Dear list, regarding the same project as my last question, we are many steps further by now.
Situation is as follows: Apache with mod_proxy and mod_ssl authenticates Client by certificate including online OCSP request. OCSP uri is correct, response is received, but then: [Fri Jul 03 12:37:27 2009] [debug] ssl_util_ocsp.c(104): [client 172.30.64.154] sending request to OCSP responder [Fri Jul 03 12:37:27 2009] [debug] ssl_util_ocsp.c(208): [client 172.30.64.154] OCSP response header: Date: Fri, 03 Jul 2009 11:37:54 GMT [Fri Jul 03 12:37:27 2009] [debug] ssl_util_ocsp.c(208): [client 172.30.64.154] OCSP response header: content-type: application/ocsp-response [Fri Jul 03 12:37:27 2009] [debug] ssl_util_ocsp.c(208): [client 172.30.64.154] OCSP response header: content-length: 1212 [Fri Jul 03 12:37:27 2009] [debug] ssl_util_ocsp.c(208): [client 172.30.64.154] OCSP response header: Connection: close [Fri Jul 03 12:37:27 2009] [debug] ssl_util_ocsp.c(234): [client 172.30.64.154] OCSP response: got EOF [Fri Jul 03 12:37:27 2009] [error] SSL Library Error: error:0D06B08E:asn1 encoding routines:ASN1_D2I_READ_BIO:not enough data [Fri Jul 03 12:37:27 2009] [error] [client 172.30.64.154] failed to decode OCSP response data I have traced the failing call so far: Apache ssl_util_ocsp.c: response = d2i_OCSP_RESPONSE_bio(bio, NULL); if (response == NULL) { ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server); ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, "failed to decode OCSP response data"); } OpenSSL 0.9.8d crypto/ocsp/ocsp.h: #define d2i_OCSP_RESPONSE_bio(bp,p) ASN1_d2i_bio_of(OCSP_RESPONSE,OCSP_RESPONSE_new,d2i_OCSP_RESPONSE,bp,p) Here I am really lost. What data is required to decode the response, what could be missing? First ideas are corrupt certificates - sounds reasonable also, because with a different client certificate issued by a different CA and therefore validated against a different OCSP responder everything works okay. But what certificates are required for decoding the response data here? The OCSP responder's signing certificate? Any help is highly appreciated, thanks in advance! Mit freundlichen Grüßen / Kind regards Natanael Mignon IT - beraten | planen | umsetzen | betreiben __________________________________________________________________________ michael-wessel.de Informationstechnologie GmbH Krausenstraße 50 30171 Hannover Germany fon (+49) 511 260 911-0 (DW -13) fax (+49) 511 318 039-9 eMail n...@michael-wessel.de web www.michael-wessel.de Geschäftsführer: Michael Wessel Dipl. Phys. Amtsgericht Hannover HR B 59031 Alle Produktnamen und Firmennamen sind ggfs. eingetragene Warenzeichen und/oder Markennamen der jeweiligen Hersteller. Angebote freibleibend, Irrtümer und Druckfehler vorbehalten. Lieferung vorbehaltlich ausreichender Selbstbelieferung. © 2009 michael-wessel.de ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org