httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 49784] OCSP-validation fails with cert that validates correctly using OpenSSL directly
Date Fri, 27 Aug 2010 15:23:54 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=49784

--- Comment #4 from ulf wahlqvist <ulf.wahlqvist@cybercomgroup.com> 2010-08-27 11:23:50 EDT ---
(In reply to comment #3)
> (In reply to comment #2)
> > 
> > I have verified that if I use openssl directly from command line it will verify
> > OK. 
> > >openssl ocsp -issuer /usr/local/apache2/conf/SITHS_CA_v3.cer -CAfile 
> > >/usr/local/apache2/conf/SITHS_CA_v3.cer -cert /mnt/download/uwcert.cer 
> > >-text -url http://ocsp.trust.telia.com
> > .
> > .
> > Response verify OK
> > /mnt/download/uwcert.cer: good
> >         This Update: Jul 29 10:43:41 2010 GMT
> >         Next Update: Jul 30 10:43:45 2010 GMT
> > 
> 
> The (currently fixed) parameters set in Apache for OCSP response validation
> require that This Update is not more than 10 minutes in the past. Check the
> command line switch -status_age 360 with openssl and see if you get the same
> error.

You were right - that is the problem:

[root@fedoragui crl]# openssl ocsp -issuer
/usr/local/apache2/conf/SITHS_CA_v3.cer -CAfile
/usr/local/apache2/conf/SITHS_CA_v3.cer -cert /mnt/download/uwcert.cer -text
-url http://ocsp.trust.telia.com -status_age 360
.
.
.
Response verify OK
/mnt/download/uwcert.cer: WARNING: Status times invalid.
3079378652:error:2707307F:OCSP routines:OCSP_check_validity:status too
old:ocsp_cl.c:338:
good
    This Update: Aug 27 14:13:55 2010 GMT
    Next Update: Aug 28 14:13:58 2010 GMT
[root@fedoragui crl]# date
Fri Aug 27 14:49:36 GMT 2010

I then tested with -validity_period 60 and it works:

[root@fedoragui crl]# openssl ocsp -issuer
/usr/local/apache2/conf/SITHS_CA_v3.cer -CAfile
/usr/local/apache2/conf/SITHS_CA_v3.cer -cert /mnt/download/uwcert.cer -text
-url http://ocsp.trust.telia.com -validity_period 60
.
.
.
Response verify OK
/mnt/download/uwcert.cer: good
    This Update: Aug 27 14:13:55 2010 GMT
    Next Update: Aug 28 14:13:58 2010 GMT
[root@fedoragui crl]# openssl ocsp -issuer
/usr/local/apache2/conf/SITHS_CA_v3.cer -CAfile
/usr/local/apache2/conf/SITHS_CA_v3.cer -cert /mnt/download/uwcert.cer -text
-url http://ocsp.trust.telia.com -validity_period 60

I thought that -status_age was the same as -validity_period, but I now suspect
that -validity_period is how old the response is and -status_age is "when the
CRL list that the responder is using was timestamped". I then waited until I
got another "This Update" timestamp and got the successful verification and
also SUCCEEDED in AUTHENTICATING in my browser.

[root@fedoragui crl]# openssl ocsp -issuer
/usr/local/apache2/conf/SITHS_CA_v3.cer -CAfile
/usr/local/apache2/conf/SITHS_CA_v3.cer -cert /mnt/download/uwcert.cer -text
-url http://ocsp.trust.telia.com -status_age 360

Response verify OK
/mnt/download/uwcert.cer: good
    This Update: Aug 27 14:51:18 2010 GMT
    Next Update: Aug 28 14:51:21 2010 GMT
[root@fedoragui crl]# date
Fri Aug 27 14:55:07 GMT 2010


The 10-minute limit is definitely a problem for me, because "This Update" is
updated infrequently:

This Update: Aug 27 13:55:10 2010 GMT
This Update: Aug 27 14:13:55 2010 GMT
This Update: Aug 27 14:51:18 2010 GMT

I guess that it is updated "on demand", when something changes and not
periodically.
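Added example, not part of the bug report or of the OpenSSL/httpd code: a Python model of the freshness check behind the "status too old" error quoted above, written to follow the rules of OpenSSL's OCSP_check_validity() as I understand them (nsec is the skew leeway set by -validity_period, maxsec the maximum thisUpdate age set by -status_age), replayed against the timestamps in this comment. The clock for the second run is assumed to be the same `date` output as for the first.

```python
from datetime import datetime, timedelta, timezone

GMT_FMT = "%b %d %H:%M:%S %Y GMT"  # format of the "This Update" lines above


def parse_gmt(text):
    """Parse a timestamp as printed by openssl ocsp -text, e.g. 'Aug 27 14:13:55 2010 GMT'."""
    return datetime.strptime(text, GMT_FMT).replace(tzinfo=timezone.utc)


def check_validity(this_update, next_update, now, nsec=300, maxsec=-1):
    """Model of OpenSSL's OCSP_check_validity() (assumption: same order of checks).
    nsec   = clock-skew leeway in seconds (-validity_period, 5 minutes by default)
    maxsec = maximum age of thisUpdate in seconds (-status_age; a negative value,
             the default, disables the age check entirely)
    Returns (ok, reason); the reason strings mirror the library's error texts."""
    leeway = timedelta(seconds=nsec)
    if this_update > now + leeway:
        return False, "status not yet valid"
    if maxsec >= 0 and this_update < now - timedelta(seconds=maxsec):
        return False, "status too old"
    if next_update is not None:
        if next_update < now - leeway:
            return False, "status expired"
        if next_update < this_update:
            return False, "nextupdate before thisupdate"
    return True, "ok"


def replay_comment_runs():
    """Replay the three openssl ocsp runs quoted in the comment with its own
    timestamps (constructed from the bug text; 'now' comes from the `date` output)."""
    runs = [
        # (thisUpdate, nextUpdate, local clock, nsec, maxsec)
        ("Aug 27 14:13:55 2010 GMT", "Aug 28 14:13:58 2010 GMT",
         "Aug 27 14:49:36 2010 GMT", 300, 360),   # -status_age 360: ~36 min old
        ("Aug 27 14:13:55 2010 GMT", "Aug 28 14:13:58 2010 GMT",
         "Aug 27 14:49:36 2010 GMT", 60, -1),     # -validity_period 60: no age cap
        ("Aug 27 14:51:18 2010 GMT", "Aug 28 14:51:21 2010 GMT",
         "Aug 27 14:55:07 2010 GMT", 300, 360),   # -status_age 360: ~4 min old
    ]
    return [check_validity(parse_gmt(t), parse_gmt(n), parse_gmt(c), nsec, maxsec)
            for t, n, c, nsec, maxsec in runs]


if __name__ == "__main__":
    for ok, reason in replay_comment_runs():
        print("OK  " if ok else "FAIL", reason)
```

The replay shows why a fixed maximum age only works when the responder refreshes thisUpdate more often than that age; otherwise every response older than the cap is rejected even though it verifies and is within its nextUpdate window.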


