> Hi Joachim,
> 
> there should be an option in the etc/ocspd/ocspd.xml file. In particular,
> search for the digestAlgorithm option. Is that sha1? If that is the
> case and you needed to change the code in libpki, then there's an
> error there that I need to fix.
> 
> Just to summarize: you are using an RSA+SHA256 certificate as the OCSP
> responder's certificate?
> 
> If that is the case, the hash algorithm used for signatures (not the
> OCSP hashing algorithm) when signing the response is taken from the
> server's certificate - that might be the cause for the sha256. I don't
> understand why the CISCO router would not be able to validate that!
> SHA1 is not supposed to be used for signatures anymore!!!
> 
> For the certificate, I am not sure what the issue might be. I guess
> that you already checked the validity period of the certificate.
> Another thing you might try to check is whether you forgot the
> OCSPSigning option in the extendedKeyUsage.
> 
> Cheers,
> Max

Hello,

I finally managed to install the new OpenCA 1.1.1 and OCSPd 2.1.0 and test
OCSP with Cisco devices.

Verified: by default OCSPd 2.1.0 doesn't work with Cisco because of sha256:

../VIEW_ROOT/cisco.comp/pki_ssl/src/ca/provider/revoke/ocsp/ocsp.c(2717)
: E_DIGEST_ALG_NOT_SUPPORTED : message digest algorithms not supported


But Max, my digestAlgorithm option is sha1:

<!-- Digest Algorithm to be used when building responses, currently
     the standard specifies SHA1 as the only supported algorithm -->
<pki:digestAlgorithm>sha1</pki:digestAlgorithm>


I also modified the OCSP Server extfile to generate the OCSP
certificate with sha1:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            f0:cc:8c:0c:2a:8c:26:86:e9:aa
    Signature Algorithm: sha1WithRSAEncryption


However, OCSPd is still using sha256 when signing the response:

[pki_ocsp_resp.c:357]::DEBUG::OCSP RESP SIGN TK::Using Algorithm
sha256WithRSAEncryption

Don't know how to workaround this.


Another thing: I was thinking about opening a Cisco TAC case about this
issue now, but this comment is in ocspd.conf:
<!-- Digest Algorithm to be used when building responses, currently
     the standard specifies SHA1 as the only supported algorithm -->

Is OCSP supposed to work with sha256 at all?

Regards,
Carlos Velasco
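
The thread runs three separate algorithm choices together: the hash inside the
CertID of the request (what ocspd's digestAlgorithm knob controls), the
signature algorithm on the responder's own certificate (the sha1WithRSAEncryption
in Carlos's dump), and the digest used to sign the response itself (the
sha256WithRSAEncryption the Cisco side rejects). The script below is an added
example written against the plain openssl(1) command line, not OCSPd or OpenCA
code and not anything from the original posts. It assumes OpenSSL 1.1.1 or 3.x
with its default openssl.cnf (for the CA profile); every key, certificate and
index row is throwaway test data it creates itself. It builds a SHA-1 CertID
request, answers it twice from the same sha1-signed responder certificate with
`-rmd sha1` and `-rmd sha256`, prints which digest each response was actually
signed with (the check to run on a response captured from any responder before
opening a TAC case), and verifies both responses as an RFC 6960 client would,
including the OCSPSigning EKU check Max mentioned.

```shell
#!/bin/sh
# Added example for this thread, written against openssl(1) (OpenSSL 1.1.1 or
# 3.x with its default openssl.cnf); it is not OCSPd or OpenCA code.
# It separates three algorithm choices that an OCSP exchange carries:
#   1. the hash inside the CertID of the request (ocspd's digestAlgorithm knob),
#   2. the signature algorithm on the responder's own certificate,
#   3. the digest used to sign the response (what the Cisco side rejected).
# Every key, certificate and index entry below is throwaway test data created
# on the fly; nothing is taken from a real deployment.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Build a test CA, a delegated OCSP responder certificate and one end-entity
# certificate, plus the one-line CA index that "openssl ocsp -index" consumes.
setup_pki() {
    # Self-signed CA; the default openssl.cnf v3_ca profile gives it CA:TRUE.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Test CA" -keyout ca.key -out ca.crt 2>/dev/null
    # Responder certificate signed with sha1WithRSAEncryption, as in Carlos's
    # dump, and carrying the OCSPSigning extendedKeyUsage Max asked about.
    printf 'keyUsage=digitalSignature\nextendedKeyUsage=OCSPSigning\n' > ocsp.ext
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test OCSP Responder" \
        -keyout ocsp.key -out ocsp.csr 2>/dev/null
    openssl x509 -req -sha1 -days 30 -in ocsp.csr -CA ca.crt -CAkey ca.key \
        -CAcreateserial -extfile ocsp.ext -out ocsp.crt 2>/dev/null
    # End-entity certificate whose status the request will ask about.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ee.example" \
        -keyout ee.key -out ee.csr 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in ee.csr -CA ca.crt -CAkey ca.key \
        -CAcreateserial -out ee.crt 2>/dev/null
    # index.txt row: status V(alid), expiry, empty revocation date, hex serial,
    # certificate file name, subject DN; only status and serial matter here.
    serial=$(openssl x509 -in ee.crt -noout -serial | cut -d= -f2)
    printf 'V\t991231235959Z\t\t%s\tunknown\t/CN=ee.example\n' "$serial" > index.txt
}

# Client side: a request whose CertID hashes the issuer name and key with
# SHA-1 (choice 1). -sha1 must precede -cert, which is when the id is built.
make_request() {
    openssl ocsp -sha1 -issuer ca.crt -cert ee.crt -no_nonce -reqout req.der >/dev/null
}

# Responder side: answer req.der offline from the index and sign the response
# with the digest named in $1 (choice 3), writing DER to $2. The digest is set
# here, not derived from ocsp.crt's sha1WithRSAEncryption signature (choice 2).
sign_response() {
    openssl ocsp -index index.txt -CA ca.crt -rsigner ocsp.crt -rkey ocsp.key \
        -rmd "$1" -reqin req.der -respout "$2" -noverify >/dev/null 2>&1
}

# Print the signature algorithm of a DER response; this is the check to run on
# a response captured from any responder, OCSPd included, before blaming the
# client. The response's own algorithm is printed before the embedded certs.
response_sig_alg() {
    openssl ocsp -respin "$1" -noverify -text 2>/dev/null |
        sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' | head -n 1
}

# Same check for a certificate file, e.g. the responder certificate.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' | head -n 1
}

# Verify a response the way an RFC 6960 client does: the signature, the chain
# from the responder certificate to ca.crt, and the delegated responder's
# OCSPSigning EKU. Prints "ok" or "failed".
verify_response() {
    out=$(openssl ocsp -no_nonce -CAfile ca.crt -issuer ca.crt -cert ee.crt \
        -respin "$1" 2>&1) || true
    case "$out" in
        *"Response verify OK"*) echo ok ;;
        *) echo failed ;;
    esac
}

setup_pki
make_request
sign_response sha1 resp_sha1.der
sign_response sha256 resp_sha256.der
echo "responder certificate signed with:  $(cert_sig_alg ocsp.crt)"
echo "response (-rmd sha1) signed with:   $(response_sig_alg resp_sha1.der), verify: $(verify_response resp_sha1.der)"
echo "response (-rmd sha256) signed with: $(response_sig_alg resp_sha256.der), verify: $(verify_response resp_sha256.der)"
```

Both responses come from the same sha1-signed responder certificate and the
same SHA-1 CertID, yet one is signed with sha1WithRSAEncryption and the other
with sha256WithRSAEncryption, and OpenSSL verifies both: the response digest is
a responder-side setting of its own. `response_sig_alg` applied to a response
saved from a live responder (for example with `openssl ocsp -url ... -respout`)
tells you which digest it really used, independently of what its configuration
file or its certificate says.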


_______________________________________________
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users
