Dear list,

another problem with the OCSP-handling in Apache/mod_ssl:

[Tue Jul 28 14:27:12 2009] [error] SSL Library Error: error:27069070:OCSP routines:OCSP_basic_verify:root ca not trusted
[Tue Jul 28 14:27:12 2009] [error] failed to verify the OCSP response!

Now, of course this could be just correct and there could be an error with the 
certificate store etc. But we get this error when a client authenticates using 
certificate "b3", which is issued by "CA3", and the OCSP request is sent to 
"ocsp3". "CA3" is trusted by Apache and is also present and symlinked in 
/etc/ssl/certs.

If the client authenticates using cert "b2", which is issued by "CA2", and the 
responder is "ocsp2", everything is fine. "CA2" is trusted in the same way as 
"CA3".

If the client authenticates using cert "b1", which is issued by "CA1", and the 
responder is "ocsp1", everything is fine. "CA1" is trusted in the same way as 
"CA2" and "CA3".

To verify the OCSP handling, we execute the requests manually:

openssl ocsp -issuer CA1 -serial <serial of b1> -uri ocsp1... --> GOOD, verify OK.

openssl ocsp -issuer CA2 -serial <serial of b2> -uri ocsp2... --> GOOD, verify OK.

openssl ocsp -issuer CA3 -serial <serial of b3> -uri ocsp3... --> GOOD, verify FAIL.

openssl ocsp -issuer CA1 -serial <serial of b3> -uri ocsp3... --> GOOD, verify OK!

So obviously the OCSP signer certificate of ocsp3 has been issued by CA1 (which 
we found in the OCSP response itself, of course).

What we have not figured out so far: how is the issuer certificate chosen, in the 
library functions (i.e. when Apache calls the OCSP verify functions), against which 
the OCSP signer certificate is validated? What might be needed here to get 
OpenSSL to validate against the correct issuer certificate?

Kind regards
 Natanael Mignon

IT services: consulting | planning | implementation | operation
__________________________________________________________________________
michael-wessel.de  Informationstechnologie GmbH
Krausenstraße 50
30171 Hannover
Germany
phone      (+49) 511 260 911-0 (ext. -13)
fax        (+49) 511 318 039-9
e-mail     n...@michael-wessel.de
web        www.michael-wessel.de
Please always send important e-mails to serv...@michael-wessel.de as well, to 
make sure they are handled promptly.

Managing Director: Michael Wessel, Dipl. Phys.
Amtsgericht Hannover (District Court of Hanover)
HR B 59031
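Added example, not from the original message: a throwaway PKI, built with the openssl command line only, that reproduces the failure (responder certificate issued by CA1, client certificate b3 issued by CA3) and contrasts it with the two arrangements OpenSSL accepts, because OCSP_basic_verify does not pick an issuer to check against but builds the signer's chain from the trust store and then requires the signer to be the issuing CA itself, a delegated responder certificate issued by that CA with the OCSPSigning extended key usage, or a chain whose root is explicitly trusted for OCSP signing. All names, serial numbers, the index entry and the -VAfile workaround are constructed assumptions for this script (which assumes openssl 1.1.1 or later), not the poster's setup.

```shell
#!/bin/sh
# Constructed, offline reproduction of "OCSP_basic_verify:root ca not trusted":
# the responder certificate for CA3's clients was issued by a different root, CA1.
set -e
PKI=$(mktemp -d)

mkroot() {   # self-signed root CA $1 (assumes the default req config adds CA:TRUE)
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=$1" -days 30 \
    -keyout "$PKI/$1.key" -out "$PKI/$1.crt" 2>/dev/null
}
issue() {    # certificate $1 issued by CA $2 with serial $3 and one extension line $4
  printf '%s\n' "$4" > "$PKI/$1.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$PKI/$1.key" -out "$PKI/$1.csr" 2>/dev/null
  openssl x509 -req -in "$PKI/$1.csr" -CA "$PKI/$2.crt" -CAkey "$PKI/$2.key" \
    -set_serial "$3" -days 30 -extfile "$PKI/$1.ext" -out "$PKI/$1.crt" 2>/dev/null
}
setup_pki() {
  mkroot CA1; mkroot CA3
  issue b3      CA3 0x1000 'basicConstraints=CA:FALSE'     # the client certificate
  issue ocsp3   CA1 0x2000 'extendedKeyUsage=OCSPSigning'  # responder cert from the WRONG CA
  issue ocsp3ok CA3 0x3000 'extendedKeyUsage=OCSPSigning'  # proper delegated responder under CA3
  cat "$PKI/CA1.crt" "$PKI/CA3.crt" > "$PKI/roots.pem"     # what the verifying side trusts
  # Constructed CA database row: b3 (serial 0x1000) is valid ("V"), so the answer is "good".
  printf 'V\t491231235959Z\t\t1000\tunknown\t/CN=b3\n' > "$PKI/index.txt"
}
# File-based responder (no network): answer the request for b3, signing with cert/key $1.
respond() {
  openssl ocsp -index "$PKI/index.txt" -CA "$PKI/CA3.crt" -rsigner "$PKI/$1.crt" \
    -rkey "$PKI/$1.key" -rmd sha256 -issuer "$PKI/CA3.crt" -cert "$PKI/b3.crt" \
    -no_nonce -noverify -respout "$PKI/resp_$1.der" >/dev/null 2>&1
}
# Client-side check of response $1 with only the two roots trusted (extra options in $2);
# prints OpenSSL's verdict and, on failure, the library's reason on one line.
verdict() {
  openssl ocsp -respin "$PKI/resp_$1.der" -issuer "$PKI/CA3.crt" -cert "$PKI/b3.crt" \
    -no_nonce -CAfile "$PKI/roots.pem" $2 2>&1 |
    grep -oE 'Response verify OK|Response Verify Failure|root ca not trusted' | tr '\n' ' '
}

setup_pki; respond ocsp3; respond ocsp3ok
echo "signer under CA1, roots only:        $(verdict ocsp3)"
echo "signer under CA1, -VAfile ocsp3.crt:  $(verdict ocsp3 "-VAfile $PKI/ocsp3.crt")"
echo "delegated signer under CA3:           $(verdict ocsp3ok)"
```

The first line reproduces the mod_ssl error exactly; the second shows the response accepted once the responder certificate is trusted explicitly (the alternative is a root marked trusted for OCSPSigning), and the third needs no extra trust because the signer chains to CA3 itself.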
