Re: Problems with getting OCSP to work with firefox 2.0.0.8 (Fedora Core 7)
Thanks for all the help. It turns out the CA cert had to be reinstalled. I had loaded a PKCS12 cert that included the certificate chain. When I checked the Authorities, the CA was there, so it was loaded when I loaded the PKCS12 user cert. I deleted the CA then imported it again. When I imported it, I made sure the check box "Trust this CA to identify web sites" was checked. Now when I establish the connection, I no longer see the warning. As well, firefox is sending out the OCSP request and is getting the OCSP response.

Thanks,
Bruce

On 11/2/07, Eddy Nigg (StartCom Ltd.) [EMAIL PROTECTED] wrote:
> Now I don't know much more, except as Nelson already mentioned that the CA root might not be installed in the browser. If the problem persists, an actual certificate and domain responder location etc. is needed in order to get a better picture.
>
> Bruce Keats wrote:
>> OK. There is nothing special about any of the S/W I am using. I am running fedora core 7 with all the latest updates from the Fedora Project. The OCSP responder is the openca-ocspd. The certificates are pretty basic. They have SKID, AKID, AIA, CKU and EKU. The EKU is for a TLS Server. Anything else? As I mentioned, I don't see any requests from firefox.
>>
>> Bruce
>>
>> On 11/1/07, Eddy Nigg (StartCom Ltd.) [EMAIL PROTECTED] wrote:
>>> I can try to help you if you can provide some more details about the software you are using, examination of the certificate itself etc. You can send me mail also off-list if you feel more comfortable...
>>>
>>> Bruce Keats wrote:
>>>> Hi,
>>>>
>>>> I am having problems getting firefox 2.0.0.8 to send requests to the OCSP responder listed in the Authority Info Access (AIA) extension within the certificates. I am sure it is something fairly simple.
>>>>
>>>> On Firefox, I have enabled OCSP under Edit-Preferences, the Advanced tab, Encryption tab, Verification window. I selected the radio button "Use OCSP to validate only certificates that specify an OCSP service URL".
>>>>
>>>> I have an HTTPS server that is sending a certificate that has the AIA extension. When I try and set up the connection, I get the usual certificate warnings and if I examine the server's certificate, I see it does have the AIA extension. The AIA lists three OCSP responders:
>>>>
>>>>     Not Critical
>>>>     OCSP: URI: http://server1:9000
>>>>     OCSP: URI: http://server2:9000
>>>>     OCSP: URI: http://server3:9000
>>>>
>>>> When I check the OCSP responder, I don't see any logs indicating it received an OCSP request from the host that I am running firefox on. I know the OCSP responder is working because it responds to requests from the same host using openssl ocsp from the command line. The openssl ocsp command is:
>>>>
>>>>     openssl ocsp -issuer /tmp/cacert.pem -cert /tmp/cert.pem -text -CAfile /tmp/cacert.pem -url http://server1:9000
>>>>
>>>> I have been trying different things over the past couple of days without much success. I did some google searches without finding much. I had a quick look at the source code and it looks like OCSP support is there. Any ideas why this isn't working for me? Any suggestions of things to try because I am out of ideas?
>>>>
>>>> Bruce

___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Problems with getting OCSP to work with firefox 2.0.0.8 (Fedora Core 7)
Now I don't know much more, except as Nelson already mentioned that the CA root might not be installed in the browser. If the problem persists, an actual certificate and domain responder location etc. is needed in order to get a better picture.

Bruce Keats wrote:
> OK. There is nothing special about any of the S/W I am using. I am running fedora core 7 with all the latest updates from the Fedora Project. The OCSP responder is the openca-ocspd. The certificates are pretty basic. They have SKID, AKID, AIA, CKU and EKU. The EKU is for a TLS Server. Anything else? As I mentioned, I don't see any requests from firefox.
>
> Bruce
>
> On 11/1/07, Eddy Nigg (StartCom Ltd.) [EMAIL PROTECTED] wrote:
>> I can try to help you if you can provide some more details about the software you are using, examination of the certificate itself etc. You can send me mail also off-list if you feel more comfortable...
>>
>> Bruce Keats wrote:
>>> Hi,
>>>
>>> I am having problems getting firefox 2.0.0.8 to send requests to the OCSP responder listed in the Authority Info Access (AIA) extension within the certificates. I am sure it is something fairly simple.
>>>
>>> On Firefox, I have enabled OCSP under Edit-Preferences, the Advanced tab, Encryption tab, Verification window. I selected the radio button "Use OCSP to validate only certificates that specify an OCSP service URL".
>>>
>>> I have an HTTPS server that is sending a certificate that has the AIA extension. When I try and set up the connection, I get the usual certificate warnings and if I examine the server's certificate, I see it does have the AIA extension. The AIA lists three OCSP responders:
>>>
>>>     Not Critical
>>>     OCSP: URI: http://server1:9000
>>>     OCSP: URI: http://server2:9000
>>>     OCSP: URI: http://server3:9000
>>>
>>> When I check the OCSP responder, I don't see any logs indicating it received an OCSP request from the host that I am running firefox on. I know the OCSP responder is working because it responds to requests from the same host using openssl ocsp from the command line. The openssl ocsp command is:
>>>
>>>     openssl ocsp -issuer /tmp/cacert.pem -cert /tmp/cert.pem -text -CAfile /tmp/cacert.pem -url http://server1:9000
>>>
>>> I have been trying different things over the past couple of days without much success. I did some google searches without finding much. I had a quick look at the source code and it looks like OCSP support is there. Any ideas why this isn't working for me? Any suggestions of things to try because I am out of ideas?
>>>
>>> Bruce

--
Regards
Signer: Eddy Nigg, StartCom Ltd. http://www.startcom.org
Jabber: [EMAIL PROTECTED]
Blog: Join the Revolution! http://blog.startcom.org
Phone: +1.213.341.0390

Re: Problems with getting OCSP to work with firefox 2.0.0.8 (Fedora Core 7)
I can try to help you if you can provide some more details about the software you are using, examination of the certificate itself etc. You can send me mail also off-list if you feel more comfortable...

--
Regards
Signer: Eddy Nigg, StartCom Ltd. http://www.startcom.org
Jabber: [EMAIL PROTECTED]
Blog: Join the Revolution! http://blog.startcom.org
Phone: +1.213.341.0390

Bruce Keats wrote:
> Hi,
>
> I am having problems getting firefox 2.0.0.8 to send requests to the OCSP responder listed in the Authority Info Access (AIA) extension within the certificates. I am sure it is something fairly simple.
>
> On Firefox, I have enabled OCSP under Edit-Preferences, the Advanced tab, Encryption tab, Verification window. I selected the radio button "Use OCSP to validate only certificates that specify an OCSP service URL".
>
> I have an HTTPS server that is sending a certificate that has the AIA extension. When I try and set up the connection, I get the usual certificate warnings and if I examine the server's certificate, I see it does have the AIA extension. The AIA lists three OCSP responders:
>
>     Not Critical
>     OCSP: URI: http://server1:9000
>     OCSP: URI: http://server2:9000
>     OCSP: URI: http://server3:9000
>
> When I check the OCSP responder, I don't see any logs indicating it received an OCSP request from the host that I am running firefox on. I know the OCSP responder is working because it responds to requests from the same host using openssl ocsp from the command line. The openssl ocsp command is:
>
>     openssl ocsp -issuer /tmp/cacert.pem -cert /tmp/cert.pem -text -CAfile /tmp/cacert.pem -url http://server1:9000
>
> I have been trying different things over the past couple of days without much success. I did some google searches without finding much. I had a quick look at the source code and it looks like OCSP support is there. Any ideas why this isn't working for me? Any suggestions of things to try because I am out of ideas?
>
> Bruce

Re: Problems with getting OCSP to work with firefox 2.0.0.8 (Fedora Core 7)
OK. There is nothing special about any of the S/W I am using. I am running fedora core 7 with all the latest updates from the Fedora Project. The OCSP responder is the openca-ocspd. The certificates are pretty basic. They have SKID, AKID, AIA, CKU and EKU. The EKU is for a TLS Server. Anything else? As I mentioned, I don't see any requests from firefox.

Bruce

On 11/1/07, Eddy Nigg (StartCom Ltd.) [EMAIL PROTECTED] wrote:
> I can try to help you if you can provide some more details about the software you are using, examination of the certificate itself etc. You can send me mail also off-list if you feel more comfortable...
>
> Bruce Keats wrote:
>> Hi,
>>
>> I am having problems getting firefox 2.0.0.8 to send requests to the OCSP responder listed in the Authority Info Access (AIA) extension within the certificates. I am sure it is something fairly simple.
>>
>> On Firefox, I have enabled OCSP under Edit-Preferences, the Advanced tab, Encryption tab, Verification window. I selected the radio button "Use OCSP to validate only certificates that specify an OCSP service URL".
>>
>> I have an HTTPS server that is sending a certificate that has the AIA extension. When I try and set up the connection, I get the usual certificate warnings and if I examine the server's certificate, I see it does have the AIA extension. The AIA lists three OCSP responders:
>>
>>     Not Critical
>>     OCSP: URI: http://server1:9000
>>     OCSP: URI: http://server2:9000
>>     OCSP: URI: http://server3:9000
>>
>> When I check the OCSP responder, I don't see any logs indicating it received an OCSP request from the host that I am running firefox on. I know the OCSP responder is working because it responds to requests from the same host using openssl ocsp from the command line. The openssl ocsp command is:
>>
>>     openssl ocsp -issuer /tmp/cacert.pem -cert /tmp/cert.pem -text -CAfile /tmp/cacert.pem -url http://server1:9000
>>
>> I have been trying different things over the past couple of days without much success. I did some google searches without finding much. I had a quick look at the source code and it looks like OCSP support is there. Any ideas why this isn't working for me? Any suggestions of things to try because I am out of ideas?
>>
>> Bruce

Re: Problems with getting OCSP to work with firefox 2.0.0.8 (Fedora Core 7)
Bruce Keats wrote:
> I have an HTTPS server that is sending a certificate that has the AIA extension. When I try and set up the connection, I get the usual certificate warnings

That's the reason you get no OCSP checks. OCSP checking only occurs if the cert appears to be valid in all other respects. If the cert fails any validity checks, the OCSP check doesn't occur.

> When I check the OCSP responder, I don't see any logs indicating it received an OCSP request from the host that I am running firefox on.
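
An added example, not part of the original thread: the ordering described in the reply above (path validation first, OCSP lookup only afterwards), reproduced with the `openssl` command line on a throwaway PKI. The function names, file names and the two `Demo` CAs are assumptions made for the demo, and `openssl verify` stands in for the browser's trust decision; only the responder URL is taken from the thread.

```shell
#!/bin/sh
# Constructed demo PKI: names, file paths and key sizes are sample values.
make_demo_pki() {   # $1 = scratch directory
    d=$1
    cat > "$d/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    # Leaf extensions: AIA pointing at the OCSP responder, TLS server EKU.
    printf '%s\n' 'authorityInfoAccess = OCSP;URI:http://server1:9000' \
        'extendedKeyUsage = serverAuth' > "$d/leaf.ext"
    for ca in cacert other; do   # "other" is an unrelated CA, used as a wrong trust anchor
        openssl req -x509 -config "$d/req.cnf" -newkey rsa:2048 -nodes -days 2 \
            -subj "/CN=Demo $ca" -keyout "$d/$ca.key" -out "$d/$ca.pem" 2>/dev/null || return 1
    done
    openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=server1" -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/srv.csr" -CA "$d/cacert.pem" -CAkey "$d/cacert.key" \
        -CAcreateserial -days 1 -extfile "$d/leaf.ext" -out "$d/cert.pem" 2>/dev/null
}
chain_ok() {        # $1 = trust anchor file, $2 = certificate
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}
ocsp_uri() { openssl x509 -in "$1" -noout -ocsp_uri; }   # OCSP URL from the AIA extension
# Same ordering as in the thread: path validation first, revocation lookup second.
ocsp_precheck() {   # $1 = trust anchor file, $2 = certificate
    if ! chain_ok "$1" "$2"; then
        echo "chain invalid against $1: fix trust first, no OCSP lookup expected"
        return 1
    fi
    echo "chain OK: OCSP lookup expected at $(ocsp_uri "$2")"
}
d=$(mktemp -d) && make_demo_pki "$d" && {
    ocsp_precheck "$d/other.pem" "$d/cert.pem"    # issuing CA not trusted
    ocsp_precheck "$d/cacert.pem" "$d/cert.pem"   # issuing CA trusted
}
rm -rf "$d"
```

Against a real deployment, the same check is run with the server's certificate and the CA file the client is meant to trust, before looking for requests in the responder's log.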