OK. There is nothing special about any of the S/W I am using. I am running fedora core 7 with all the latest updates from the Fedora Project.
The OCSP responder is the openca-ocspd. The certificates are pretty basic. They have SKID, AKID, AIA, CKU and EKU. The EKU is for a TLS Server. Anything else? As I mentioned, I don't see any requests from firefox. Bruce On 11/1/07, Eddy Nigg (StartCom Ltd.) <[EMAIL PROTECTED]> wrote: > > I can try to help you if you can provide some more details about the > software you are using, examination of the certificate itself etc.You can > send me mail also off-list if you feel more comfortable... > > -- > Regards Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org/> > Jabber: [EMAIL PROTECTED] Blog: Join the > Revolution!<http://blog.startcom.org/> > Phone: +1.213.341.0390 > > Bruce Keats wrote: > > Hi, > > I am having problems getting firefox 2.0.0.8 to send requests to the OCSP > responder listed in the Authority Info Access (AIA) extenstion within the > certificates. I am sure it is something fairly simple. > > On Firefox, I have enabled OCSP under "Edit"->"Preferences", the "Advanced" > tab, "Encryption" tab, "Verification" window. I selected the radio button > "Use OCSP to validate only certificates that specify an OCSP service URL". > > I have an HTTPS server that is sending a certificate that has the AIA > extension. When I try and setup the connection, I get the usual certificate > warnings and if I examine the server's certificate, I see it does have the > AIA extension. The AIA lists three OCSP responders: > Not Critical > OCSP: URI: http://server1:9000 > OCSP: URI: http://server2:9000 > OCSP: URI: http://server3:9000 > > When I check the OCSP responder, I don't see any logs indicating it received > an OCSP request from the host that I am running firefox on. > > I know the OCSP responder is working because it responds to requests from > the same host using openssl ocsp from the command line. The openssl ocsp > command is: > openssl ocsp -issuer /tmp/cacert.pem -cert /tmp/cert.pem -text -CAfile > /tmp/cacert.pem -url http://server1:9000 > > I have been trying different things over the past couple of days without > much success. I did some google searches without finding much. I had a > quick look at the source code and it looks like OCSP support is there. > > Any ideas why this isn't working for me? Any suggestions of things to try > because I am out of ideas? > > Bruce > > > > _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto