Hummm, thanks for catching this.... this is not good news for us

I don't believe anyone on this CA will care for this, but I will try anyway.

Regards
Luis

> From: ppatter...@carillonis.com
> To: openssl-users@openssl.org
> Subject: Re: OCSP_basic_verify:certificate verify error (Verify error:unable to get local issuer certificate)
> Date: Fri, 16 Jul 2010 14:27:05 -0400
> 
> Hi Luis:
> 
> See reply inline:
> 
> On July 16, 2010 11:05:46 am Luis Neves wrote:
> <snip>
> > 
> > Besides this, why do I have to force httpd.conf with a SSLOCSPDefaultResponder
> > directive? Shouldn't the mod_ssl code discover the responder address
> > automatically from the client certificate itself?
> > 
> 
> From your other mail:
> openssl x509 -in /home/oracle/lneves.pem -noout -text
> <snip a bunch of certificate contents stuff>
> >            2.5.29.46: 
> >               0h0f.d.b.`http://pki.cartaodecidadao.pt/publico/lrc/cc_sub-
> >ec_cidadao_autenticacao_crl0003_delta_p0005.crl
> >            Authority Information Access: 
> >                OCSP - URI:http://ocsp.auc.cartaodecidadao.pt/publico/ocsp
> 
> The part that catches my eye is the incorrect decoding for 
> authorityInfoAccess. First of all, 2.5.29.46 is NOT AIA, but according to:
> 
> http://www.alvestrand.no/objectid/2.5.29.46.html
> 
> It is "Freshest CRL". This is NOT the OID for AIA, thus the application
> should NOT be able to find the OCSP information. Fix the CA that generated
> this certificate to generate correct PKIX RFC5280 certificates, and at least
> part of your problem should go away.
> 
> Have fun.
> 
> -- 
> Patrick Patterson
> President and Chief PKI Architect,
> Carillon Information Security Inc.
> http://www.carillon.ca