https://issues.apache.org/bugzilla/show_bug.cgi?id=49784
--- Comment #2 from ulf wahlqvist <[email protected]> 2010-08-19 11:04:21 EDT ---

Description:

Overview:
I'm trying to get Apache to do client certificate verification with OCSP validation. It works without OCSP, but OCSP validation fails when I turn it on. OCSP validation works when using OpenSSL directly from the command line. The error is "OCSP_check_validity:status too old", but that doesn't make sense because the clocks are within 2 seconds.

Steps to Reproduce:
I use a card-based certificate issued by Telia for use by local government etc. I'm not using the OCSP responder address in the certificate's "Authority Info Access" (http://sithsocsp.trust.telia.com), because it is not reachable from my system. However, the same responder is reachable using another address (http://ocsp.trust.telia.com). I have verified that if I use openssl directly from the command line it will verify OK.

>openssl ocsp -issuer /usr/local/apache2/conf/SITHS_CA_v3.cer -CAfile
>/usr/local/apache2/conf/SITHS_CA_v3.cer -cert /mnt/download/uwcert.cer
>-text -url http://ocsp.trust.telia.com
.
.
Response verify OK
/mnt/download/uwcert.cer: good
        This Update: Jul 29 10:43:41 2010 GMT
        Next Update: Jul 30 10:43:45 2010 GMT

Tests: // Logfiles appended //

CASE 1/
If I set:
  SSLOCSPDefaultResponder http://ocsp.trust.telia.com
  SSLOCSPOverrideResponder on
The validation will fail with "SSL Library Error: error:2707307F:OCSP routines:OCSP_check_validity:status too old". I have set GMT as the timezone and made sure that time is synchronized. According to the log, the timestamps from my system and the OCSP responder are within 1 second.

CASE 2/
If I set:
  SSLOCSPDefaultResponder http://ocsp.trust.telia.com
The validation of the first cert in the chain will succeed but the second will fail with "(110)Connection timed out: could not connect to OCSP responder 'sithsocsp.trust.telia.com'". This is the expected behavior because my computer does not have access to sithsocsp.trust.telia.com.

CASE 3/
If I set:
  SSLOCSPDefaultResponder http://ocsp.trust.telia.com
- Try to authenticate
- It will fail as in 2 above.
- Do NOT close the browser (IE, by the way)
- set:
  SSLOCSPDefaultResponder http://ocsp.trust.telia.com
  SSLOCSPOverrideResponder on
- restart using apachectl graceful
- Retry to authenticate
- It will now SUCCEED!
I discovered this by accident, but it is reproducible.

Configuration:
[r...@fedoragui crl]# uname -a
Linux fedoragui.mydomain.com 2.6.33.5-112.fc13.i686 #1 SMP Thu May 27 03:11:56 UTC 2010 i686 i686 i386 GNU/Linux
[r...@fedoragui logs]# httpd -v
Server version: Apache/2.3.6 (Unix)
Server built:   Jul 16 2010 15:31:39
[r...@fedoragui logs]# openssl version
OpenSSL 1.0.0a-fips 1 Jun 2010

Apache configuration:
./configure --enable-ssl
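The "status too old" error in the report is raised by OpenSSL's freshness check on the singleResponse's thisUpdate/nextUpdate fields, not by a clock comparison with the responder. As an added example (not code from the report, from httpd or from OpenSSL), the Python below models that check with the semantics of OCSP_check_validity(thisupd, nextupd, nsec, maxsec) as I understand them: nsec is the tolerated clock skew and maxsec the maximum accepted age of thisUpdate, with a negative maxsec meaning unlimited (in httpd 2.4's mod_ssl these are fed by SSLOCSPResponseTimeSkew and SSLOCSPResponseMaxAge). The timestamps are the ones from the openssl output above; the "now" values are constructed.

```python
"""Model of OpenSSL's OCSP_check_validity() freshness rules (assumed semantics).
Returns the list of error names that would be raised; [] means acceptable."""
from datetime import datetime, timedelta, timezone

GENERALIZEDTIME_FMT = "%Y%m%d%H%M%SZ"  # ASN.1 GeneralizedTime, UTC only


def parse_generalized_time(s: str) -> datetime:
    """Parse e.g. '20100729104341Z' into an aware UTC datetime."""
    return datetime.strptime(s, GENERALIZEDTIME_FMT).replace(tzinfo=timezone.utc)


def check_validity(this_update, next_update, now, nsec=300, maxsec=-1):
    errors = []
    skew = timedelta(seconds=nsec)
    # thisUpdate may not lie more than nsec seconds in the future
    if this_update > now + skew:
        errors.append("status not yet valid")
    # only when a maximum age is configured: thisUpdate may not be older than maxsec
    if maxsec >= 0 and this_update < now - timedelta(seconds=maxsec):
        errors.append("status too old")
    if next_update is None:          # nextUpdate is OPTIONAL in OCSP
        return errors
    # nextUpdate may not lie more than nsec seconds in the past
    if next_update < now - skew:
        errors.append("status expired")
    if next_update < this_update:
        errors.append("nextupdate before thisupdate")
    return errors


def report_example():
    """Timestamps from the report's openssl output; 'now' values are constructed."""
    this_upd = parse_generalized_time("20100729104341Z")
    next_upd = parse_generalized_time("20100730104345Z")
    now = this_upd + timedelta(seconds=2)   # clocks within 2 s, as in the report
    return {
        # default: skew 300 s, no maximum age -> response accepted
        "unlimited_max_age": check_validity(this_upd, next_upd, now),
        # a 1 s maximum age turns a 2 s old thisUpdate into "status too old"
        "max_age_1s": check_validity(this_upd, next_upd, now, maxsec=1),
        # checking 10 min past nextUpdate exceeds the 300 s skew -> "status expired"
        "expired_later": check_validity(this_upd, next_upd,
                                        now + timedelta(days=1, minutes=10)),
    }


if __name__ == "__main__":
    for case, result in report_example().items():
        print(f"{case}: {result or 'OK'}")
```

Plug a server's real maxsec/nsec into check_validity() to see which of the two knobs, not the clock offset, produces the error text seen in the report.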
