I am using OCSP software which pre-signs all certificate information.
Therefore, if a nonce check is requested, my responders are not able to
provide the nonce back.
Knowing this I grabbed apache 2.4.4 from source and modified
"/usr/local/src/httpd-2.4.4/modules/ssl/ssl_engine_ocsp.c"
I commented out the following function:
    if (rc == V_OCSP_CERTSTATUS_GOOD) {
        if (OCSP_check_nonce(request, basicResponse) != 1) {
            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01924)
                         "Bad OCSP responder answer (bad nonce)");
            rc = V_OCSP_CERTSTATUS_UNKNOWN;
        }
    }
and I feel that it successfully resolved that problem.
The current issue I have is that my apache logs still say:
[ssl:error] [pid 24782:tid 140511052035840] AH01925: failed to verify the OCSP response
[ssl:error] [pid 24782:tid 140511052035840] SSL Library Error: error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error (Verify error:unable to get local issuer certificate
I was able to resolve this by commenting out the following function:
    if (rc == V_OCSP_CERTSTATUS_GOOD) {
        /* TODO: allow flags configuration. */
        if (OCSP_basic_verify(basicResponse, NULL, ctx->ctx, 0) != 1) {
            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01925)
                         "failed to verify the OCSP response");
            ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
            rc = V_OCSP_CERTSTATUS_UNKNOWN;
        }
    }
I don't fully understand why it works. Can anyone here comment on what risks
I am taking by making these 2 modifications, or comment on a better solution
to allow apache 2.4.4 to work with my OCSP system.
--
View this message in context:
http://openssl.6102.n7.nabble.com/OCSP-basic-verify-tp44881.html
Sent from the OpenSSL - Dev mailing list archive at Nabble.com.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]
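An added example, not code from the original post, from httpd or from OpenSSL: it reproduces both checks the post comments out (OCSP_check_nonce and OCSP_basic_verify) with the openssl command-line tool, so the effect of each deletion can be seen on real DER rather than in C. It assumes openssl 1.1.1 or later on PATH and a POSIX sh; the CA, server and responder names, the serials, the index entry and all file names are made up for the demonstration.

```shell
#!/bin/sh
# Added example; not code from the original post, httpd or OpenSSL. Builds a
# throwaway PKI (names and serials are invented) and then runs the same two
# checks mod_ssl 2.4.4 runs, as the openssl CLI reports them.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the CA is CA:TRUE regardless of the system openssl.cnf.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -sha256 -days 1 \
    -keyout ca.key -out ca.crt >/dev/null 2>&1
# End-entity certificate the client asks about (serial 0x1001, invented).
openssl req -new -config ca.cnf -subj "/CN=server.example" -newkey rsa:2048 -nodes \
    -keyout server.key -out server.csr >/dev/null 2>&1
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -set_serial 0x1001 \
    -days 1 -out server.crt >/dev/null 2>&1
# Delegated OCSP signer issued by the CA. extendedKeyUsage=OCSPSigning is what
# OCSP_basic_verify demands of a non-CA key that signs responses.
openssl req -new -config ca.cnf -subj "/CN=Test OCSP Responder" -newkey rsa:2048 -nodes \
    -keyout ocsp.key -out ocsp.csr >/dev/null 2>&1
printf 'extendedKeyUsage=OCSPSigning\n' > ocsp.ext
openssl x509 -req -in ocsp.csr -CA ca.crt -CAkey ca.key -set_serial 0x2001 \
    -days 1 -extfile ocsp.ext -out ocsp.crt >/dev/null 2>&1
# "openssl ca" style index the responder reads: status, expiry, revoked, serial, file, subject.
printf 'V\t491231235959Z\t\t1001\tunknown\t/CN=server.example\n' > index.txt

# $1 is -nonce or -no_nonce, $2 the DER request to write. openssl may exit
# non-zero after writing a request it has nowhere to send, hence the || true.
make_request() {
    openssl ocsp -issuer ca.crt -cert server.crt "$1" -reqout "$2" >/dev/null 2>&1 || true
}
# Answer a request offline with the delegated signer. A nonce is echoed only if
# the request carried one, so answering a nonce-free request gives the kind of
# response a pre-signing responder hands out.
sign_response() {
    openssl ocsp -index index.txt -CA ca.crt -rsigner ocsp.crt -rkey ocsp.key \
        -no_nonce -reqin "$1" -respout "$2" >/dev/null 2>&1
}
# Verify as a client would; returns openssl's transcript, never aborts the script.
verify_response() {
    vr_req=$1; vr_resp=$2; shift 2
    openssl ocsp -no_nonce -reqin "$vr_req" -respin "$vr_resp" "$@" 2>&1 || true
}
# Map a transcript onto what mod_ssl's two checks would see.
classify() {
    if echo "$1" | grep -q 'Nonce Verify error'; then echo nonce-mismatch     # OCSP_check_nonce == 0
    elif echo "$1" | grep -q 'no nonce in response'; then echo nonce-missing  # OCSP_check_nonce == -1
    elif echo "$1" | grep -q 'unable to get local issuer certificate'; then echo issuer-unknown
    elif echo "$1" | grep -q 'Response verify OK'; then echo verified
    else echo other
    fi
}

make_request -nonce req_nonce.der
make_request -nonce req_nonce2.der              # a second client's fresh nonce
make_request -no_nonce req_plain.der
sign_response req_plain.der resp_presigned.der  # no nonce, like the poster's responder
sign_response req_nonce.der resp_live.der       # nonce echoed back

# 1. Pre-signed answer to a nonce-bearing request: -1, which "!= 1" logs as "bad nonce".
presigned_vs_nonce()    { classify "$(verify_response req_nonce.der  resp_presigned.der -CAfile ca.crt)"; }
# 2. A live answer replayed against another request's nonce: 0, the case the check exists for.
replayed_vs_new_nonce() { classify "$(verify_response req_nonce2.der resp_live.der      -CAfile ca.crt)"; }
# 3. The poster's OCSP_basic_verify error: nothing in the trust store chains the signer.
no_trust_anchor()       { classify "$(verify_response req_plain.der  resp_presigned.der)"; }
# 4. The non-patch fixes: trust the CA that issued the signer, or pin the signer itself.
with_ca()               { classify "$(verify_response req_plain.der  resp_presigned.der -CAfile ca.crt)"; }
with_pinned_signer()    { classify "$(verify_response req_plain.der  resp_presigned.der -VAfile ocsp.crt)"; }
# What the responder actually asserted, read with verification switched off.
cert_status() { openssl ocsp -respin resp_presigned.der -text -noverify 2>/dev/null | grep -o 'Cert Status: [a-z]*'; }

for s in presigned_vs_nonce replayed_vs_new_nonce no_trust_anchor with_ca with_pinned_signer; do
    printf '%-22s %s\n' "$s" "$($s)"
done
cert_status
```

OCSP_check_nonce() returns -1 when the request carried a nonce and the response did not, and 0 when both carry one and they differ; the `!= 1` test in httpd 2.4.4 folds the two together, and deleting it drops both, so a captured "good" answer can be replayed for as long as its validity window lasts. The second error is a trust-store question: mod_ssl hands OCSP_basic_verify() the X509_STORE used for client-certificate verification, so the CA that issued the responder's signing certificate has to be reachable from SSLCACertificateFile or SSLCACertificatePath, which is what `-CAfile ca.crt` stands in for above; `-VAfile ocsp.crt` is the CLI form of trusting the responder certificate directly. Deleting OCSP_basic_verify() instead means a response with a forged signature, or one signed by anyone at all, is accepted. Later httpd releases expose exactly these knobs without patching: SSLOCSPUseRequestNonce off (2.4.10 and later) for responders that cannot echo nonces, and SSLOCSPResponderCertificateFile and SSLOCSPNoVerify (2.4.26 and later).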