OCSP response header: Content-Length: 1264
> [Fri Jul 30 13:36:05.258767 2010] [debug] [pid 2833:tid 3061840752] ssl_util_ocsp.c(209): [client 10.0.2.2:1441] OCSP response header: Connection: close
> [Fri Jul 30 13:36:05.259001 2010] [debug] [pid 2833:tid 3061840752] ssl_util_ocsp.c(209): [client 10.0.2.2:1441] OCSP response header: Content-Type: application/ocsp-response
> [Fri Jul 30 13:36:05.259743 2010] [debug] [pid 2833:tid 3061840752] ssl_util_ocsp.c(252): [client 10.0.2.2:1441] OCSP response: got 1264 bytes, 1264 total
> [Fri Jul 30 13:36:05.275967 2010] [debug] [pid 2833:tid 3061840752] ssl_util_ocsp.c(235): [client 10.0.2.2:1441] OCSP response: got EOF
> [Fri Jul 30 13:36:05.278741 2010] [error] [pid 2833:tid 3061840752] SSL Library Error: error:2707307F:OCSP routines:OCSP_check_validity:status too old
> [Fri Jul 30 13:36:05.279711 2010] [error] [pid 2833:tid 3061840752] [client 10.0.2.2:1441] Certificate Verification: Error (50): application verification failure
> [Fri Jul 30 13:36:05.282013 2010] [info] [pid 2833:tid 3061840752] [client 10.0.2.2:1441] SSL library error 1 in handshake (server fedoragui.mydomain.com:443)
> [Fri Jul 30 13:36:05.282958 2010] [info] [pid 2833:tid 3061840752] SSL Library Error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
> [Fri Jul 30 13:36:05.285938 2010] [info] [pid 2911:tid 3040861040] [client 10.0.2.2:1444] Connection to child 194 established (server fedoragui.mydomain.com:443)
> [Fri Jul 30 13:36:05.289429 2010] [info] [pid 2833:tid 3061840752] [client 10.0.2.2:1441] Connection closed to child 128 with abortive shutdown (server fedoragui.mydomain.com:443)
> [Fri Jul 30 13:36:05.296438 2010] [info] [pid 2911:tid 3040861040] [client 10.0.2.2:1444] SSL library error 1 in handshake (server fedoragui.mydomain.com:443)
> [Fri Jul 30 13:36:05.300686 2010] [info] [pid 2911:tid 3051350896] [client 10.0.2.2:1445] Connection to child 193 established (server fedoragui.mydomain.com:443)
> [Fri Jul 30 13:36:05.301800 2010] [debug] [pid 2911:tid 3051350896] ssl_engine_io.c(1175): [client 10.0.2.2:1445] (70014)End of file found: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
> [Fri Jul 30 13:36:05.302646 2010] [info] [pid 2911:tid 3051350896] [client 10.0.2.2:1445] Connection closed to child 193 with abortive shutdown (server fedoragui.mydomain.com:443)
> [Fri Jul 30 13:36:05.308392 2010] [info] [pid 2911:tid 3040861040] SSL Library Error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate -- No CAs known to server for verification?
> [Fri Jul 30 13:36:05.308711 2010] [info] [pid 2911:tid 3040861040] [client 10.0.2.2:1444] Connection closed to child 194 with abortive shutdown (server fedoragui.mydomain.com:443)
> 
> /ulfW
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org

-- 
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca
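Added example (not code from this thread, from OpenSSL or from Apache): a small re-implementation of the freshness rules that OpenSSL's OCSP_check_validity(thisupd, nextupd, nsec, maxsec) applies, run against the thisUpdate/nextUpdate values printed by the openssl ocsp command quoted above. The point it makes is that "status too old" is raised only by the maxsec branch (thisUpdate older than the allowed maximum age), which is independent of the nsec clock-skew allowance, so a two-second clock difference between verifier and responder cannot trigger it; nextUpdate lying in the past gives the separate reason "status expired". The "now" clock values below are constructed for illustration; in httpd 2.4's mod_ssl the two parameters are set by SSLOCSPResponseTimeSkew and SSLOCSPResponseMaxAge. The error_log quoted in the thread does not print the thisUpdate/nextUpdate of the response mod_ssl actually received, so this example shows which parameter drives each reason rather than confirming the cause of that particular failure.

```python
from datetime import datetime, timedelta, timezone

# Timestamps copied from the OCSP response quoted in the thread.
THIS_UPDATE = "Jul 29 10:43:41 2010 GMT"
NEXT_UPDATE = "Jul 30 10:43:45 2010 GMT"


def parse_ocsp_time(text):
    """Parse a timestamp in the format 'openssl ocsp -text' prints (UTC)."""
    return datetime.strptime(text, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def check_validity(this_update, next_update, now, nsec=300, maxsec=-1):
    """Simplified re-implementation (not OpenSSL's own code) of the checks in
    OCSP_check_validity(thisupd, nextupd, nsec, maxsec).

    nsec   - clock skew tolerated in either direction, in seconds
    maxsec - maximum age of thisUpdate in seconds; a negative value disables it
    Returns the list of reason strings that would be reported, empty if valid.
    """
    reasons = []
    skew = timedelta(seconds=nsec)
    # thisUpdate may not lie more than nsec in the future (clock-skew guard).
    if this_update > now + skew:
        reasons.append("status not yet valid")
    # thisUpdate may not be older than maxsec. This is the only check that
    # yields "status too old", and it does not involve nsec at all.
    if maxsec >= 0 and this_update < now - timedelta(seconds=maxsec):
        reasons.append("status too old")
    if next_update is None:
        return reasons
    # nextUpdate may not lie more than nsec in the past.
    if next_update < now - skew:
        reasons.append("status expired")
    # nextUpdate must not precede thisUpdate.
    if next_update < this_update:
        reasons.append("nextupdate before thisupdate")
    return reasons


def evaluate_thread_response(now_text, nsec=300, maxsec=-1):
    """Apply the checks to the thread's thisUpdate/nextUpdate values as seen
    from a verifier whose clock reads now_text (same text format)."""
    return check_validity(parse_ocsp_time(THIS_UPDATE),
                          parse_ocsp_time(NEXT_UPDATE),
                          parse_ocsp_time(now_text), nsec, maxsec)


if __name__ == "__main__":
    # Constructed verifier clock values, not taken from the thread's logs,
    # except the last one, which is the responder's Date header in error_log.
    cases = [
        ("Jul 29 10:43:39 2010 GMT", 300, -1),    # verifier 2 s behind responder
        ("Jul 29 12:00:00 2010 GMT", 300, -1),    # shortly after issue, no max age
        ("Jul 29 12:00:00 2010 GMT", 300, 3600),  # same clock, max age of one hour
        ("Jul 30 13:36:04 2010 GMT", 300, -1),    # after nextUpdate has passed
    ]
    for now_text, nsec, maxsec in cases:
        result = evaluate_thread_response(now_text, nsec, maxsec) or ["valid"]
        print(f"now={now_text} nsec={nsec} maxsec={maxsec}: {', '.join(result)}")
```

Running the block prints one line per constructed case: the two-second skew and the default settings pass, a one-hour maximum age turns the same response into "status too old", and a clock past nextUpdate gives "status expired" instead. When debugging a mod_ssl "status too old", the values worth comparing are therefore the response's thisUpdate against the configured maximum age, not the verifier's clock against the responder's.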