Hi everyone,

I got stuck with OCSP configuration between PacketFence and Microsoft PKI. It 
seems to be a known issue which was discussed before (but with no solution 
provided), and I would highly appreciate any community assistance:
https://www.mail-archive.com/search?l=packetfence-users%40lists.sourceforge.net&q=OSCP+not+functioning+to+MS+PKI&submit.x=0&submit.y=0
I have the same messages in the radius logging on the PacketFence side.

So, when I enabled OCSP verification on PacketFence, authentication for each 
EAP TLS attempt was rejected with the following reason:
Reason eap_tls: ocsp: Couldn't verify OCSP basic response

I believe the problem is related to the issuer certificate chain which 
PacketFence uses for OCSP requests. Here's what I found during my 
troubleshooting with the OpenSSL utility.
When I use the SubCA public certificate for the OCSP request, I get an answer for 
certificate verification:
root@packetfence1:~# openssl ocsp -issuer chain.pem -cert L-0060.pem -text -url http://wss12-mssca01.domain.lu/OCSP
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 0B3DA617D000A7D825136DE0A70B7B7BCBEB4290
          Issuer Key Hash: 11C156C66A70F293C00FB31606BEC14D08F7DE17
          Serial Number: 1B000000F0156DB6DE7BA445290000000000F0
    Request Extensions:
        OCSP Nonce:
            041005E25E6AC97612EC5C4BB7F773270494
Responder Error: unauthorized (6)

When I use the full chain for the OCSP request, I get an unauthorised response:
root@packetfence1:~# openssl ocsp -issuer SubCA.pem -cert L-0060.pem -text -url http://wss12-mssca01.domain.lu/OCSP
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 0B3DA617D000A7D825136DE0A70B7B7BCBEB4290
          Issuer Key Hash: AC797F76A888497C02E83E5B58529830D314C033
          Serial Number: 1B000000F0156DB6DE7BA445290000000000F0
    Request Extensions:
        OCSP Nonce:
            0410BAF1E6A39CA4AF9ECFCE9EF17BB5FEDC
OCSP Response Data:
    OCSP Response Status: successful (0x0)
-----------output was omitted-----------
-----END CERTIFICATE-----
Response verify OK
LISER-L-0060.pem: good
        This Update: Feb 16 13:56:02 2024 GMT
        Next Update: Jun 17 12:40:20 2024 GMT


The Microsoft PKI infrastructure is a pretty common one: the RootCA is turned off, 
the SubCA is responsible for certificate issuing, and the OCSP role is running on 
the SubCA server. For EAP TLS authentication, the full certificate chain was 
imported into PacketFence.

Any ideas on how to force PacketFence to use the SubCA certificate only for OCSP 
requests?

--

Andrey Chernyakov
Senior Network and Security Engineer

email: chernya...@npsconsult.com
phone: (+352) 621260657

NPS Consult S.A.
L-5687, Dalheim
Luxembourg
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
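As an added example (not part of the original post and not PacketFence's own code), the script below shows a defender-side way to settle which certificate belongs in `-issuer`: it splits a PEM bundle, skips the client certificate itself if the bundle contains it, keeps the one certificate whose key actually verifies the client certificate, prints the Issuer Key Hash each candidate would put into an OCSP request, and then queries the responder with the matched issuer only. It needs the openssl command-line tool; the file names and the responder URL are hypothetical. Note that in the two requests quoted in the post the Issuer Name Hash is identical while the Issuer Key Hash differs, so a subject-name match alone cannot pick the right certificate (a renewed CA keeps its name but gets a new key); a signature check can.

```shell
#!/bin/sh
# Added example, not from the original post or from PacketFence.
# Given a client (leaf) certificate and a PEM bundle such as the full chain
# imported for EAP-TLS, find the ONE certificate that actually signed the leaf
# and use only that certificate as the OCSP "-issuer".
# Assumes the openssl CLI is installed; file names and URLs are hypothetical.

# Split a PEM bundle ($1) into cert-01.pem, cert-02.pem, ... inside directory $2.
split_chain() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.pem", dir, n) }
        n > 0                         { print > f }
        /-----END CERTIFICATE-----/   { close(f) }
    ' "$1"
}

# SHA-256 fingerprint of a certificate file, used to tell candidates apart.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Flags that stop "openssl verify" from consulting the system trust store, so the
# only trusted certificate during the check is the candidate we pass in.
no_default_store() {
    case "$(openssl version)" in
        "OpenSSL 3"*) echo "-no-CAfile -no-CApath -no-CAstore" ;;
        *)            echo "-no-CAfile -no-CApath" ;;
    esac
}

# find_issuer LEAF BUNDLE OUT
# Copies the certificate from BUNDLE that directly signed LEAF to OUT and prints
# its fingerprint. Returns 1 when nothing in BUNDLE signed LEAF.
find_issuer() {
    leaf="$1"; bundle="$2"; out="$3"
    dir=$(mktemp -d)
    split_chain "$bundle" "$dir"
    leaf_fp=$(fingerprint "$leaf")
    for cand in "$dir"/cert-*.pem; do
        # A bundle may contain the leaf itself; as its own trust anchor it would
        # trivially "verify", so skip it.
        [ "$(fingerprint "$cand")" = "$leaf_fp" ] && continue
        # -partial_chain lets a non-self-signed CA act as the trust anchor, so the
        # check succeeds only for the certificate whose key signed the leaf.
        if openssl verify $(no_default_store) -partial_chain -CAfile "$cand" "$leaf" >/dev/null 2>&1; then
            cp "$cand" "$out"
            fingerprint "$cand"
            rm -rf "$dir"
            return 0
        fi
    done
    rm -rf "$dir"
    return 1
}

# show_certids LEAF BUNDLE
# Prints the Issuer Key Hash each candidate would put into the OCSP request;
# -reqout only builds the request, no responder is contacted.
show_certids() {
    dir=$(mktemp -d)
    split_chain "$2" "$dir"
    for cand in "$dir"/cert-*.pem; do
        printf '%s: ' "$(openssl x509 -in "$cand" -noout -subject)"
        openssl ocsp -issuer "$cand" -cert "$1" -reqout /dev/null -text 2>/dev/null \
            | grep 'Issuer Key Hash' || echo '(no request produced)'
    done
    rm -rf "$dir"
}

# ocsp_check LEAF BUNDLE URL
# Queries the responder with the matched issuer only; the bundle is still used
# as -CAfile so the response signer can be verified.
ocsp_check() {
    issuer=$(mktemp)
    if ! find_issuer "$1" "$2" "$issuer" >/dev/null; then
        echo "no certificate in $2 signed $1" >&2
        rm -f "$issuer"
        return 1
    fi
    openssl ocsp -issuer "$issuer" -cert "$1" -CAfile "$2" -url "$3" -resp_text
    rc=$?
    rm -f "$issuer"
    return $rc
}

# Usage: sh ocsp_issuer.sh L-0060.pem chain.pem http://responder.example/OCSP
if [ "$#" -ge 3 ]; then
    show_certids "$1" "$2"
    ocsp_check "$1" "$2" "$3"
fi
```

The signature check is the deciding criterion on purpose: `openssl ocsp` builds the CertID from the issuer's public key, so the file handed to `-issuer` must contain the certificate carrying the key that signed the client certificate, not merely one with the same subject name.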