I have now verified that if I use openssl directly from command line it will verify OK. Apparently there is no need for signing the request.
>openssl ocsp -issuer /usr/local/apache2/conf/SITHS_CA_v3.cer -CAfile
>/usr/local/apache2/conf/SITHS_CA_v3.cer -cert /mnt/download/uwcert.cer -text
>-url http://ocsp.trust.telia.com
. . . .
Response verify OK
/mnt/download/uwcert.cer: good
        This Update: Jul 29 10:43:41 2010 GMT
        Next Update: Jul 30 10:43:45 2010 GMT

/ulfW

-----Original Message-----
From: owner-modssl-us...@modssl.org [mailto:owner-modssl-us...@modssl.org] On Behalf Of Ulf Wahlqvist
Sent: 27 July 2010 16:43
To: modssl-users@modssl.org
Subject: OCSP-validation fails

Hi

I'm trying to get Apache to do client certificate verification with OCSP validation. It works without OCSP, but OCSP validation fails when I turn it on. The error is "OCSP_check_validity:status too old", but that doesn't make sense because the clocks are within 2 seconds. The client (Apache) says "Mon Jul 26 15:50:06.488292 2010" and the response says "Mon, 26 Jul 2010 13:50:05 GMT", which is the same time.

Can there be a problem with comparing timestamps? A more likely problem might be that the OCSP responder requires a SIGNED message, but I don't understand how to get Apache to sign it. Some European OCSP responders seem to accept only signed requests and I'm trying to find out if this is one of them.

Will Apache be able to sign OCSP requests? (In that case, how do I pass the cert/key?)
** my config *************************************************************
[r...@fedoragui logs]# httpd -v
Server version: Apache/2.3.6 (Unix)
Server built:   Jul 16 2010 15:31:39
[r...@fedoragui logs]# openssl version
OpenSSL 1.0.0a-fips 1 Jun 2010

./configure --enable-ssl

** error_log *************************************************************
[Mon Jul 26 15:50:05.782378 2010] [info] [pid 9164:tid 3053448048] [client 10.0.2.2:2112] Connection to child 193 established (server fedoragui.mydomain.com:443)
[Mon Jul 26 15:50:06.461652 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(79): [client 10.0.2.2:2112] connecting to OCSP responder 'ocsp.trust.telia.com'
[Mon Jul 26 15:50:06.466167 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(105): [client 10.0.2.2:2112] sending request to OCSP responder
[Mon Jul 26 15:50:06.488292 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(209): [client 10.0.2.2:2112] OCSP response header: Date: Mon, 26 Jul 2010 13:50:05 GMT
[Mon Jul 26 15:50:06.493946 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(209): [client 10.0.2.2:2112] OCSP response header: Server: Apache
[Mon Jul 26 15:50:06.494352 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(209): [client 10.0.2.2:2112] OCSP response header: Content-Length: 1264
[Mon Jul 26 15:50:06.494828 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(209): [client 10.0.2.2:2112] OCSP response header: Connection: close
[Mon Jul 26 15:50:06.495071 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(209): [client 10.0.2.2:2112] OCSP response header: Content-Type: application/ocsp-response
[Mon Jul 26 15:50:06.495303 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(252): [client 10.0.2.2:2112] OCSP response: got 1264 bytes, 1264 total
[Mon Jul 26 15:50:06.498272 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(235): [client 10.0.2.2:2112] OCSP response: got EOF
[Mon Jul 26 15:50:06.500184 2010] [error] [pid 9164:tid 3053448048] SSL Library Error: error:2707307F:OCSP routines:OCSP_check_validity:status too old
[Mon Jul 26 15:50:06.504012 2010] [error] [pid 9164:tid 3053448048] [client 10.0.2.2:2112] Certificate Verification: Error (50): application verification failure
[Mon Jul 26 15:50:06.504430 2010] [info] [pid 9164:tid 3053448048] [client 10.0.2.2:2112] SSL library error 1 in handshake (server fedoragui.mydomain.com:443)

/ulfW

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                            majord...@modssl.org
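The thread turns on what "OCSP_check_validity:status too old" actually tests. As an added example (not code from the thread, from Apache or from OpenSSL), the following Python models the validity-window checks OpenSSL's OCSP_check_validity applies to an OCSP single response, with the same two tuning parameters: nsec, the tolerated clock skew, and maxsec, the maximum accepted age of thisUpdate (negative means no limit). The thisUpdate/nextUpdate values are the ones printed by the openssl run above; the "now" clocks fed to it are constructed for illustration.

```python
"""Model of OpenSSL's OCSP_check_validity window checks (added example,
a reimplementation of the semantics, not OpenSSL's or Apache's own code).

nsec   : allowed clock skew in seconds between responder and verifier
maxsec : maximum accepted age of thisUpdate in seconds; < 0 disables the check
"""
from datetime import datetime, timedelta, timezone

# Time format as printed by `openssl ocsp -text` ("This Update: Jul 29 10:43:41 2010 GMT")
_OCSP_TIME_FMT = "%b %d %H:%M:%S %Y GMT"


def parse_ocsp_time(text: str) -> datetime:
    """Parse an openssl-printed OCSP timestamp into an aware UTC datetime."""
    return datetime.strptime(text.strip(), _OCSP_TIME_FMT).replace(tzinfo=timezone.utc)


def check_validity(this_update: datetime, next_update, now: datetime,
                   nsec: int = 300, maxsec: int = -1) -> list:
    """Return the OpenSSL-style reasons for rejecting the response window.

    An empty list means the window is acceptable. The checks mirror the
    order in OCSP_check_validity:
      1. thisUpdate must not lie more than nsec in the future
      2. if maxsec >= 0, thisUpdate must not be older than maxsec
      3. nextUpdate (if present) must not lie more than nsec in the past
      4. nextUpdate (if present) must not precede thisUpdate
    """
    reasons = []
    skew = timedelta(seconds=nsec)

    if this_update > now + skew:
        reasons.append("status not yet valid")
    if maxsec >= 0 and this_update < now - timedelta(seconds=maxsec):
        # This is the only branch that yields "status too old".
        reasons.append("status too old")

    if next_update is not None:
        if next_update < now - skew:
            reasons.append("status expired")
        if next_update < this_update:
            reasons.append("nextupdate before thisupdate")
    return reasons


def demo() -> dict:
    """Run the window check for the thread's response under constructed clocks."""
    this_upd = parse_ocsp_time("Jul 29 10:43:41 2010 GMT")
    next_upd = parse_ocsp_time("Jul 30 10:43:45 2010 GMT")
    # Constructed verifier clock: one hour after the responder produced the status.
    now = this_upd + timedelta(hours=1)
    return {
        "no max age": check_validity(this_upd, next_upd, now),
        "max age 10 min": check_validity(this_upd, next_upd, now, maxsec=600),
        "max age 0": check_validity(this_upd, next_upd, now, maxsec=0),
        "after nextUpdate": check_validity(this_upd, next_upd,
                                           next_upd + timedelta(hours=1)),
    }


if __name__ == "__main__":
    for label, reasons in demo().items():
        print(f"{label:18s} -> {reasons or 'OK'}")
```

In this model only the maxsec branch produces "status too old", so that message reports the age of thisUpdate relative to the configured maximum age, not a mismatch between the two clocks; skew between verifier and responder shows up as "status not yet valid" or "status expired" instead. In mod_ssl the two parameters are supplied by the SSLOCSPResponseTimeSkew and SSLOCSPResponseMaxAge directives, so when tuning them it helps to compare the responder's thisUpdate against the verifier's clock the way the function above does.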