OCSP-validation fails

on 27.07.2010 16:43:02 by Ulf Wahlqvist

Hi


I'm trying to get Apache to do client certificate verification with OCSP validation.
It works without OCSP, but OCSP validation fails when I turn it on.

The error is "OCSP_check_validity:status too old", but that doesn't make sense because the clocks are within 2 seconds.
The client (Apache) says "Mon Jul 26 15:50:06.488292 2010" and the response says "Mon, 26 Jul 2010 13:50:05 GMT", which is the same time.

//// Can there be a problem with comparing timestamps?

A more likely problem might be that the OCSP responder requires a SIGNED message, but I don't understand how to get Apache to sign it. Some European OCSP responders seem to accept only signed requests and I'm trying to find out if this is one of them.

//// Will Apache be able to sign OCSP requests? (In that case, how do I pass the cert/key?)

** my config ********************************************************************

[root@fedoragui logs]# httpd -v
Server version: Apache/2.3.6 (Unix)
Server built:   Jul 16 2010 15:31:39

[root@fedoragui logs]# openssl version
OpenSSL 1.0.0a-fips 1 Jun 2010

../configure --enable-ssl


** error_log ********************************************************************

[Mon Jul 26 15:50:05.782378 2010] [info] [pid 9164:tid 3053448048] [client 10.0.2.2:2112] Connection to child 193 established (server fedoragui.mydomain.com:443)
[Mon Jul 26 15:50:06.461652 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(79): [client 10.0.2.2:2112] connecting to OCSP responder 'ocsp.trust.telia.com'
[Mon Jul 26 15:50:06.466167 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(105): [client 10.0.2.2:2112] sending request to OCSP responder
[Mon Jul 26 15:50:06.488292 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(209): [client 10.0.2.2:2112] OCSP response header: Date: Mon, 26 Jul 2010 13:50:05 GMT
[Mon Jul 26 15:50:06.493946 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(209): [client 10.0.2.2:2112] OCSP response header: Server: Apache
[Mon Jul 26 15:50:06.494352 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(209): [client 10.0.2.2:2112] OCSP response header: Content-Length: 1264
[Mon Jul 26 15:50:06.494828 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(209): [client 10.0.2.2:2112] OCSP response header: Connection: close
[Mon Jul 26 15:50:06.495071 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(209): [client 10.0.2.2:2112] OCSP response header: Content-Type: application/ocsp-response
[Mon Jul 26 15:50:06.495303 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(252): [client 10.0.2.2:2112] OCSP response: got 1264 bytes, 1264 total
[Mon Jul 26 15:50:06.498272 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(235): [client 10.0.2.2:2112] OCSP response: got EOF
[Mon Jul 26 15:50:06.500184 2010] [error] [pid 9164:tid 3053448048] SSL Library Error: error:2707307F:OCSP routines:OCSP_check_validity:status too old
[Mon Jul 26 15:50:06.504012 2010] [error] [pid 9164:tid 3053448048] [client 10.0.2.2:2112] Certificate Verification: Error (50): application verification failure
[Mon Jul 26 15:50:06.504430 2010] [info] [pid 9164:tid 3053448048] [client 10.0.2.2:2112] SSL library error 1 in handshake (server fedoragui.mydomain.com:443)

/ulfW

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

RE: OCSP-validation fails - UPDATE

on 29.07.2010 12:56:45 by Ulf Wahlqvist

I have now verified that if I use openssl directly from the command line it will verify OK. Apparently there is no need for signing the request.

>openssl ocsp -issuer /usr/local/apache2/conf/SITHS_CA_v3.cer -CAfile /usr/local/apache2/conf/SITHS_CA_v3.cer -cert /mnt/download/uwcert.cer -text -url http://ocsp.trust.telia.com
..
..
..
..
Response verify OK
/mnt/download/uwcert.cer: good
This Update: Jul 29 10:43:41 2010 GMT
Next Update: Jul 30 10:43:45 2010 GMT

/ulfW



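The "status too old" error in the first message and the This Update / Next Update lines in the command output above are two views of the same check. The script below is an added example, not code from the thread, from httpd or from OpenSSL: it parses the update times the way `openssl ocsp -text` prints them and applies the freshness rules that OpenSSL's OCSP_check_validity() enforces, with the allowed clock skew (nsec) and the maximum age of thisUpdate (maxsec) as parameters. In current httpd those two parameters are exposed as the SSLOCSPResponseTimeSkew and SSLOCSPResponseMaxAge directives; the thread does not show what the 2.3.6 build used, so treat that mapping as an assumption to verify against the running configuration. The sample response text is constructed from the values in the message.

```python
"""
Added example (not code from the thread, httpd or OpenSSL): parse the update
times 'openssl ocsp -text' prints and apply the same freshness rules that
OpenSSL's OCSP_check_validity() enforces, to show what "status too old" compares.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample, modelled on the command output in the UPDATE message
SAMPLE_OCSP_TEXT = """\
Response verify OK
/mnt/download/uwcert.cer: good
This Update: Jul 29 10:43:41 2010 GMT
Next Update: Jul 30 10:43:45 2010 GMT
"""

_UPDATE_LINE = re.compile(
    r"^(This|Next) Update: (\w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) GMT$", re.M)


def parse_update_times(text):
    """Return (thisUpdate, nextUpdate) as UTC datetimes; nextUpdate is None if absent."""
    found = {}
    for which, stamp in _UPDATE_LINE.findall(text):
        found[which] = datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    if "This" not in found:
        raise ValueError("response text has no thisUpdate")
    return found["This"], found.get("Next")


def check_validity(this_upd, next_upd, nsec, maxsec, now):
    """
    Same rules as OpenSSL's OCSP_check_validity(thisupd, nextupd, nsec, maxsec):
      - thisUpdate may be at most nsec seconds in the future (clock skew allowance)
      - if maxsec >= 0, thisUpdate may be at most maxsec seconds old   -> "status too old"
      - nextUpdate may be at most nsec seconds in the past            -> "status expired"
      - nextUpdate must not precede thisUpdate
    Returns the list of failures; an empty list means the response is acceptable.
    Note that the HTTP Date header of the response plays no part in this.
    """
    failures = []
    if this_upd > now + timedelta(seconds=nsec):
        failures.append("status not yet valid")
    if maxsec >= 0 and this_upd < now - timedelta(seconds=maxsec):
        failures.append("status too old")
    if next_upd is not None:
        if next_upd < now - timedelta(seconds=nsec):
            failures.append("status expired")
        if next_upd < this_upd:
            failures.append("nextupdate before thisupdate")
    return failures


def demo():
    """Evaluate the sample response under different skew / max-age settings."""
    this_upd, next_upd = parse_update_times(SAMPLE_OCSP_TEXT)
    # 'now' is taken 2 s after thisUpdate: clocks agree to within seconds, as in the thread.
    now = this_upd + timedelta(seconds=2)
    return {
        # max age unlimited: only the skew and nextUpdate rules apply
        "unlimited_max_age": check_validity(this_upd, next_upd, 300, -1, now),
        # max age 0: any thisUpdate older than 'now' fails, however well the clocks agree
        "zero_max_age": check_validity(this_upd, next_upd, 300, 0, now),
        # client clock 10 minutes behind the responder: beyond the 300 s skew allowance
        "client_clock_behind": check_validity(this_upd, next_upd, 300, -1, now - timedelta(seconds=600)),
        # 36 hours later the response has passed nextUpdate
        "past_next_update": check_validity(this_upd, next_upd, 300, -1, now + timedelta(hours=36)),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result or 'OK'}")
```

The point to take from it: "status too old" is raised when thisUpdate is older than maxsec, regardless of how closely the client clock and the responder's Date header agree; a max age of zero rejects every response the responder did not generate at that very moment, while an unlimited max age accepts any response until nextUpdate has passed (plus the skew allowance). When tuning this on a server, set a max age no smaller than the responder's refresh interval, otherwise a revocation check is traded for handshake failures.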

RE: OCSP-validation fails - Wrong cert passed to OCSP by Apache

on 17.08.2010 12:47:26 by Ulf Wahlqvist

I still don't get it. I used Wireshark and found out that the certificate sent to the OCSP responder is the CA cert, not the client cert to be validated! I am clueless.


Online Certificate Status Protocol
  tbsRequest
    requestList: 1 item
      Request
        reqCert
          hashAlgorithm (SHA-1)
            Algorithm Id: 1.3.14.3.2.26 (SHA-1)
          issuerNameHash: 3183A656588CA87A8D663E5721EF4BC860D9EC86
          issuerKeyHash: 7C2E39233244E80F4E66F20D28FE40BEC2B6E2A0
          serialNumber : 0x1bd40ed434d1da15a6003015024da46c <- THIS IS THE SERIAL NUMBER FOR THE CA-CERT

/ulfW

PS Is this mailing list active?

Re: OCSP-validation fails - Wrong cert passed to OCSP by Apache

on 17.08.2010 16:00:38 by Joe Orton

On Tue, Aug 17, 2010 at 12:47:26PM +0200, Ulf Wahlqvist wrote:
> I still don't get it. I used Wireshark and found out that the
> certificate sent to the OCSP-responder is the CA-cert, not the
> client-cert to be validated! I am clueless.

The code tries to verify each cert in the client cert chain from issuing
CA down to the end-entity client cert with the OCSP responder - this is
expected behaviour.

The modssl-users@ was used for discussion of mod_ssl for Apache httpd
1.3. For discussion of OCSP in httpd 2.3 I'd recommend
users@httpd.apache.org - file bugs if you think the code is buggy.

http://issues.apache.org/bugzilla/

Regards, Joe
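The dissection Ulf posted and Joe's explanation fit together once the CertID structure is spelled out: an OCSP request names the certificate being checked by its serial number plus two SHA-1 hashes of its issuer (the issuer's DER-encoded Name and the issuer's public key bits), so a request about the CA certificate carries the CA's serial and hashes of the certificate above it. The script below is an added example, not code from the thread, from httpd or from OpenSSL: it encodes and decodes that CertID with a small DER helper and walks a constructed three-certificate chain in the order Joe describes. The certificates, names and key bytes are constructed stand-ins; only the serial number is taken from the message above. Skipping the self-signed anchor is this example's own choice, since nothing above it could answer for it.

```python
"""
Added example (not code from the thread, httpd or OpenSSL): encode and decode
the OCSP CertID that Wireshark dissected, and walk a client chain the way Joe
describes. Standard library only; certificates are constructed stand-ins.
"""
import hashlib


# ---- minimal DER helpers: enough for CertID and a one-RDN Name ----
def der_tlv(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_integer(value):
    b = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:            # keep a positive INTEGER positive
        b = b"\x00" + b
    return der_tlv(0x02, b)


def read_tlv(buf, pos=0):
    """Return (tag, content, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nb = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    return tag, buf[pos:pos + length], pos + length


SHA1_OID = bytes.fromhex("2b0e03021a")                              # 1.3.14.3.2.26, as in the capture
SHA1_ALGID = der_tlv(0x30, der_tlv(0x06, SHA1_OID) + b"\x05\x00")   # AlgorithmIdentifier { sha1, NULL }


def build_cert_id(issuer_name_der, issuer_key_bits, serial):
    """RFC 2560 CertID: SHA-1 of the issuer's DER Name, SHA-1 of the issuer's
    public key bits, and the serial of the certificate whose status is asked for."""
    return der_tlv(0x30, SHA1_ALGID
                   + der_tlv(0x04, hashlib.sha1(issuer_name_der).digest())
                   + der_tlv(0x04, hashlib.sha1(issuer_key_bits).digest())
                   + der_integer(serial))


def parse_cert_id(der):
    """Decode a CertID into the four fields Wireshark prints."""
    tag, body, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("CertID must be a SEQUENCE")
    fields, pos = [], 0
    for _ in range(4):
        _, content, pos = read_tlv(body, pos)
        fields.append(content)
    algid, name_hash, key_hash, serial = fields
    oid = read_tlv(algid)[1]
    return {
        "hashAlgorithm": "SHA-1" if oid == SHA1_OID else oid.hex(),
        "issuerNameHash": name_hash.hex().upper(),
        "issuerKeyHash": key_hash.hex().upper(),
        "serialNumber": hex(int.from_bytes(serial, "big")),
    }


# ---- constructed stand-in certificates (only the fields CertID needs) ----
class Cert:
    def __init__(self, cn, serial, issuer=None):
        self.cn, self.serial, self.issuer = cn, serial, issuer
        # Name = SEQUENCE { SET { SEQUENCE { id-at-commonName, UTF8String } } }
        rdn = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("550403")) + der_tlv(0x0C, cn.encode()))
        self.name_der = der_tlv(0x30, der_tlv(0x31, rdn))
        # stand-in for the subjectPublicKey BIT STRING contents (constructed, not a real key)
        self.key_bits = hashlib.sha256(b"key:" + cn.encode()).digest()


def ocsp_requests_for_chain(chain):
    """chain runs from the end-entity up to the trust anchor. Every certificate
    with an issuer in the chain gets a CertID, issuing CA first and end-entity
    last (the order Joe describes); the self-signed anchor is skipped because no
    issuer above it could vouch for it (this example's assumption)."""
    return [(c.cn, build_cert_id(c.issuer.name_der, c.issuer.key_bits, c.serial))
            for c in reversed(chain) if c.issuer is not None]


def demo_chain():
    root = Cert("SITHS Root (constructed)", 0x01)
    ca = Cert("SITHS CA v3 (constructed)", 0x1bd40ed434d1da15a6003015024da46c, root)  # serial from the capture
    leaf = Cert("uwcert (constructed)", 0x1234, ca)
    return [leaf, ca, root]


if __name__ == "__main__":
    for cn, cert_id in ocsp_requests_for_chain(demo_chain()):
        print(cn, parse_cert_id(cert_id))
```

Decoding what goes on the wire this way is a cheap check when an OCSP deployment misbehaves: if the issuerNameHash and issuerKeyHash in a capture match the issuer of the certificate you expected to be checked, the request is well formed and the problem lies in the response handling or at the responder; if the serial is the CA's, you are looking at the chain check Joe describes rather than the end-entity check, and the responder must be able to answer for the CA certificate too.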

RE: OCSP-validation fails - Wrong cert passed to OCSP by Apache

on 18.08.2010 08:03:44 by Ulf Wahlqvist

Thanks,

Why didn't I check that? Well, I made it validate correctly by doing a very strange and not usable workaround. I believe something is broken.
I followed your suggestion and posted a more complete entry to the users@httpd.apache.org list. I will file a bug report if no one can point out any errors I have made.

/ulfW