Good evening,
On 14/01/2014 19:44, socket wrote:
Hey all, I am wondering if anyone here could point me in the right direction
or even assist with a problem I am having.
According to RFC 2560:
All definitive response messages SHALL be digitally signed. The key
used to sign the response MUST belong to one of the following:
-- the CA who issued the certificate in question
* -- a Trusted Responder whose public key is trusted by the requester*
-- a CA Designated Responder (Authorized Responder) who holds a
specially marked certificate issued directly by the CA, indicating
that the responder may issue OCSP responses for that CA
[...]
I am able to successfully validate cc1 and any other client certificates
issued from ia1. However, when I try to use cc2, I get the following error:
*SSL Library Error: error:27069070:OCSP routines:OCSP_basic_verify:root ca
not trusted*
Looking at a post in the past:
http://openssl.6102.n7.nabble.com/OCSP-basic-verify-root-ca-not-trusted-td24451.html
it seems that the RFC should allow me to explicitly declare a trusted
responder certificate for the client machine (in this case the client is the
httpd 2.4 server). However it doesn't seem that mod_ssl allows me to declare
this.
I would like to know:
Am I right in thinking I should be able to do this?
That's a strange question. You *want* to do this, so you have to find
software that allows this. If you randomly chose software that
doesn't, you may have a hard time explaining that this software
*should* allow this.
Who currently supports mod_ssl and how would I present a change request?
mod_ssl is part of Apache HTTP server, so it's fully maintained by the
Apache foundation, you should visit
http://projects.apache.org/projects/http_server.html
Does mod_ssl currently support this feature unbeknownst to me?
It seems it doesn't, but I only looked at the documentation, not the
source code.
if not, would anyone be willing to teach me how to modify mod_ssl to support
something like: *'SSLOCSPTrusted_responder
/etc/pki/tls/certs/trustedresponder.pem'*
You'll have to learn how Apache modules are coded, add a configuration
directive for mod_ssl, add a field in this module's config structure to
hold the VA file, and use whatever this field contains when OCSP
validation happens (that's where OpenSSL comes in).
Optionally, you may find it interesting to contribute your enhancement back
to Apache httpd; otherwise you'll have to apply your patch each time you want
to upgrade your httpd version for security reasons.
I bought "The Apache Modules Book", by Nick Kew, and found it helpful
for my projects. Working with OpenSSL since its very beginning helps a lot.
Other applications like openssl and corestreet desktop validation client
allow you to explicitly configure a trusted responder cert.
e.g.: openssl ocsp -CAfile rca2-issuer ia2 -cert cc2 -VAfile ocsp1 -url
http://rsp.domain.com:80
That means the PKI core (OpenSSL) is able to do what you're looking for.
That's a good start.
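As an added example (not code from this thread, from mod_ssl or from OpenSSL), here is the trust decision the thread is about, written against the Python `cryptography` library: a response signed by a responder that is neither the issuing CA nor CA-designated is rejected, exactly as mod_ssl does, unless the relying party explicitly trusts that responder, which is what `-VAfile` supplies to `openssl ocsp`. The certificate names (ia2, cc2, ocsp1, rca2) are constructed to mirror the command in the post, and the chain-building step that OpenSSL performs for a CA-designated responder is left out.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

NOW = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)

def make_cert(cn, key, issuer_cert=None, issuer_key=None):
    """Minimal test certificate (constructed); self-signed when no issuer is given."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    issuer = issuer_cert.subject if issuer_cert else subject
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - datetime.timedelta(days=1))
            .not_valid_after(NOW + datetime.timedelta(days=1))
            .sign(issuer_key or key, hashes.SHA256()))

# Constructed PKI mirroring the post: ia2 issues cc2; ocsp1 is a responder
# under an unrelated root rca2, so it is neither the issuer nor CA-designated.
ia2_key, ocsp1_key, cc2_key, rca2_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(4))
ia2 = make_cert("ia2", ia2_key)
rca2 = make_cert("rca2", rca2_key)
ocsp1 = make_cert("ocsp1", ocsp1_key, rca2, rca2_key)
cc2 = make_cert("cc2", cc2_key, ia2, ia2_key)

def make_response(cert, issuer, signer_cert, signer_key):
    """Build a GOOD response for `cert`, signed by `signer_key` and naming the signer by subject."""
    builder = (ocsp.OCSPResponseBuilder()
               .add_response(cert=cert, issuer=issuer, algorithm=hashes.SHA1(),
                             cert_status=ocsp.OCSPCertStatus.GOOD, this_update=NOW,
                             next_update=None, revocation_time=None, revocation_reason=None)
               .responder_id(ocsp.OCSPResponderEncoding.NAME, signer_cert))
    return builder.sign(signer_key, hashes.SHA256())

def verify_basic(response, issuer_cert, trusted_responders=()):
    """Accept the signature if it comes from the issuing CA or from an explicitly
    trusted responder (the -VAfile case); return which one matched, else None."""
    if response.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return None
    candidates = [("issuer", issuer_cert)] + [("trusted-responder", c) for c in trusted_responders]
    for label, cert in candidates:
        if response.responder_name != cert.subject:
            continue  # responderID does not name this certificate
        try:
            cert.public_key().verify(response.signature, response.tbs_response_bytes,
                                     ec.ECDSA(response.signature_hash_algorithm))
            return label
        except InvalidSignature:
            continue
    return None  # no acceptable signer: what mod_ssl reports as "root ca not trusted"
```

Running `verify_basic(make_response(cc2, ia2, ocsp1, ocsp1_key), ia2)` returns None, and passing `[ocsp1]` as the trusted responders returns "trusted-responder".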