I'm only guessing, but maybe manually adding all necessary intermediate
certificates to your server will help?
--
With Best Regards,
Marat Khalili
On 26/08/15 09:31, Sterpu Victor wrote:
I installed apache 2.4.16 and I have activated SSLOCSPEnable on a
virtual domain but the page is not loading at all with
OCSPEnabled(without OCSP is working).
The error is:
SSL Library Error: error:27069065:OCSP
routines:OCSP_basic_verify:certificate verify error (Verify
error:unable to get local issuer certificate)
AH02039: Certificate Verification: Error (50): application
verification failure
AH01925: failed to verify the OCSP response
I would use SSLOCSPOverrideResponder
<http://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslocspoverrideresponder> but
I have 4 different OCSP servers depending on the CA.
I checked the certificates and in the section Authority Information
Access there is a URL to the OCSP server.
This is the information from one of the certificates:
[1]Authority Info Access
Access Method=On-line Certificate Status Protocol (1.3.6.1.5.5.7.48.1)
Alternative Name:
URL=http://ocsp.certsign.ro/ocsp
ocsp.digisign.ro is answering on port 80.
Could be a problem with SSLOCSPEnable that is not auto extracting the
OCSP URL?
My configuration is:
SSLEngine on
SSLCertificateFile /etc/ssl/card.casnt.ro/server.crt
SSLCertificateKeyFile /etc/ssl/card.casnt.ro/server.key
SSLCACertificateFile /etc/ssl/certs/RO/All_Certs.pem
SSLVerifyClient require
SSLVerifyDepth 10
SSLOptions +StdEnvVars +ExportCertData
SSLOCSPEnable On
Thank you.
------ Original Message ------
From: "Marat Khalili" <m...@rqc.ru <mailto:m...@rqc.ru>>
To: users@httpd.apache.org <mailto:users@httpd.apache.org>
Sent: 8/23/2015 8:16:06 PM
Subject: Re: [users@httpd] SSL - How client certificates are verified?
In this case, could you please post the results when you get the
SSLOCSPEnable fixed? I'm particularly interested in performance.
--
With Best Regards,
Marat Khalili
On 23/08/2015 19:57, Sterpu Victor wrote:
There are 4 CAs, at least 1 uses OCSP(only 1 I called).
I hope all of them use OCSP, I don't know the legislation but it
seems normal to be required by law.
------ Original Message ------
From: "Marat Khalili" <m...@rqc.ru <mailto:m...@rqc.ru>>
To: users@httpd.apache.org <mailto:users@httpd.apache.org>
Sent: 8/23/2015 7:51:14 PM
Subject: Re: [users@httpd] SSL - How client certificates are verified?
Oh, I see. In this case you will have to check the status of their
certificates. Still, I suspect all of the tokens are issued by one
CA. Probably it is better to ask this CA for their procedures: do
they use OCSP or just publish CRLs.
--
With Best Regards,
Marat Khalili
On 23/08/2015 19:41, Sterpu Victor wrote:
All clients already have PKCS11 tokens.
It would be too complicated for them to get used with something else.
------ Original Message ------
From: "Marat Khalili" <m...@rqc.ru <mailto:m...@rqc.ru>>
To: users@httpd.apache.org <mailto:users@httpd.apache.org>
Sent: 8/23/2015 7:34:07 PM
Subject: Re: [users@httpd] SSL - How client certificates are verified?
I see. However, accepting clients certificates from the world
recognized authorities is both more expensive (for clients) and
more risky than running your own CA (recognized only by your
server). If you personally know all your clients it is easier to
issue them certificates directly, and revoke them by yourself too
if needed.
--
With Best Regards,
Marat Khalili
On 23/08/2015 18:56, Sterpu Victor wrote:
I want to make a page that will authenticate only with PKCS11
tokens.
These tokens contain only certificates from a recognized authority.
OCSP would be usefull if the token has been declared lost or stolen.
But I don't want to make things too complicated.
------ Original Message ------
From: "Marat Khalili" <m...@rqc.ru <mailto:m...@rqc.ru>>
To: users@httpd.apache.org <mailto:users@httpd.apache.org>
Sent: 8/23/2015 6:51:02 PM
Subject: Re: [users@httpd] SSL - How client certificates are
verified?
Hello, what is your scenario? If you issue (sign) client
certificates yourself, Apache can correctly verify it against
local CRL (certificate revocation list) file (server restart
may be required after file update). There's information in the
net concerning OCSP support for client authentication in newer
versions of Apache (google SSLOCSPEnable), but I can see no
real use for it save for some very complicated systems.
--
With Best Regards,
Marat Khalili
On 23/08/2015 09:51, Sterpu Victor wrote:
Hello
I have a web page that asks for client certificate.
These are the options for this:
SSLVerifyClient require
SSLVerifyDepth 10
How does SSLVerifyClient verifies the client certificate?
This option protects against certificates manual made with a
fake public-private key pair?
So can someoane make a certificate identical with the
original, attach another set of public and private keys and
pretend to be someoane else?
