> Hi Joachim,
>
> there should be an option in etc/ocspd/ocspd.xml file. In particular
> search for the digestAlgorithm option. Is that sha1? If that is the
> case and you needed to change the code in libpki, then there's an
> error there that I need to fix.
>
> Just to summarize: you are using an RSA+SHA256 certificate as the OCSP
> responder's certificate?
>
> If that is the case, the hash algorithm used for signatures (not the
> OCSP hashing algorithm) when signing the response is taken from the
> server's certificate - that might be the cause for the sha256. I don't
> understand why the CISCO router would not be able to validate that!
> SHA1 is not supposed to be used for signatures anymore!!!
>
> For the certificate, I am not sure what the issue might be. I guess
> that you already checked the validity period of the certificate.
> Another thing you might check is whether you forgot the OCSPSigning
> option in the extendedKeyUsage.
>
> Cheers,
> Max
Hello,

I finally managed to install the new OpenCA 1.1.1 and OCSPd 2.1.0 and test OCSP with Cisco devices.

Verified: by default OCSPd 2.1.0 doesn't work with Cisco because of sha256:

../VIEW_ROOT/cisco.comp/pki_ssl/src/ca/provider/revoke/ocsp/ocsp.c(2717) : E_DIGEST_ALG_NOT_SUPPORTED : message digest algorithms not supported

But Max, my digestAlgorithm option is sha1:

<!-- Digest Algorithm to be used when building responses, currently the standard specifies SHA1 as the only supported algorithm -->
<pki:digestAlgorithm>sha1</pki:digestAlgorithm>

And also I modified the OCSP server extfile to generate the OCSP certificate with sha1:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            f0:cc:8c:0c:2a:8c:26:86:e9:aa
    Signature Algorithm: sha1WithRSAEncryption

However OCSPd is still using sha256 when signing the response:

[pki_ocsp_resp.c:357]::DEBUG::OCSP RESP SIGN TK::Using Algorithm sha256WithRSAEncryption

I don't know how to work around this.

Another thing: I was thinking about opening a Cisco TAC case now about this issue, but this comment is in the ocspd.conf:

<!-- Digest Algorithm to be used when building responses, currently the standard specifies SHA1 as the only supported algorithm -->

Is OCSP supposed to work with sha256 at all?

Regards,
Carlos Velasco
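Added example, not code from the thread, OpenCA or OCSPd: a small pure-Python DER walker that reads BasicOCSPResponse.signatureAlgorithm out of a DER-encoded OCSP response (the same field the "Using Algorithm sha256WithRSAEncryption" debug line reports), so a captured response shows what the responder really signs with, independent of the digestAlgorithm setting. The sample responses are constructed inside the block with dummy tbsResponseData and signature bytes; all helper names and the OID table are the example's own.

```python
SIG_ALG_NAMES = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption", "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}

def read_tlv(buf, pos=0):
    """Decode one DER TLV at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length (real responses need it)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(buf):   # top-level TLVs of a constructed value -> [(tag, value), ...]
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        out.append((tag, val))
    return out

def decode_oid(body):   # OBJECT IDENTIFIER content octets -> dotted string
    arcs, cur = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, cur = arcs + [cur], 0
    return ".".join(map(str, arcs))

def response_signature_algorithm(der):
    """(OID, name) of BasicOCSPResponse.signatureAlgorithm; None unless responseStatus is successful(0)."""
    parts = children(read_tlv(der)[1])                   # OCSPResponse ::= SEQUENCE { responseStatus, responseBytes [0] }
    if parts[0] != (0x0A, b"\x00"):                      # ENUMERATED successful(0); error responses carry no responseBytes
        return None
    resp_type, response = children(children(parts[1][1])[0][1])  # ResponseBytes { responseType OID, response OCTET STRING }
    if decode_oid(resp_type[1]) != "1.3.6.1.5.5.7.48.1.1":       # id-pkix-ocsp-basic
        raise ValueError("not a BasicOCSPResponse")
    basic = children(response[1])[0][1]                  # OCTET STRING wraps the BasicOCSPResponse SEQUENCE
    sig_alg = children(basic)[1]                         # { tbsResponseData, signatureAlgorithm, signature, certs [0] }
    oid = decode_oid(children(sig_alg[1])[0][1])         # AlgorithmIdentifier { algorithm OID, parameters }
    return oid, SIG_ALG_NAMES.get(oid, "unknown")

# Constructed sample input (hypothetical): a minimal DER encoder and two dummy responses, each under 128 bytes.
def tlv(tag, body):
    return bytes([tag, len(body)]) + body                # short-form length only; enough for the samples
OID_DER = {"sha1WithRSAEncryption": bytes.fromhex("2a864886f70d010105"),
           "sha256WithRSAEncryption": bytes.fromhex("2a864886f70d01010b"),
           "id-pkix-ocsp-basic": bytes.fromhex("2b0601050507300101")}
def build_sample_response(sig_alg):
    """OCSPResponse claiming sig_alg, with dummy tbsResponseData and signature bits."""
    alg_id = tlv(0x30, tlv(0x06, OID_DER[sig_alg]) + b"\x05\x00")    # AlgorithmIdentifier with NULL params
    basic = tlv(0x30, tlv(0x30, tlv(0x02, b"\x01")) + alg_id + tlv(0x03, b"\x00" + b"\xAA" * 8))
    resp_bytes = tlv(0x30, tlv(0x06, OID_DER["id-pkix-ocsp-basic"]) + tlv(0x04, basic))
    return tlv(0x30, tlv(0x0A, b"\x00") + tlv(0xA0, resp_bytes))
```

Run response_signature_algorithm() on the raw bytes of a response captured from the responder; a result of sha256WithRSAEncryption with digestAlgorithm set to sha1 confirms that the signing hash does not come from that option.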