httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 49784] OCSP-validation fails with cert that validates correctly using OpenSSL directly
Date Thu, 19 Aug 2010 15:04:24 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=49784

--- Comment #2 from ulf wahlqvist <ulf.wahlqvist@cybercomgroup.com> 2010-08-19 11:04:21 EDT ---
Description:

Overview:

I'm trying to get Apache to do Client certificate verification with
OCSP-validation.
It works without OCSP, but OCSP-validation fails when I turn it on.
OCSP-validation works when using OpenSSL directly from command-line.
The error is "OCSP_check_validity:status too old", but that doesn't make sense
because the clocks are within 2 seconds. 


Steps to Reproduce:

I use a card-based certificate issued by Telia for use by local government etc.
I'm not using the OCSP-responder address in the certificate's "Authority Info
Access" (http://sithsocsp.trust.telia.com), because it is not reachable from my
system. However, the same responder is reachable using another address
(http://ocsp.trust.telia.com).

I have verified that if I use openssl directly from command line it will verify
OK. 
>openssl ocsp -issuer /usr/local/apache2/conf/SITHS_CA_v3.cer -CAfile 
>/usr/local/apache2/conf/SITHS_CA_v3.cer -cert /mnt/download/uwcert.cer 
>-text -url http://ocsp.trust.telia.com
.
.
Response verify OK
/mnt/download/uwcert.cer: good
        This Update: Jul 29 10:43:41 2010 GMT
        Next Update: Jul 30 10:43:45 2010 GMT

Tests: 

// Logfiles appended //

CASE 1/ If I set:
SSLOCSPDefaultResponder http://ocsp.trust.telia.com
SSLOCSPOverrideResponder on

The validation will fail with "SSL Library Error: error:2707307F:OCSP
routines:OCSP_check_validity:status too old". 
I have set GMT as the timezone and made sure that time is synchronized.
According to the log the time-stamps from my system and the OCSP-responder are
within 1 second.


CASE 2/ If I set:
SSLOCSPDefaultResponder http://ocsp.trust.telia.com

The validation of the first cert in the chain will succeed but the second will
fail with "(110)Connection timed out: could not connect to OCSP responder
'sithsocsp.trust.telia.com'". This is the expected behavior because my computer
does not have access to sithsocsp.trust.telia.com.


CASE 3/ If I set:
SSLOCSPDefaultResponder http://ocsp.trust.telia.com

- Try to authenticate - It will fail as in 2 above.
- Do NOT close the browser (IE, by the way)
- set:
  SSLOCSPDefaultResponder http://ocsp.trust.telia.com
  SSLOCSPOverrideResponder on
- restart using apachectl graceful
- Retry to authenticate - It will now SUCCEED!

I discovered this by accident, but it is reproducible.

Configuration:

[root@fedoragui crl]# uname -a
Linux fedoragui.mydomain.com 2.6.33.5-112.fc13.i686 #1 SMP Thu May 27 03:11:56
UTC 2010 i686 i686 i386 GNU/Linux

[root@fedoragui logs]# httpd -v
Server version: Apache/2.3.6 (Unix)
Server built:   Jul 16 2010 15:31:39

[root@fedoragui logs]# openssl version
OpenSSL 1.0.0a-fips 1 Jun 2010

Apache configuration:
./configure --enable-ssl

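The "status too old" reason string in the report is produced by OpenSSL's OCSP_check_validity(), which applies a time window to the thisUpdate/nextUpdate fields of the OCSP response. The following Python script is an added example (not code from the bug report, httpd or OpenSSL) that models that window check as I read it from OpenSSL's source: `nsec` is the tolerated clock skew and `maxsec` the maximum age of thisUpdate, with -1 meaning unlimited. In mod_ssl these correspond, to my knowledge, to the SSLOCSPResponseTimeSkew and SSLOCSPResponseMaxAge directives, neither of which appears in the report; the exact defaults in httpd 2.3.6 are not stated here and are not assumed by the code. The two timestamps are the ones printed by the reporter's `openssl ocsp -text` run; the "now" values are constructed.

```python
"""Model of OpenSSL's OCSP_check_validity() window checks (added example).

thisUpdate / nextUpdate are the two timestamps from an OCSP single response.
nsec   = allowed clock skew in seconds
maxsec = maximum age of thisUpdate in seconds, -1 = unlimited
"""
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Reason strings chosen to mirror the OpenSSL reason strings that appear in
# mod_ssl error logs, e.g. "OCSP_check_validity:status too old".
STATUS_NOT_YET_VALID = "status not yet valid"
STATUS_TOO_OLD = "status too old"
STATUS_EXPIRED = "status expired"
NEXTUPDATE_BEFORE_THISUPDATE = "nextupdate before thisupdate"


def check_validity(this_update: datetime, next_update: Optional[datetime],
                   now: datetime, nsec: int = 300, maxsec: int = -1) -> List[str]:
    """Return the list of validity errors for one OCSP single response.

    An empty list means the response is within the accepted time window.
    The order of checks follows OpenSSL's OCSP_check_validity() as I read it.
    """
    errors: List[str] = []
    # thisUpdate may not lie more than nsec seconds in the future.
    if this_update > now + timedelta(seconds=nsec):
        errors.append(STATUS_NOT_YET_VALID)
    # If maxsec >= 0, thisUpdate may not lie more than maxsec seconds in the
    # past. With maxsec == 0 any response whose thisUpdate precedes "now"
    # (even by the 2 s skew mentioned in the report) is rejected as too old.
    if maxsec >= 0 and this_update < now - timedelta(seconds=maxsec):
        errors.append(STATUS_TOO_OLD)
    if next_update is None:
        return errors
    # nextUpdate may not lie more than nsec seconds in the past.
    if next_update < now - timedelta(seconds=nsec):
        errors.append(STATUS_EXPIRED)
    # nextUpdate may never precede thisUpdate.
    if next_update < this_update:
        errors.append(NEXTUPDATE_BEFORE_THISUPDATE)
    return errors


def parse_openssl_time(text: str) -> datetime:
    """Parse the 'Jul 29 10:43:41 2010 GMT' form printed by `openssl ocsp -text`."""
    return datetime.strptime(text, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


# Timestamps copied from the openssl output quoted in the report.
THIS_UPDATE = parse_openssl_time("Jul 29 10:43:41 2010 GMT")
NEXT_UPDATE = parse_openssl_time("Jul 30 10:43:45 2010 GMT")


def explain_at(offset_seconds: int, nsec: int = 300, maxsec: int = -1) -> str:
    """Evaluate the report's response with the verifier clock at
    thisUpdate + offset_seconds (constructed 'now'); returns "OK" or the
    semicolon-joined reason strings."""
    now = THIS_UPDATE + timedelta(seconds=offset_seconds)
    errs = check_validity(THIS_UPDATE, NEXT_UPDATE, now, nsec, maxsec)
    return "OK" if not errs else "; ".join(errs)


if __name__ == "__main__":
    # Clocks 2 s apart, unlimited max age: accepted.
    print(explain_at(2, 300, -1))
    # Same response checked an hour later with a 10-minute max age.
    print(explain_at(3600, 300, 600))
    # Checked two days later, after nextUpdate has passed.
    print(explain_at(2 * 86400, 300, -1))
```

Running the script shows which of the three windows a given responder timestamp falls out of; comparing the logged thisUpdate/nextUpdate against the server's own clock and its configured skew and max-age values is the check to make before blaming clock synchronisation.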
