Hey all, I am wondering if anyone here could point me in the right direction
or even assist with a problem I am having.

According to RFC 2560:

   All definitive response messages SHALL be digitally signed. The key
   used to sign the response MUST belong to one of the following:

   -- the CA who issued the certificate in question
   *-- a Trusted Responder whose public key is trusted by the requester*
   -- a CA Designated Responder (Authorized Responder) who holds a
      specially marked certificate issued directly by the CA, indicating
      that the responder may issue OCSP responses for that CA

I have Root CA1 (RCA1) and Root CA2 (RCA2). Also, I have Intermediate
Authority 1 (IA1) and Intermediate Authority 2 (IA2). I have an OCSP signing
certificate issued from IA1 (ocsp1).
I have Apache 2.4 configured with trust for rca1, rca2, ia1, ia2 and I am
able to use client authentication to log in with either client cert 1 (cc1)
or Client Cert 2 (cc2).

However, when I enable OCSP it acts differently:
SSLVerifyClient on
SSLVerifyDepth  4
SSLOCSPEnable on
SSLOCSPDefaultResponder http://rsp.domain.com:80/
SSLOCSPOverrideResponder on

I am able to successfully validate cc1 and any other client certificates
issued from ia1.  However, when I try to use cc2, I get the following error:
*SSL Library Error: error:27069070:OCSP routines:OCSP_basic_verify:root ca
not trusted*

Looking at a post in the past:
http://openssl.6102.n7.nabble.com/OCSP-basic-verify-root-ca-not-trusted-td24451.html

it seems that the RFC should allow me to explicitly declare a trusted
responder certificate for the client machine (in this case the client is the
httpd 2.4 server). However, it doesn't seem that mod_ssl allows me to declare
this.

I would like to know:
Am I right in thinking I should be able to do this?
Who currently supports mod_ssl and how would I present a change request?
Does mod_ssl currently support this feature unbeknownst to me?
If not, would anyone be willing to teach me how to modify mod_ssl to support
something like: *'SSLOCSPTrusted_responder
/etc/pki/tls/certs/trustedresponder.pem'*
Other applications like openssl and the CoreStreet desktop validation client
allow you to explicitly configure a trusted responder cert.
e.g.: openssl ocsp -CAfile rca2 -issuer ia2 -cert cc2 -VAfile ocsp1 -url
http://rsp.domain.com:80
cc2: good
        This Update: Jan 14 10:02:14 2014 GMT
        Next Update: Feb 14 10:02:14 2014 GMT



Sent from the OpenSSL - User mailing list archive at Nabble.com.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