Thank you
------------------------------------------------------------------------
Avast logo <https://www.avast.com/antivirus>
This email has been checked for viruses by Avast antivirus
software.
www.avast.com <https://www.avast.com/antivirus>
/*DISCLAIMER*:
Acest mesaj de posta electronica si documentele aferente sunt
confidentiale. Este interzisa distribuirea, dezvaluirea sau
orice alt mod de utilizare a lor. Daca nu sunteti destinatarul
acestui mesaj, este interzis sa actionati in baza acestor
informatii. Citirea, copierea, distribuirea, dezvaluirea sau
utilizarea in alt mod a informatiei continute in acest mesaj
constituie o incalcare a legii. Daca ati primit mesajul din
greseala, va rugam sa il distrugeti, anuntand expeditorul de
eroarea comisa. Intrucat nu poate fi garantat faptul ca posta
electronica este un mod sigur si lipsit de erori de
transmitere a informatiilor, este responsabilitatea dvs. sa va
asigurati ca mesajul (inclusiv documentele alaturate lui) este
validat si autorizat spre a fi utilizat in mediul dvs./
------------------------------------------------------------------------
Avast logo <https://www.avast.com/antivirus>
This email has been checked for viruses by Avast antivirus
software.
www.avast.com <https://www.avast.com/antivirus>
/*DISCLAIMER*:
Acest mesaj de posta electronica si documentele aferente sunt
confidentiale. Este interzisa distribuirea, dezvaluirea sau
orice alt mod de utilizare a lor. Daca nu sunteti destinatarul
acestui mesaj, este interzis sa actionati in baza acestor
informatii. Citirea, copierea, distribuirea, dezvaluirea sau
utilizarea in alt mod a informatiei continute in acest mesaj
constituie o incalcare a legii. Daca ati primit mesajul din
greseala, va rugam sa il distrugeti, anuntand expeditorul de
eroarea comisa. Intrucat nu poate fi garantat faptul ca posta
electronica este un mod sigur si lipsit de erori de transmitere
a informatiilor, este responsabilitatea dvs. sa va asigurati ca
mesajul (inclusiv documentele alaturate lui) este validat si
autorizat spre a fi utilizat in mediul dvs./
------------------------------------------------------------------------
Avast logo <https://www.avast.com/antivirus>
This email has been checked for viruses by Avast antivirus software.
www.avast.com <https://www.avast.com/antivirus>
/*DISCLAIMER*:
Acest mesaj de posta electronica si documentele aferente sunt
confidentiale. Este interzisa distribuirea, dezvaluirea sau orice
alt mod de utilizare a lor. Daca nu sunteti destinatarul acestui
mesaj, este interzis sa actionati in baza acestor informatii.
Citirea, copierea, distribuirea, dezvaluirea sau utilizarea in alt
mod a informatiei continute in acest mesaj constituie o incalcare
a legii. Daca ati primit mesajul din greseala, va rugam sa il
distrugeti, anuntand expeditorul de eroarea comisa. Intrucat nu
poate fi garantat faptul ca posta electronica este un mod sigur si
lipsit de erori de transmitere a informatiilor, este
responsabilitatea dvs. sa va asigurati ca mesajul (inclusiv
documentele alaturate lui) este validat si autorizat spre a fi
utilizat in mediul dvs./
------------------------------------------------------------------------
Avast logo <https://www.avast.com/antivirus>
This email has been checked for viruses by Avast antivirus software.
www.avast.com <https://www.avast.com/antivirus>
/*DISCLAIMER*:
Acest mesaj de posta electronica si documentele aferente sunt
confidentiale. Este interzisa distribuirea, dezvaluirea sau orice
alt mod de utilizare a lor. Daca nu sunteti destinatarul acestui
mesaj, este interzis sa actionati in baza acestor informatii.
Citirea, copierea, distribuirea, dezvaluirea sau utilizarea in alt
mod a informatiei continute in acest mesaj constituie o incalcare a
legii. Daca ati primit mesajul din greseala, va rugam sa il
distrugeti, anuntand expeditorul de eroarea comisa. Intrucat nu
poate fi garantat faptul ca posta electronica este un mod sigur si
lipsit de erori de transmitere a informatiilor, este
responsabilitatea dvs. sa va asigurati ca mesajul (inclusiv
documentele alaturate lui) este validat si autorizat spre a fi
utilizat in mediul dvs./
------------------------------------------------------------------------
Avast logo <https://www.avast.com/antivirus>
This email has been checked for viruses by Avast antivirus software.
www.avast.com <https://www.avast.com/antivirus>
/*DISCLAIMER*:
Acest mesaj de posta electronica si documentele aferente sunt
confidentiale. Este interzisa distribuirea, dezvaluirea sau orice alt
mod de utilizare a lor. Daca nu sunteti destinatarul acestui mesaj,
este interzis sa actionati in baza acestor informatii. Citirea,
copierea, distribuirea, dezvaluirea sau utilizarea in alt mod a
informatiei continute in acest mesaj constituie o incalcare a legii.
Daca ati primit mesajul din greseala, va rugam sa il distrugeti,
anuntand expeditorul de eroarea comisa. Intrucat nu poate fi garantat
faptul ca posta electronica este un mod sigur si lipsit de erori de
transmitere a informatiilor, este responsabilitatea dvs. sa va
asigurati ca mesajul (inclusiv documentele alaturate lui) este validat
si autorizat spre a fi utilizat in mediul dvs./
