OCSP_basic_verify:root ca not trusted

2009-07-28 Thread Natanael Mignon - michael-wessel.de
Dear list,

Another problem with the OCSP handling in Apache/mod_ssl:

[Tue Jul 28 14:27:12 2009] [error] SSL Library Error: error:27069070:OCSP routines:OCSP_basic_verify:root ca not trusted
[Tue Jul 28 14:27:12 2009] [error] failed to verify the OCSP response!

Now, of course this could be just correct and there could be an error with the 
certificate store etc. But we get this error when a client authenticates using 
certificate "b3", which is issued by "CA3", and the OCSP request is sent to 
"ocsp3". "CA3" is trusted for Apache and also present and symlinked in 
/etc/ssl/certs.

If the client authenticates using cert "b2", which is issued by "CA2" and the 
responder is "ocsp2", everything is fine. "CA2" is trusted in the same way as 
"CA3".

If the client authenticates using cert "b1", which is issued by "CA1" and the 
responder is "ocsp1", everything is fine. "CA1" is trusted in the same way as 
"CA2" and "CA3".


To verify the OCSP handling, we execute the requests manually:

openssl ocsp -issuer CA1 -serial  -uri ocsp1... --> GOOD, verify OK.

openssl ocsp -issuer CA2 -serial  -uri ocsp2... --> GOOD, verify OK.

openssl ocsp -issuer CA3 -serial  -uri ocsp3... --> GOOD, verify FAIL.

openssl ocsp -issuer CA1 -serial  -uri ocsp3... --> GOOD, verify OK!

So obviously the OCSP signer certificate of ocsp3 has been issued by CA1 (what 
we found in the OCSP response itself, of course).

What we did not get straight so far: How is the issuer certificate determined 
to validate the OCSP signer certificate against in the library functions (i.e. 
when Apache calls the OCSP verify functions)? What might be needed here to get 
OpenSSL to validate against the correct issuer certificate?

Kind regards
 Natanael Mignon

IT services: consulting | planning | implementation | operation
__
michael-wessel.de  Informationstechnologie GmbH
Krausenstraße 50
30171 Hannover
Germany
fon  (+49) 511 260 911-0 (DW: - 13)
fax  (+49) 511 318 039-9
eMail  n...@michael-wessel.de
web    www.michael-wessel.de
Please always send important e-mails to serv...@michael-wessel.de as well,
to ensure they are handled promptly.

Managing director: Michael Wessel, Dipl. Phys.
Hannover District Court (Amtsgericht Hannover)
HR B 59031



Re: OCSP_basic_verify:root ca not trusted

2009-07-28 Thread Dr. Stephen Henson
On Tue, Jul 28, 2009, Natanael Mignon - michael-wessel.de wrote:

> Dear list,
> 
> another problem with the OCSP-handling in Apache/mod_ssl:
> 
> [Tue Jul 28 14:27:12 2009] [error] SSL Library Error: error:27069070:OCSP 
> routines:OCSP_basic_verify:root ca not trusted
> [Tue Jul 28 14:27:12 2009] [error] failed to verify the OCSP response!
> 
> Now, of course this could be just correct and there could be an error with 
> the certificate store etc. But we get this error, when a client authenticates 
> using certificate "b3", which is issued by "CA3" and the OCSP request is sent 
> to "ocsp3". "CA3" is trusted for Apache and also present and symlinked in 
> /etc/ssl/certs.
> 
> If the client authenticates using cert "b2", which is issued by "CA2" and the 
> responder is "ocsp2", everything is fine. "CA2" is trusted in the same way as 
> "CA3".
> 
> If the client authenticates using cert "b1", which is issued by "CA1" and the 
> responder is "ocsp1", everything is fine. "CA1" is trusted in the same way as 
> "CA2" and "CA3".
> 
> 
> To verify the OCSP handling, we execute the requests manually:
> 
> openssl ocsp -issuer CA1 -serial  -uri ocsp1... --> GOOD, verify OK.
> 
> openssl ocsp -issuer CA2 -serial  -uri ocsp2... --> GOOD, verify OK.
> 
> openssl ocsp -issuer CA3 -serial  -uri ocsp3... --> GOOD, verify FAIL.
> 
> openssl ocsp -issuer CA1 -serial  -uri ocsp3... --> GOOD, verify OK!
> 
> So obviously the OCSP signer certificate of ocsp3 has been issued by CA1 
> (what we found in the OCSP response itself, of course).
> 
> What we did not get straight so far: How is the issuer certificate determined 
> to validate the OCSP signer certificate against in the library functions 
> (i.e. when Apache calls the OCSP verify functions)? What might be needed here 
> to get OpenSSL to validate against the correct issuer certificate?
> 

I'm not sure what the problem is here. According to your description the
responder ocsp3 is misconfigured and OpenSSL is behaving as you would expect.

That error is due to the way OCSP responses are verified. It first tries to
see if the response should be automatically accepted (responder certificate is
issued by the CA or is the CA itself); if that fails it checks to see if the
certificate is allowed to sign responses for *any* CA, so-called "global
responders". If that fails you get "root CA not trusted", meaning it isn't
trusted as a global responder.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project                 http://www.openssl.org
User Support Mailing List       openssl-users@openssl.org
Automated List Manager          majord...@openssl.org


Re: OCSP_basic_verify:root ca not trusted

2009-07-28 Thread Randy Turner
Is the OCSP response verification algorithm described below implemented
exclusively by OpenSSL, or is the algorithm an implementation of a
particular RFC algorithm?

Thanks!
Randy


Re: OCSP_basic_verify:root ca not trusted

2009-07-28 Thread Dr. Stephen Henson
On Tue, Jul 28, 2009, Randy Turner wrote:

> Is the OCSP response verification algorithm described below implemented 
> exclusively by OpenSSL, or is the algorithm an implementation
> of a particular RFC algorithm?
>

It follows the rules in RFC2560. The CA signing and delegate signing are
taken directly from RFC2560. It also allows a CA which "Matches a local
configuration of OCSP signing authority for the certificate in question" and
that's the "global responder" configuration option.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: OCSP_basic_verify:root ca not trusted

2009-07-29 Thread Natanael Mignon - michael-wessel.de
> -----Original message-----
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-
> us...@openssl.org] On behalf of Dr. Stephen Henson
> Sent: Tuesday, 28 July 2009 23:43
> To: openssl-users@openssl.org
> Subject: Re: OCSP_basic_verify:root ca not trusted
> 
> On Tue, Jul 28, 2009, Randy Turner wrote:
> 
> > Is the OCSP response verification algorithm described below implemented
> > exclusively by OpenSSL, or is the algorithm an implementation
> > of a particular RFC algorithm?
> >
> 
> It follows the rules in RFC2560. The CA signing and delegate signing are
> taken directly from RFC2560. It also allows a CA which "Matches a local
> configuration of OCSP signing authority for the certificate in question" and
> that's the "global responder" configuration option.

[NM] RFC2560 says:

"All definitive response messages SHALL be digitally signed. The key
used to sign the response MUST belong to one of the following:

   -- the CA who issued the certificate in question
   -- a Trusted Responder whose public key is trusted by the requester
   -- a CA Designated Responder (Authorized Responder) who holds a
      specially marked certificate issued directly by the CA, indicating
      that the responder may issue OCSP responses for that CA"

We have the second case: The responder has to be trusted to answer requests in 
this manner. That's why we already have the responder's signer certificate in 
/etc/ssl/certs. Still, the response verification fails. We probably have to 
trust the root CA for OCSP signing as stated in 
http://www.openssl.org/docs/apps/ocsp.html:

"If the OCSP responder is a ``global responder'' which can give details about 
multiple CAs and has its own separate certificate chain then its root CA can be 
trusted for OCSP signing. For example: 

 openssl x509 -in ocspCA.pem -addtrust OCSPSigning -out trustedCA.pem"

So that's what we are going to test next...

Kind regards
 Natanael Mignon

IT services: consulting | planning | implementation | operation
__ 

fon  (+49) 511 260 911-0 (DW: - 13)
fax  (+49) 511 318 039-9
eMail  n...@michael-wessel.de
web    www.michael-wessel.de

Please always send important e-mails to serv...@michael-wessel.de as well,
to ensure they are handled promptly.





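The acceptance order Steve describes, with the three RFC 2560 cases quoted above, modelled on the thread's CA1/CA2/CA3 setup as an added example; it is not OpenSSL's code and not from the list. Constructed assumptions: the responder signers carry the OCSPSigning extended key usage, ocsp3's signer chains to root CA1, and the fix tested is CA1 marked with `-addtrust OCSPSigning`.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    name: str
    issuer: str                 # a self-signed root names itself as issuer
    ocsp_signing: bool = False  # carries the id-kp-OCSPSigning extended key usage

@dataclass(frozen=True)
class TrustStore:
    certs: dict                          # trusted certs by name, like /etc/ssl/certs
    ocsp_trust: frozenset = frozenset()  # roots given "-addtrust OCSPSigning"

def verify_signer(signer: Cert, ca: Cert, store: TrustStore) -> str:
    """Return 'OK' or an OpenSSL-style reason, applying the three RFC 2560 cases in
    the order Steve gives: CA itself, delegated responder, then global responder."""
    if signer.name == ca.name:                            # 1: the CA signed it
        return "OK"
    if signer.issuer == ca.name and signer.ocsp_signing:  # 2: CA-designated responder
        return "OK"
    cert = signer                                         # 3: chain the signer to a root
    while cert.issuer != cert.name:
        cert = store.certs.get(cert.issuer)
        if cert is None:
            return "unable to get local issuer certificate"
    # A root that merely verifies the chain is not enough: it must be trusted for OCSP signing.
    return "OK" if cert.name in store.ocsp_trust else "root ca not trusted"

# Constructed scenario from the thread: three trusted roots; ocsp3's signer was
# issued by CA1 although ocsp3 answers for certificates issued by CA3.
CA1, CA2, CA3 = (Cert(n, n) for n in ("CA1", "CA2", "CA3"))
STORE = TrustStore({c.name: c for c in (CA1, CA2, CA3)})
OCSP1 = Cert("ocsp1-signer", "CA1", ocsp_signing=True)
OCSP2 = Cert("ocsp2-signer", "CA2", ocsp_signing=True)
OCSP3 = Cert("ocsp3-signer", "CA1", ocsp_signing=True)

def manual_checks(store: TrustStore = STORE) -> dict:
    """The four 'openssl ocsp -issuer ... -uri ...' runs from the first mail."""
    return {("CA1", "ocsp1"): verify_signer(OCSP1, CA1, store),
            ("CA2", "ocsp2"): verify_signer(OCSP2, CA2, store),
            ("CA3", "ocsp3"): verify_signer(OCSP3, CA3, store),
            ("CA1", "ocsp3"): verify_signer(OCSP3, CA1, store)}

def after_addtrust_ocspsigning() -> str:
    """Same CA3/ocsp3 check once CA1 is trusted for OCSP signing (global responder)."""
    return verify_signer(OCSP3, CA3, TrustStore(STORE.certs, frozenset({"CA1"})))
```

Rule 3 is decided on the root of the signer's chain, so the extra trust goes on CA1 (the root of ocsp3's signer), not on CA3, which is what the quoted docs sentence about the responder's "own separate certificate chain" means.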


Re: OCSP_basic_verify:root ca not trusted

2009-07-28 Thread Natanael Mignon - michael-wessel.de
Hello Steve,

thanks for the quick and enlightening reply - I was wondering about the OCSP 
signer cert being issued by a different CA as unusual, but the idea of global 
responders was not familiar. We will check this with the provider/trustcenter.

Best regards
 - Natanael Mignon

Blackberry services are available from us!

- Original message -
From: owner-openssl-us...@openssl.org 
To: openssl-users@openssl.org 
Sent: Tue Jul 28 18:41:30 2009
Subject: Re: OCSP_basic_verify:root ca not trusted