On Thu, May 09, 2024 at 08:39:05PM +0000, Alvarez, Angelo CIV USN JOINT
TYPHOON WARCEN (USA) via FreeIPA-users wrote:
> Aloha. We are trying to get OCSP verification working with RHEL 8 SSSD.  The
> OCSP responder CA is not in the trust chain of the CA that issued the smart
> card certificates.  I was able to get openssl ocsp verification to work
> using "-verify_other" and "-trust_other" options.
> 
> [root@c27nmgmtjtprlh1 PKI]# openssl ocsp -issuer DOD_ID_CA-63.pem
> -verify_other NAWEPRLHRD12.pem -trust_other -cert ~alvareza/alvarez.pem -url
> http://repeater1.xxxxx.xxxxx.xxxx.xxxx.xxxx -respout -text
> WARNING: no nonce in response
> Response verify OK
> /home/alvareza/alvarez.pem: good
>         This Update: May  9 00:00:00 2024 GMT
>         Next Update: May 15 06:16:18 2024 GMT
> 
>  
> 
> I tried to perform OCSP verification with the SSSD p11_child helper, but it
> does not work.  Does anyone know if the "Direct Trust" model for OCSP works
> with RHEL 8 SSSD? 
>  [root@c27nmgmtjtprlh1 pki]# /usr/libexec/sssd/p11_child --dumpable=1
> --debug-microseconds=0 --debug-timestamps=1 --debug-fd=22 --debug-level=9
> --verification --verify
> ocsp_dgst=sha1,ocsp_default_responder=http://repeater1.xxxxx.xxxxx.xxxx.xxxx
> .xxxx --ca_db=/etc/sssd/pki/sssd_auth_ca_db.pem --certificate=$(cat

Hi,

have you tried to add the CA certificates for the OCSP responder (I
guess the content of NAWEPRLHRD12.pem) to
/etc/sssd/pki/sssd_auth_ca_db.pem together with the CA certificates for
the user certificate?

bye,
Sumit

> /home/alvareza/alvarez.pem | grep -v BEGIN | grep -v END | tr -d "\n")
> set_debug_file_from_fd failed.
> (2024-05-09  8:07:24): [p11_child[2817468]] [main] (0x0400): p11_child
> started.
> (2024-05-09  8:07:24): [p11_child[2817468]] [main] (0x2000): Running in
> [verify] mode.
> (2024-05-09  8:07:24): [p11_child[2817468]] [main] (0x2000): Running with
> effective IDs: [0][0].
> (2024-05-09  8:07:24): [p11_child[2817468]] [main] (0x2000): Running with
> real IDs [0][0].
> (2024-05-09  8:07:24): [p11_child[2817468]] [parse_cert_verify_opts]
> (0x4000): Using sha1 for OCSP.
> (2024-05-09  8:07:24): [p11_child[2817468]] [parse_cert_verify_opts]
> (0x4000): Using OCSP default responder
> [http://repeater1.prlh.nadsuswe.nads.navy.mil]
> (2024-05-09  8:07:24): [p11_child[2817468]] [do_ocsp] (0x4000): Using OCSP
> URL [http://repeater1.prlh.nadsuswe.nads.navy.mil].
> (2024-05-09  8:07:24): [p11_child[2817468]] [do_ocsp] (0x0020): No nonce in
> OCSP response. This might indicate a replay attack or an OCSP responder
> which does not support nonces.  Accepting response.
> (2024-05-09  8:07:24): [p11_child[2817468]] [do_ocsp] (0x0020):
> OCSP_basic_verify() failed to verify OCSP response.
> (2024-05-09  8:07:24): [p11_child[2817468]] [do_verification] (0x0040):
> do_ocsp failed.
> (2024-05-09  8:07:24): [p11_child[2817468]] [do_work] (0x0400): Certificate
> is NOT valid.
> 22
> (2024-05-09  8:07:24): [p11_child[2817468]] [main] (0x0020): p11_child
> failed (22)
> 
>  
> 
> v/r
> 
>  
> 
> Angelo Alvarez, CISSP
> 
> N6
> 
> Joint Typhoon Warning Center
> 
> Work: 808.471.3645
> 
> Mobile: 808.389.9474
> 
> Email: angelo.alva...@navy.mil <mailto:angelo.alva...@navy.mil> 
> 
> SiPR Email: angelo.alva...@navy.smil.mil
> <mailto:angelo.alva...@navy.smil.mil> 
> 
>  
> 
> "!No contaban on mi astucia!" - El Chapulin Colorado
> 
>  
> 
>  
> 



> --
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam, report it: 
> https://pagure.io/fedora-infrastructure/new_issue
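To illustrate the trust question raised in this thread, here is an added example (not code from the thread, from SSSD or from OpenSSL): a constructed PKI built with the Python `cryptography` library, in which the user certificate is issued by CA-A while the OCSP responder certificate comes from an unrelated CA-B, plus a simplified verifier that models the trust decision OCSP_basic_verify() makes. The response fails when only CA-A is trusted and passes once CA-B, or the responder certificate itself (the -trust_other case), is in the trusted set; the certificate names and the single-level chain check are simplifying assumptions.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509 import ocsp
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec

NOW = datetime.now(timezone.utc).replace(tzinfo=None, microsecond=0)  # naive UTC for the builders

def make_cert(cn, key, issuer_cert, issuer_key, ocsp_signer=False):
    """Issue a one-day EC certificate; issuer_cert=None yields a self-signed root (constructed PKI)."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    b = (x509.CertificateBuilder().subject_name(name)
         .issuer_name(issuer_cert.subject if issuer_cert else name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(NOW).not_valid_after(NOW + timedelta(days=1)))
    if ocsp_signer:  # a delegated responder carries the OCSP Signing EKU
        b = b.add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.OCSP_SIGNING]), critical=False)
    return b.sign(issuer_key, hashes.SHA256())

def sig_ok(signer_cert, data, signature, halg):
    """True if signer_cert's key produced `signature` over `data` (ECDSA only, for brevity)."""
    try:
        signer_cert.public_key().verify(signature, data, ec.ECDSA(halg))
        return True
    except Exception:  # cryptography.exceptions.InvalidSignature
        return False

def verify_response(resp_der, trusted):
    """Simplified OCSP_basic_verify(): the signer must have signed the response and must be
    either itself in `trusted` (direct trust) or issued by a CA found in `trusted` (chain trust)."""
    resp = ocsp.load_der_ocsp_response(resp_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return False
    signer = next((c for c in resp.certificates if c.subject == resp.responder_name), None)
    if signer is None or not sig_ok(signer, resp.tbs_response_bytes, resp.signature, resp.signature_hash_algorithm):
        return False
    return signer in trusted or any(t.subject == signer.issuer and
        sig_ok(t, signer.tbs_certificate_bytes, signer.signature, signer.signature_hash_algorithm) for t in trusted)

def build_demo():
    """Constructed PKI mirroring the thread: user cert from CA-A, responder cert from unrelated CA-B."""
    ca_a_key, ca_b_key, user_key, resp_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(4))
    ca_a = make_cert("CA-A user issuer", ca_a_key, None, ca_a_key)
    ca_b = make_cert("CA-B responder issuer", ca_b_key, None, ca_b_key)
    user = make_cert("smart card user", user_key, ca_a, ca_a_key)
    responder = make_cert("ocsp responder", resp_key, ca_b, ca_b_key, ocsp_signer=True)
    resp = (ocsp.OCSPResponseBuilder()
            .add_response(cert=user, issuer=ca_a, algorithm=hashes.SHA1(), cert_status=ocsp.OCSPCertStatus.GOOD,
                          this_update=NOW, next_update=NOW + timedelta(days=6), revocation_time=None, revocation_reason=None)
            .responder_id(ocsp.OCSPResponderEncoding.NAME, responder)
            .certificates([responder]).sign(resp_key, hashes.SHA256()))
    return resp.public_bytes(serialization.Encoding.DER), ca_a, ca_b, responder
```

With only CA-A in the trusted set the verifier rejects the response, which is the same outcome as the "OCSP_basic_verify() failed" line in the p11_child log above; adding CA-B (the responder's issuer) or the responder certificate itself makes it pass.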