
#1: OCSP-validation fails

Posted on 2010-07-27 16:43:02 by Ulf Wahlqvist

Hi


I'm trying to get Apache to do Client certificate verification with OCSP-validation.
It works without OCSP, but OCSP-validation fails when I turn it on.

The error is "OCSP_check_validity:status too old", but that doesn't make sense because the clocks are within 2 seconds.
The client (Apache) says "Mon Jul 26 15:50:06.488292 2010" and the response says "Mon, 26 Jul 2010 13:50:05 GMT" which is the same time.

//// Can there be a problem with comparing timestamps?

A more likely problem might be that the OCSP-responder requires a SIGNED message, but I don't understand how to get Apache to sign it. Some European OCSP-responders seem to accept only signed requests and I'm trying to find out if this is one of them.

//// Will Apache be able to sign OCSP-requests (in that case - how do I pass the cert/key)?

** my config *********************************************************************************

[root@fedoragui logs]# httpd -v
Server version: Apache/2.3.6 (Unix)
Server built:   Jul 16 2010 15:31:39

[root@fedoragui logs]# openssl version
OpenSSL 1.0.0a-fips 1 Jun 2010

../configure --enable-ssl


** error_log *********************************************************************************

[Mon Jul 26 15:50:05.782378 2010] [info] [pid 9164:tid 3053448048] [client 10.0.2.2:2112] Connection to child 193 established (server fedoragui.mydomain.com:443)
[Mon Jul 26 15:50:06.461652 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(79): [client 10.0.2.2:2112] connecting to OCSP responder 'ocsp.trust.telia.com'
[Mon Jul 26 15:50:06.466167 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(105): [client 10.0.2.2:2112] sending request to OCSP responder
[Mon Jul 26 15:50:06.488292 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(209): [client 10.0.2.2:2112] OCSP response header: Date: Mon, 26 Jul 2010 13:50:05 GMT
[Mon Jul 26 15:50:06.493946 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(209): [client 10.0.2.2:2112] OCSP response header: Server: Apache
[Mon Jul 26 15:50:06.494352 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(209): [client 10.0.2.2:2112] OCSP response header: Content-Length: 1264
[Mon Jul 26 15:50:06.494828 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(209): [client 10.0.2.2:2112] OCSP response header: Connection: close
[Mon Jul 26 15:50:06.495071 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(209): [client 10.0.2.2:2112] OCSP response header: Content-Type: application/ocsp-response
[Mon Jul 26 15:50:06.495303 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(252): [client 10.0.2.2:2112] OCSP response: got 1264 bytes, 1264 total
[Mon Jul 26 15:50:06.498272 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(235): [client 10.0.2.2:2112] OCSP response: got EOF
[Mon Jul 26 15:50:06.500184 2010] [error] [pid 9164:tid 3053448048] SSL Library Error: error:2707307F:OCSP routines:OCSP_check_validity:status too old
[Mon Jul 26 15:50:06.504012 2010] [error] [pid 9164:tid 3053448048] [client 10.0.2.2:2112] Certificate Verification: Error (50): application verification failure
[Mon Jul 26 15:50:06.504430 2010] [info] [pid 9164:tid 3053448048] [client 10.0.2.2:2112] SSL library error 1 in handshake (server fedoragui.mydomain.com:443)

/ulfW

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org


#2: RE: OCSP-validation fails - UPDATE

Posted on 2010-07-29 12:56:45 by Ulf Wahlqvist

I have now verified that if I use openssl directly from command line it will verify OK. Apparently there is no need for signing the request.

>openssl ocsp -issuer /usr/local/apache2/conf/SITHS_CA_v3.cer -CAfile /usr/local/apache2/conf/SITHS_CA_v3.cer -cert /mnt/download/uwcert.cer -text -url http://ocsp.trust.telia.com
..
..
..
..
Response verify OK
/mnt/download/uwcert.cer: good
This Update: Jul 29 10:43:41 2010 GMT
Next Update: Jul 30 10:43:45 2010 GMT

/ulfW




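The "status too old" reason in message #1 is the string OpenSSL's OCSP_check_validity() attaches to its maximum-age check on thisUpdate; the same function also rejects a thisUpdate too far in the future, a nextUpdate too far in the past, or a nextUpdate that precedes thisUpdate, each with a clock-skew allowance (nsec) and an optional maximum age (maxsec). The following added Python example is not code from the thread, httpd or OpenSSL: it reimplements those four checks, parses the timestamps as `openssl ocsp -text` prints them in message #2 and as the HTTP Date header appears in the message #1 log, and runs them against a sample response text constructed from the values in message #2.

```python
"""Freshness checks for an OCSP response, mirroring OpenSSL's OCSP_check_validity().

Added example (not code from the thread, httpd or OpenSSL). It parses the
timestamps printed by `openssl ocsp -text` and the HTTP Date header that
mod_ssl logs, then applies the same checks OpenSSL applies with its
nsec (clock-skew allowance) and maxsec (maximum age, negative = unlimited) arguments.
"""
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# "Jul 29 10:43:41 2010 GMT"  (as printed by `openssl ocsp -text`, message #2)
_OCSP_TEXT_FMT = "%b %d %H:%M:%S %Y GMT"
# "Mon, 26 Jul 2010 13:50:05 GMT"  (HTTP Date header in the mod_ssl log, message #1)
_HTTP_DATE_FMT = "%a, %d %b %Y %H:%M:%S GMT"


def parse_ocsp_time(text: str) -> datetime:
    """Parse either timestamp format into a timezone-aware UTC datetime."""
    for fmt in (_OCSP_TEXT_FMT, _HTTP_DATE_FMT):
        try:
            return datetime.strptime(text.strip(), fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised OCSP timestamp: {text!r}")


def check_validity(this_update: datetime, next_update: Optional[datetime], now: datetime,
                   nsec: int = 300, maxsec: int = -1) -> List[str]:
    """Return the list of failed checks; an empty list means the response is fresh.

    Same rules as OCSP_check_validity(thisupd, nextupd, nsec, maxsec):
      thisUpdate more than nsec seconds in the future    -> "status not yet valid"
      thisUpdate older than maxsec seconds (if >= 0)     -> "status too old"
      nextUpdate more than nsec seconds in the past      -> "status expired"
      nextUpdate earlier than thisUpdate                 -> "nextupdate before thisupdate"
    """
    skew = timedelta(seconds=nsec)
    problems: List[str] = []
    if this_update > now + skew:
        problems.append("status not yet valid")
    if maxsec >= 0 and this_update < now - timedelta(seconds=maxsec):
        problems.append("status too old")
    if next_update is not None:
        if next_update < now - skew:
            problems.append("status expired")
        if next_update < this_update:
            problems.append("nextupdate before thisupdate")
    return problems


def freshness_from_ocsp_text(output: str, now: datetime, **limits) -> List[str]:
    """Pull 'This Update' / 'Next Update' out of `openssl ocsp -text` output and check them."""
    this_update = next_update = None
    for line in output.splitlines():
        key, _, value = line.partition(":")  # first colon ends the field name
        if key.strip() == "This Update":
            this_update = parse_ocsp_time(value)
        elif key.strip() == "Next Update":
            next_update = parse_ocsp_time(value)
    if this_update is None:
        raise ValueError("no 'This Update' field found in the response text")
    return check_validity(this_update, next_update, now, **limits)


# Constructed sample, built from the values shown in message #2 of the thread.
SAMPLE_OCSP_TEXT = """\
Response verify OK
/mnt/download/uwcert.cer: good
This Update: Jul 29 10:43:41 2010 GMT
Next Update: Jul 30 10:43:45 2010 GMT
"""

if __name__ == "__main__":
    scenarios = [
        ("inside the window", "Jul 29 12:00:00 2010 GMT", {}),
        ("after nextUpdate", "Jul 31 00:00:00 2010 GMT", {}),
        ("1h max age set", "Jul 29 12:00:00 2010 GMT", {"maxsec": 3600}),
        ("responder Date from message #1", "Mon, 26 Jul 2010 13:50:05 GMT", {}),
    ]
    for label, when, limits in scenarios:
        result = freshness_from_ocsp_text(SAMPLE_OCSP_TEXT, parse_ocsp_time(when), **limits)
        print(f"{label:32} {result or 'fresh'}")
```

In mod_ssl the two limits are exposed as the SSLOCSPResponseTimeSkew (nsec, default 300 seconds) and SSLOCSPResponseMaxAge (maxsec, default -1, no limit) directives. Feeding the responder's own Date header, as the message #1 log shows it, in place of the local clock is a quick way to separate a clock-offset problem on the server from a genuinely stale response.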

#3: RE: OCSP-validation fails - Wrong cert passed to OCSP by Apache

Posted on 2010-08-17 12:47:26 by Ulf Wahlqvist

I still don't get it. I used Wireshark and found out that the certificate sent to the OCSP-responder is the CA-cert, not the client-cert to be validated! I am clueless.


Online Certificate Status Protocol
    tbsRequest
        requestList: 1 item
            Request
                reqCert
                    hashAlgorithm (SHA-1)
                        Algorithm Id: 1.3.14.3.2.26 (SHA-1)
                    issuerNameHash: 3183A656588CA87A8D663E5721EF4BC860D9EC86
                    issuerKeyHash: 7C2E39233244E80F4E66F20D28FE40BEC2B6E2A0
                    serialNumber : 0x1bd40ed434d1da15a6003015024da46c <- THIS IS THE SERIALNUMBER FOR THE CA-CERT

/ulfW

PS Is this mailing list active?

Report this message

#4: Re: OCSP-validation fails - Wrong cert passed to OCSP by Apache

Posted on 2010-08-17 16:00:38 by Joe Orton

On Tue, Aug 17, 2010 at 12:47:26PM +0200, Ulf Wahlqvist wrote:
> I still don't get it. I used Wireshark and found out that the
> certificate sent to the OCSP-responder is the CA-cert, not the
> client-cert to be validated! I am clueless.

The code tries to verify each cert in the client cert chain from issuing
CA down to the end-entity client cert with the OCSP responder - this is
expected behaviour.

The modssl-users@ was used for discussion of mod_ssl for Apache httpd
1.3. For discussion of OCSP in httpd 2.3 I'd recommend
users@httpd.apache.org - file bugs if you think the code is buggy.

http://issues.apache.org/bugzilla/

Regards, Joe

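Joe's reply explains why the captured request in message #3 names the CA certificate: mod_ssl queries the responder for each member of the client's chain. What a captured OCSP request is about is fully determined by its CertID (hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber), so decoding that structure and matching the serial against the chain is the check to run when the queried certificate is in doubt. The following added Python example is not code from the thread, httpd or OpenSSL: it builds and decodes an unsigned, single-certificate OCSPRequest with small stdlib-only DER helpers. The two hashes and the CA serial are the values shown in the Wireshark dump in message #3; the client-certificate serial in the sample chain map is a constructed placeholder.

```python
"""Build and decode the CertID of an OCSP request (RFC 6960) with stdlib-only DER helpers.

Added example, not code from the thread, httpd or OpenSSL. Request shape seen in
message #3: OCSPRequest > tbsRequest > requestList > Request > reqCert (CertID).
issuerNameHash is SHA-1 over the DER-encoded issuer Name and issuerKeyHash is SHA-1
over the issuer's subjectPublicKey bits; with the serial they pin down one certificate.
"""
from typing import Dict, List, Tuple

SHA1_OID = "1.3.14.3.2.26"


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def _der_int(value: int) -> bytes:
    # Non-negative INTEGER, minimal two's-complement length (leading 0x00 when the top bit is set).
    return value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True)

def _der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:  # base-128, high bit set on all but the last byte of an arc
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def _oid_to_dotted(raw: bytes) -> str:
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, contents, position just after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next (length & 0x7F) bytes hold the real length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def build_ocsp_request(issuer_name_hash: bytes, issuer_key_hash: bytes, serial: int) -> bytes:
    """Encode an unsigned OCSPRequest for one certificate (version v1 is DEFAULT, so omitted)."""
    hash_alg = _tlv(0x30, _tlv(0x06, _der_oid(SHA1_OID)) + _tlv(0x05, b""))  # AlgorithmIdentifier
    cert_id = _tlv(0x30, hash_alg + _tlv(0x04, issuer_name_hash)
                   + _tlv(0x04, issuer_key_hash) + _tlv(0x02, _der_int(serial)))
    request = _tlv(0x30, cert_id)                   # Request ::= SEQUENCE { reqCert CertID }
    tbs_request = _tlv(0x30, _tlv(0x30, request))   # TBSRequest { requestList SEQUENCE OF Request }
    return _tlv(0x30, tbs_request)                  # OCSPRequest without optionalSignature

def parse_ocsp_request(der: bytes) -> List[Dict[str, object]]:
    """Return one dict per Request in the requestList with its CertID fields decoded."""
    _, ocsp_request, _ = _read_tlv(der, 0)
    _, tbs_request, _ = _read_tlv(ocsp_request, 0)
    pos, request_list = 0, None
    while pos < len(tbs_request):  # skip optional [0] version / [1] requestorName
        tag, body, pos = _read_tlv(tbs_request, pos)
        if tag == 0x30:
            request_list = body
            break
    if request_list is None:
        raise ValueError("no requestList in TBSRequest")
    results, pos = [], 0
    while pos < len(request_list):
        _, request, pos = _read_tlv(request_list, pos)
        _, cert_id, _ = _read_tlv(request, 0)            # reqCert
        _, hash_alg, q = _read_tlv(cert_id, 0)
        _, oid, _ = _read_tlv(hash_alg, 0)
        _, name_hash, q = _read_tlv(cert_id, q)
        _, key_hash, q = _read_tlv(cert_id, q)
        _, serial, _ = _read_tlv(cert_id, q)
        results.append({"hash_algorithm": _oid_to_dotted(oid),
                        "issuer_name_hash": name_hash.hex().upper(),
                        "issuer_key_hash": key_hash.hex().upper(),
                        "serial": int.from_bytes(serial, "big", signed=True)})
    return results

def which_certs_are_queried(der: bytes, chain: Dict[int, str]) -> List[str]:
    """Label every queried serial with the chain member that carries it."""
    return [chain.get(entry["serial"], "unknown serial") for entry in parse_ocsp_request(der)]


# Values from the Wireshark dump in message #3 (the request mod_ssl sent for the CA cert).
ISSUER_NAME_HASH = bytes.fromhex("3183A656588CA87A8D663E5721EF4BC860D9EC86")
ISSUER_KEY_HASH = bytes.fromhex("7C2E39233244E80F4E66F20D28FE40BEC2B6E2A0")
CA_SERIAL = 0x1BD40ED434D1DA15A6003015024DA46C
# Constructed chain map: the CA serial is the thread's, the client-cert serial is a placeholder.
SAMPLE_CHAIN = {CA_SERIAL: "SITHS_CA_v3.cer (issuing CA)",
                0x0102030405060708: "uwcert.cer (client cert, placeholder serial)"}
SAMPLE_REQUEST = build_ocsp_request(ISSUER_NAME_HASH, ISSUER_KEY_HASH, CA_SERIAL)

if __name__ == "__main__":
    print(parse_ocsp_request(SAMPLE_REQUEST))
    print(which_certs_are_queried(SAMPLE_REQUEST, SAMPLE_CHAIN))
```

To apply this to a capture like the one in message #3, export the OCSP request body from Wireshark as raw bytes and pass it to `parse_ocsp_request`; build the chain map from the serials of the CA and end-entity certificates, and each request the server sends will resolve to one of them, which is the quickest way to confirm Joe's description that the whole chain is queried rather than a single certificate.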

#5: RE: OCSP-validation fails - Wrong cert passed to OCSP by Apache

Posted on 2010-08-18 08:03:44 by Ulf Wahlqvist

Thanks,

Why didn't I check that? Well, I made it validate correctly by doing a very strange and not usable workaround. I believe something is broken.
I followed your suggestion and posted a more complete entry to the users@httpd.apache.org list. I will file a bug report if no one can point out any errors I have made.

/ulfW
