Dear list,

regarding the same project as my last question, we are many steps further by 
now.

The situation is as follows: Apache with mod_proxy and mod_ssl authenticates the client 
by certificate, including an online OCSP request. The OCSP URI is correct and a response is 
received, but then:

[Fri Jul 03 12:37:27 2009] [debug] ssl_util_ocsp.c(104): [client 172.30.64.154] sending request to OCSP responder
[Fri Jul 03 12:37:27 2009] [debug] ssl_util_ocsp.c(208): [client 172.30.64.154] OCSP response header: Date: Fri, 03 Jul 2009 11:37:54 GMT
[Fri Jul 03 12:37:27 2009] [debug] ssl_util_ocsp.c(208): [client 172.30.64.154] OCSP response header: content-type: application/ocsp-response
[Fri Jul 03 12:37:27 2009] [debug] ssl_util_ocsp.c(208): [client 172.30.64.154] OCSP response header: content-length: 1212
[Fri Jul 03 12:37:27 2009] [debug] ssl_util_ocsp.c(208): [client 172.30.64.154] OCSP response header: Connection: close
[Fri Jul 03 12:37:27 2009] [debug] ssl_util_ocsp.c(234): [client 172.30.64.154] OCSP response: got EOF
[Fri Jul 03 12:37:27 2009] [error] SSL Library Error: error:0D06B08E:asn1 encoding routines:ASN1_D2I_READ_BIO:not enough data
[Fri Jul 03 12:37:27 2009] [error] [client 172.30.64.154] failed to decode OCSP response data

I have traced the failing call so far:

Apache ssl_util_ocsp.c:

response = d2i_OCSP_RESPONSE_bio(bio, NULL);

if (response == NULL) {
        ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
        ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
                      "failed to decode OCSP response data");
}

OpenSSL 0.9.8d crypto/ocsp/ocsp.h:

#define d2i_OCSP_RESPONSE_bio(bp,p) \
        ASN1_d2i_bio_of(OCSP_RESPONSE,OCSP_RESPONSE_new,d2i_OCSP_RESPONSE,bp,p)

Here I am really lost. What data is required to decode the response, and what could 
be missing? My first idea is corrupt certificates, which also sounds reasonable, 
because with a different client certificate issued by a different CA, and 
therefore validated against a different OCSP responder, everything works okay. 
But which certificates are required for decoding the response data here? The 
OCSP responder's signing certificate?


Any help is highly appreciated, thanks in advance!

Kind regards
Natanael Mignon

IT - consulting | planning | implementation | operation
__________________________________________________________________________
michael-wessel.de Informationstechnologie GmbH
Krausenstraße 50
30171 Hannover
Germany

phone  (+49) 511 260 911-0 (ext. -13)
fax    (+49) 511 318 039-9
e-mail n...@michael-wessel.de
web    www.michael-wessel.de

Managing Director: Michael Wessel, Dipl. Phys.
Hannover District Court
Commercial register: HR B 59031

All product and company names may be registered trademarks and/or brand names of 
their respective manufacturers.
Offers are non-binding; errors and misprints excepted.
Delivery subject to our own suppliers delivering in sufficient quantity.
© 2009 michael-wessel.de
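The "not enough data" error in the log above is what OpenSSL reports when the DER header of the OCSPResponse promises more bytes than the BIO delivers before EOF. The following diagnostic is an added example, not code from the mail, from Apache, or from OpenSSL: it reads the outer DER SEQUENCE header of a received response body and compares the length it announces with the number of bytes that actually arrived and with the Content-Length the responder sent. The two sample buffers are constructed for the example; the 1212-byte figure is taken from the log, and the assumption that the full DER length would equal that Content-Length is mine.

```c
/* Added diagnostic example (not from the original mail, Apache or OpenSSL):
 * check whether an HTTP body received from an OCSP responder holds a complete
 * DER-encoded OCSPResponse, i.e. whether the outer SEQUENCE length agrees with
 * the number of bytes actually received. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef enum {
    DER_OK = 0,      /* outer TLV is exactly the bytes received */
    DER_TRUNCATED,   /* header promises more bytes than were received */
    DER_TRAILING,    /* bytes left over after the outer TLV */
    DER_MALFORMED    /* not a SEQUENCE, or a length form DER does not allow */
} der_status;

const char *der_status_str(der_status s)
{
    switch (s) {
    case DER_OK:        return "complete";
    case DER_TRUNCATED: return "truncated (not enough data)";
    case DER_TRAILING:  return "trailing garbage";
    default:            return "malformed";
    }
}

/* Parse the outer DER header of buf[0..len) and store the number of bytes the
 * encoding claims to occupy (header + content) in *expected_total. */
der_status der_outer_check(const unsigned char *buf, size_t len, size_t *expected_total)
{
    size_t hdr, content = 0;

    *expected_total = 0;
    if (len < 2 || buf[0] != 0x30)        /* OCSPResponse ::= SEQUENCE { ... } */
        return DER_MALFORMED;

    if (buf[1] < 0x80) {                  /* short form: one length byte */
        content = buf[1];
        hdr = 2;
    } else {
        size_t n = buf[1] & 0x7f;         /* long form: n following length bytes */
        size_t i;
        if (n == 0 || n > sizeof(size_t)) /* indefinite length is BER, not DER */
            return DER_MALFORMED;
        if (len < 2 + n)                  /* cut off inside the header itself */
            return DER_TRUNCATED;
        for (i = 0; i < n; i++)
            content = (content << 8) | buf[2 + i];
        hdr = 2 + n;
    }

    *expected_total = hdr + content;
    if (*expected_total > len) return DER_TRUNCATED;
    if (*expected_total < len) return DER_TRAILING;
    return DER_OK;
}

/* Convenience wrappers returning one value each. */
der_status der_verdict(const unsigned char *buf, size_t len)
{
    size_t t;
    return der_outer_check(buf, len, &t);
}

size_t der_expected_total(const unsigned char *buf, size_t len)
{
    size_t t;
    der_outer_check(buf, len, &t);
    return t;
}

/* Constructed sample 1: a complete minimal OCSPResponse with
 * responseStatus = unauthorized(6) and no responseBytes (5 bytes). */
static const unsigned char sample_complete[] = { 0x30, 0x03, 0x0a, 0x01, 0x06 };

/* Constructed sample 2: a long-form header announcing 1208 content bytes
 * (1212 bytes in total, the Content-Length from the log), but only 200 bytes
 * arrived before EOF. The content bytes are zero filler, not a real response. */
static unsigned char sample_truncated[200];
static const size_t sample_truncated_len = sizeof(sample_truncated);

void build_truncated_sample(void)
{
    memset(sample_truncated, 0, sizeof(sample_truncated));
    sample_truncated[0] = 0x30;
    sample_truncated[1] = 0x82;           /* two length bytes follow */
    sample_truncated[2] = 0x04;
    sample_truncated[3] = 0xb8;           /* 0x04b8 = 1208 */
}

/* Print what the HTTP layer announced, what was read and what DER expects. */
der_status ocsp_body_diagnose(size_t content_length, const unsigned char *body, size_t received)
{
    size_t want;
    der_status st = der_outer_check(body, received, &want);
    printf("Content-Length: %zu, received: %zu, DER expects: %zu -> %s\n",
           content_length, received, want, der_status_str(st));
    return st;
}

int main(void)
{
    build_truncated_sample();
    ocsp_body_diagnose(sizeof(sample_complete), sample_complete, sizeof(sample_complete));
    ocsp_body_diagnose(1212, sample_truncated, sample_truncated_len);
    return 0;
}
```

Run against a body dumped from the proxy (for example with a packet capture or by fetching the responder URL with the same request), the three numbers separate the cases: if the DER total matches Content-Length but fewer bytes were received, something between Apache and the responder closed the connection early; if Content-Length itself is smaller than the DER total, the responder is sending a truncated body. Certificates play no role at this stage: d2i_OCSP_RESPONSE_bio only decodes ASN.1, and the responder's signing certificate is not needed until the response is verified afterwards.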