Posted to bugs@httpd.apache.org by bu...@apache.org on 2010/08/19 16:38:39 UTC
DO NOT REPLY [Bug 49784] New: OCSP-validation fails with cert that validates correctly using OpenSSL directly
https://issues.apache.org/bugzilla/show_bug.cgi?id=49784
Summary: OCSP-validation fails with cert that validates correctly using OpenSSL directly
Product: Apache httpd-2
Version: 2.3-HEAD
Platform: PC
OS/Version: Linux
Status: NEW
Severity: major
Priority: P2
Component: mod_ssl
AssignedTo: bugs@httpd.apache.org
ReportedBy: ulf.wahlqvist@cybercomgroup.com
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 49784] OCSP-validation fails with cert that validates correctly using OpenSSL directly
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49784
Kaspar Brand <as...@velox.ch> changed:
           What    |Removed |Added
----------------------------------------------------------------------------
         Status    |NEW     |RESOLVED
       Platform    |PC      |All
     Resolution    |        |FIXED
     OS/Version    |Linux   |All
--- Comment #6 from Kaspar Brand <as...@velox.ch> 2011-09-25 16:06:24 UTC ---
Fixed with r1059917 - #define MAX_AGE (360) is gone.
DO NOT REPLY [Bug 49784] OCSP-validation fails with cert that validates correctly using OpenSSL directly
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49784
--- Comment #1 from ulf wahlqvist <ul...@cybercomgroup.com> 2010-08-19 11:02:03 EDT ---
Created an attachment (id=25915)
--> (https://issues.apache.org/bugzilla/attachment.cgi?id=25915)
Extracts from logfiles
DO NOT REPLY [Bug 49784] OCSP-validation fails with cert that validates correctly using OpenSSL directly
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49784
--- Comment #5 from ulf wahlqvist <ul...@cybercomgroup.com> 2010-08-30 09:42:23 EDT ---
I checked with Telia and they only update when something changes, as I
suspected.
/ulfW
DO NOT REPLY [Bug 49784] OCSP-validation fails with cert that validates correctly using OpenSSL directly
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49784
--- Comment #2 from ulf wahlqvist <ul...@cybercomgroup.com> 2010-08-19 11:04:21 EDT ---
Description:
Overview:
I'm trying to get Apache to do Client certificate verification with
OCSP-validation.
It works without OCSP, but OCSP-validation fails when I turn it on.
OCSP-validation works when using OpenSSL directly from command-line.
The error is "OCSP_check_validity:status too old", but that doesn't make sense
because the clocks are within 2 seconds.
Steps to Reproduce:
I use a card-based certificate issued by Telia for use by local government etc.
I'm not using the OCSP-responder address in the certificate's "Authority Info
Access" (http://sithsocsp.trust.telia.com), because it is not reachable from my
system. However, the same responder is reachable using another address
(http://ocsp.trust.telia.com).
I have verified that if I use openssl directly from command line it will verify
OK.
>openssl ocsp -issuer /usr/local/apache2/conf/SITHS_CA_v3.cer -CAfile
>/usr/local/apache2/conf/SITHS_CA_v3.cer -cert /mnt/download/uwcert.cer
>-text -url http://ocsp.trust.telia.com
.
.
Response verify OK
/mnt/download/uwcert.cer: good
This Update: Jul 29 10:43:41 2010 GMT
Next Update: Jul 30 10:43:45 2010 GMT
Tests:
// Logfiles appended //
CASE 1/ If I set:
SSLOCSPDefaultResponder http://ocsp.trust.telia.com
SSLOCSPOverrideResponder on
The validation will fail with "SSL Library Error: error:2707307F:OCSP
routines:OCSP_check_validity:status too old".
I have set GMT as the timezone and made sure that time is synchronized.
According to the log the time-stamps from my system and the OCSP-responder are
within 1 second.
CASE 2/ If I set:
SSLOCSPDefaultResponder http://ocsp.trust.telia.com
The validation of the first cert in the chain will succeed but the second will
fail with "(110)Connection timed out: could not connect to OCSP responder
'sithsocsp.trust.telia.com'". This is the expected behavior because my computer
does not have access to sithsocsp.trust.telia.com.
CASE 3/ If I set:
SSLOCSPDefaultResponder http://ocsp.trust.telia.com
- Try to authenticate - It will fail as in 2 above.
- Do NOT close the browser (IE, by the way)
- set: SSLOCSPDefaultResponder http://ocsp.trust.telia.com
SSLOCSPOverrideResponder on
- restart using apachectl graceful
- Retry to authenticate - It will now SUCCEED!
I discovered this by accident, but it is reproducible.
Configuration:
[root@fedoragui crl]# uname -a
Linux fedoragui.mydomain.com 2.6.33.5-112.fc13.i686 #1 SMP Thu May 27 03:11:56
UTC 2010 i686 i686 i386 GNU/Linux
[root@fedoragui logs]# httpd -v
Server version: Apache/2.3.6 (Unix)
Server built: Jul 16 2010 15:31:39
[root@fedoragui logs]# openssl version
OpenSSL 1.0.0a-fips 1 Jun 2010
Apache configuration:
./configure --enable-ssl
DO NOT REPLY [Bug 49784] OCSP-validation fails with cert that validates correctly using OpenSSL directly
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49784
--- Comment #3 from Dr Stephen Henson <st...@openssl.org> 2010-08-26 13:11:25 EDT ---
(In reply to comment #2)
>
> I have verified that if I use openssl directly from command line it will verify
> OK.
> >openssl ocsp -issuer /usr/local/apache2/conf/SITHS_CA_v3.cer -CAfile
> >/usr/local/apache2/conf/SITHS_CA_v3.cer -cert /mnt/download/uwcert.cer
> >-text -url http://ocsp.trust.telia.com
> .
> .
> Response verify OK
> /mnt/download/uwcert.cer: good
> This Update: Jul 29 10:43:41 2010 GMT
> Next Update: Jul 30 10:43:45 2010 GMT
>
The (currently fixed) parameters set in Apache for OCSP response validation
require that This Update is not more than 10 minutes in the past. Check the
command line switch -status_age 360 with openssl and see if you get the same
error.
DO NOT REPLY [Bug 49784] OCSP-validation fails with cert that validates correctly using OpenSSL directly
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49784
--- Comment #4 from ulf wahlqvist <ul...@cybercomgroup.com> 2010-08-27 11:23:50 EDT ---
(In reply to comment #3)
> (In reply to comment #2)
> >
> > I have verified that if I use openssl directly from command line it will verify
> > OK.
> > >openssl ocsp -issuer /usr/local/apache2/conf/SITHS_CA_v3.cer -CAfile
> > >/usr/local/apache2/conf/SITHS_CA_v3.cer -cert /mnt/download/uwcert.cer
> > >-text -url http://ocsp.trust.telia.com
> > .
> > .
> > Response verify OK
> > /mnt/download/uwcert.cer: good
> > This Update: Jul 29 10:43:41 2010 GMT
> > Next Update: Jul 30 10:43:45 2010 GMT
> >
>
> The (currently fixed) parameters set in Apache for OCSP response validation
> require that This Update is not more than 10 minutes in the past. Check the
> command line switch -status_age 360 with openssl and see if you get the same
> error.
You were right - that is the problem:
[root@fedoragui crl]# openssl ocsp -issuer
/usr/local/apache2/conf/SITHS_CA_v3.cer -CAfile
/usr/local/apache2/conf/SITHS_CA_v3.cer -cert /mnt/download/uwcert.cer -text
-url http://ocsp.trust.telia.com -status_age 360
.
.
.
Response verify OK
/mnt/download/uwcert.cer: WARNING: Status times invalid.
3079378652:error:2707307F:OCSP routines:OCSP_check_validity:status too
old:ocsp_cl.c:338:
good
This Update: Aug 27 14:13:55 2010 GMT
Next Update: Aug 28 14:13:58 2010 GMT
[root@fedoragui crl]# date
Fri Aug 27 14:49:36 GMT 2010
I then tested with -validity_period 60 and it works:
[root@fedoragui crl]# openssl ocsp -issuer
/usr/local/apache2/conf/SITHS_CA_v3.cer -CAfile
/usr/local/apache2/conf/SITHS_CA_v3.cer -cert /mnt/download/uwcert.cer -text
-url http://ocsp.trust.telia.com -validity_period 60
.
.
.
Response verify OK
/mnt/download/uwcert.cer: good
This Update: Aug 27 14:13:55 2010 GMT
Next Update: Aug 28 14:13:58 2010 GMT
I thought that -status_age was the same as -validity_period, but I now suspect
that -validity_period is how old the response is and -status_age is "when the
crl-list that the responder is using was timestamped". I then waited until I
got another "This Update"-timestamp and got the successful verification and
also SUCCEEDED to AUTHENTICATE in my browser.
[root@fedoragui crl]# openssl ocsp -issuer
/usr/local/apache2/conf/SITHS_CA_v3.cer -CAfile
/usr/local/apache2/conf/SITHS_CA_v3.cer -cert /mnt/download/uwcert.cer -text
-url http://ocsp.trust.telia.com -status_age 360
Response verify OK
/mnt/download/uwcert.cer: good
This Update: Aug 27 14:51:18 2010 GMT
Next Update: Aug 28 14:51:21 2010 GMT
[root@fedoragui crl]# date
Fri Aug 27 14:55:07 GMT 2010
The 10 minutes limit is definitely a problem for me, because "This update" is
updated infrequently:
This Update: Aug 27 13:55:10 2010 GMT
This Update: Aug 27 14:13:55 2010 GMT
This Update: Aug 27 14:51:18 2010 GMT
I guess that it is updated "on demand", when something changes and not
periodically.
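The following is an added example, not code from the thread, from mod_ssl or from OpenSSL: a small Python model of the time-window check that OpenSSL's OCSP_check_validity() applies to a single cert status, replayed against the timestamps the reporter posted in comment #2 and comment #4. It makes the two knobs explicit, nsec (openssl ocsp -validity_period, the clock-skew tolerance, default 300 s) and maxsec (-status_age, the maximum age of This Update, -1 for no limit), and it quantifies why a responder that moves This Update only when something changes cannot satisfy mod_ssl's former hard-coded MAX_AGE of 360 seconds most of the time. The timestamps are copied from the thread and the `now` values are the `date` output posted next to them; the function and constant names are this example's own.

```python
"""Model of OpenSSL's OCSP_check_validity() time-window check.

Added example for bug 49784; this is not code from httpd, mod_ssl or OpenSSL.
It mirrors the four checks OCSP_check_validity(thisupd, nextupd, nsec, maxsec)
applies to one cert status, so the "status too old" error from the thread can
be reproduced offline.  Parameter names follow the openssl ocsp(1) switches:
nsec = -validity_period (clock-skew tolerance), maxsec = -status_age (maximum
age of This Update, -1 = unlimited).  All timestamps below are copied from
the thread (comment #4); the NOW_* values are the `date` output posted there.
"""
from datetime import datetime, timedelta, timezone

# openssl ocsp defaults: -validity_period 300 (5 min), -status_age unset (-1)
DEFAULT_NSEC = 300
DEFAULT_MAXSEC = -1
# The fixed limit mod_ssl applied before r1059917 (#define MAX_AGE (360)),
# which Dr Henson had the reporter emulate with -status_age 360.
MOD_SSL_MAX_AGE_PRE_FIX = 360


def parse_ocsp_time(text):
    """Parse the 'Aug 27 14:13:55 2010 GMT' layout that `openssl ocsp -text` prints."""
    return datetime.strptime(text, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def check_validity(this_upd, next_upd, now, nsec=DEFAULT_NSEC, maxsec=DEFAULT_MAXSEC):
    """Return the list of OCSP_check_validity() failures; an empty list means OK.

    - This Update may be at most nsec seconds in the future (clock skew).
    - If maxsec >= 0, This Update may be at most maxsec seconds in the past.
    - Next Update, if present, may be at most nsec seconds in the past.
    - Next Update must not precede This Update.
    """
    skew = timedelta(seconds=nsec)
    problems = []
    if this_upd > now + skew:
        problems.append("status not yet valid")
    if maxsec >= 0 and this_upd < now - timedelta(seconds=maxsec):
        problems.append("status too old")
    if next_upd is not None:
        if next_upd < now - skew:
            problems.append("status expired")
        if next_upd < this_upd:
            problems.append("next update before this update")
    return problems


def accepted_seconds(this_updates, maxsec):
    """For a responder that only refreshes This Update when something changes,
    count how many of the seconds between consecutive refreshes a client with a
    fixed maximum age would accept the response.  Returns (accepted, total)."""
    accepted = total = 0
    for earlier, later in zip(this_updates, this_updates[1:]):
        gap = int((later - earlier).total_seconds())
        total += gap
        accepted += gap if maxsec < 0 else min(gap, maxsec)
    return accepted, total


# Response seen in comment #4 at 14:49:36, and the refreshed one seen at 14:55:07.
THIS_UPD = parse_ocsp_time("Aug 27 14:13:55 2010 GMT")
NEXT_UPD = parse_ocsp_time("Aug 28 14:13:58 2010 GMT")
NOW_FIRST = parse_ocsp_time("Aug 27 14:49:36 2010 GMT")
THIS_UPD_FRESH = parse_ocsp_time("Aug 27 14:51:18 2010 GMT")
NEXT_UPD_FRESH = parse_ocsp_time("Aug 28 14:51:21 2010 GMT")
NOW_FRESH = parse_ocsp_time("Aug 27 14:55:07 2010 GMT")
# The three This Update values the reporter observed within one hour.
THIS_UPDATES_SEEN = [parse_ocsp_time(t) for t in (
    "Aug 27 13:55:10 2010 GMT", "Aug 27 14:13:55 2010 GMT", "Aug 27 14:51:18 2010 GMT")]


def reproduce_thread():
    """Replay the three openssl runs from comment #4 through the model."""
    return {
        # -status_age 360 against a 35-minute-old This Update: mod_ssl's error
        "status_age_360": check_validity(THIS_UPD, NEXT_UPD, NOW_FIRST,
                                         maxsec=MOD_SSL_MAX_AGE_PRE_FIX),
        # -validity_period 60: skew tightened, but no age limit, so it passes
        "validity_period_60": check_validity(THIS_UPD, NEXT_UPD, NOW_FIRST, nsec=60),
        # same -status_age 360 a few minutes after the responder refreshed
        "status_age_360_fresh": check_validity(THIS_UPD_FRESH, NEXT_UPD_FRESH, NOW_FRESH,
                                               maxsec=MOD_SSL_MAX_AGE_PRE_FIX),
    }


if __name__ == "__main__":
    for name, problems in reproduce_thread().items():
        print(f"{name}: {'OK' if not problems else ', '.join(problems)}")
    acc, tot = accepted_seconds(THIS_UPDATES_SEEN, MOD_SSL_MAX_AGE_PRE_FIX)
    print(f"with MAX_AGE 360 the responder's answers are acceptable {acc}/{tot} s "
          f"({100 * acc / tot:.0f}% of the time)")
```

The two openssl switches the reporter compared map onto these parameters directly: -validity_period sets nsec (how far the two clocks may disagree), -status_age sets maxsec (how stale This Update may be). With the three This Update values seen in one hour, a 360-second limit accepts the responder's answers for 720 of 3368 seconds, roughly a fifth of the time, which is the intermittent behaviour the reporter hit. Since r1059917 mod_ssl exposes the same pair as SSLOCSPResponseTimeSkew (default 300) and SSLOCSPResponseMaxAge (default -1, no limit), so a responder that moves This Update only on change verifies by default; tightening SSLOCSPResponseMaxAge is only safe against responders that regenerate responses on a schedule shorter than the limit.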