How can I start openssl ocsp in secure mode using TLS/SSL


How can I start openssl ocsp in secure mode using TLS/SSL

Ike Ikonne
Hi all,

I have been trying to test the embedded openssl ocsp server in secure mode like:


c:\openssl-0.9.8\share>c:\openssl-0.9.8\bin\openssl ocsp -url https://myhost:7575 -req_text -resp_text -text -index intermediate\index.txt -CA intermediate\certs\ca-chain-cert.pem -rkey intermediate\private\ocsp.example.com.key.pem -rsigner intermediate\certs\ocsp.example.com.cert.pem


using the https protocol, but when I try to validate a certificate using the built-in ocsp client similar to:


c:\openssl-0.9.8\share>c:\openssl-0.9.8\bin\openssl ocsp -CAfile intermediate\certs\ca-chain-cert.pem -url https://myhost:7575 -resp_text -issuer intermediate\certs\intermediate.cert.pem -cert intermediate\certs\test.example.com.cert.pem


I get the following error message


Error connecting BIO
Error querying OCSP responsder
12164:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:./ssl/s23_clnt.c:585:


Does anyone know how I may overcome this?



Thanks,


Ike


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: How can I start openssl ocsp in secure mode using TLS/SSL

OpenSSL - User mailing list

Openssl 0.9.8 is old and obsolete and has security issues; you should upgrade.

 

But even if you upgrade, the ocsp command will not listen on HTTPS; that is not supported.

 



Re: How can I start openssl ocsp in secure mode using TLS/SSL

Richard Moore


On 22 September 2017 at 15:08, Salz, Rich via openssl-users <[hidden email]> wrote:

Openssl 0.9.8 is old and obsolete and has security issues; you should upgrade.

 

But even if you upgrade, the ocsp command will not listen on HTTPS; that is not supported.



It's also worth pointing out that CAs are banned from running OCSP servers over HTTPS anyway and it isn't needed since the responses are already signed - http is fine.

Cheers

Rich.


Re: How can I start openssl ocsp in secure mode using TLS/SSL

Jakob Bohm-7
On 22/09/2017 18:32, Richard Moore wrote:

>
>
> On 22 September 2017 at 15:08, Salz, Rich via openssl-users
> <[hidden email] <mailto:[hidden email]>> wrote:
>
>     Openssl 0.9.8 is old and obsolete and has security issues; you
>     should upgrade.
>
>     But even if you upgrade, the ocsp command will not listen on
>     HTTPS; that is not supported.
>
>
>
> It's also worth pointing out that CAs are banned from running OCSP
> servers over HTTPS anyway and it isn't needed since the responses are
> already signed - http is fine.
>
That particular ban has an interesting backstory of bureaucratic
decisions that seem misguided in retrospect.

The problem is that the information in OCSP requests is potentially
very valuable to an attacker who lacks the ability to fully wiretap
the connections between the OCSP client and the ultimate source of
the checked certificate.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded


Re: How can I start openssl ocsp in secure mode using TLS/SSL

Kyle Hamilton
In reply to this post by Richard Moore
On Fri, Sep 22, 2017 at 9:32 AM, Richard Moore <[hidden email]> wrote:
>
> It's also worth pointing out that CAs are banned from running OCSP servers over HTTPS anyway and it isn't needed since the responses are already signed - http is fine.

That argument fails when you consider that some people want the
details of who they're talking to or asking about to be confidential,
not merely authentic.

I'm a believer in the idea that SNI and the Certificate messages
should happen under an ephemeral DH or ephemeral ECDH cover.  Others
fear-monger to say "maybe they shouldn't".

(Also, for completeness, the argument that "CAs are banned from
running OCSP servers over HTTPS anyway" is a straw man at best -- not
every CA is created or intends to be a member of or subject to the
mandates of the CA Security Council, formerly known as the CA/Browser
Forum.  And every attempt to encode policy into technical standards,
attempting to prohibit certain actions for whatever misguided
administrative reasons, is subject to being bypassed by people who
understand the various parts and how to glue them all together.)

To be fair, the OCSP responder certificate may or may not be
revoked... but honestly, if you're asking the OCSP responder for the
status of its own certificate you're opening yourself up to a
subordination/subversion attack anyway.  OCSP responders should have
very short-lived certificates, to minimize the temporal subordination
attack surface.

-Kyle H

Re: How can I start openssl ocsp in secure mode using TLS/SSL

Richard Moore


On 26 September 2017 at 02:36, Kyle Hamilton <[hidden email]> wrote:
On Fri, Sep 22, 2017 at 9:32 AM, Richard Moore <[hidden email]> wrote:
>
> It's also worth pointing out that CAs are banned from running OCSP servers over HTTPS anyway and it isn't needed since the responses are already signed - http is fine.

That argument fails when you consider that some people want the
details of who they're talking to or asking about to be confidential,
not merely authentic.


That doesn't change the fact it's banned.

 
I'm a believer in the idea that SNI and the Certificate messages
should happen under an ephemeral DH or ephemeral ECDH cover.  Others
fear-monger to say "maybe they shouldn't".


There are a lot of other things that would also need addressing to make it secret /who/ you're talking to. It's not something https guarantees right now. If you'd like it to that would be a whole other discussion.

 
(Also, for completeness, the argument that "CAs are banned from
running OCSP servers over HTTPS anyway" is a straw man at best -- not
every CA is created or intends to be a member of or subject to the
mandates of the CA Security Council, formerly known as the CA/Browser
Forum.  And every attempt to encode policy into technical standards,

The CA Security Council and CA/Browser Forum are unrelated organisations.

Regards

Rich.
 
attempting to prohibit certain actions for whatever misguided
administrative reasons, is subject to being bypassed by people who
understand the various parts and how to glue them all together.)
To be fair, the OCSP responder certificate may or may not be
revoked... but honestly, if you're asking the OCSP responder for the
status of its own certificate you're opening yourself up to a
subordination/subversion attack anyway.  OCSP responders should have
very short-lived certificates, to minimize the temporal subordination
attack surface.




Re: How can I start openssl ocsp in secure mode using TLS/SSL

Jakob Bohm-7
On 26/09/2017 14:31, Richard Moore wrote:

>
>
> On 26 September 2017 at 02:36, Kyle Hamilton <[hidden email]
> <mailto:[hidden email]>> wrote:
>
>     On Fri, Sep 22, 2017 at 9:32 AM, Richard Moore
>     <[hidden email] <mailto:[hidden email]>> wrote:
>     >
>     > It's also worth pointing out that CAs are banned from running
>     OCSP servers over HTTPS anyway and it isn't needed since the
>     responses are already signed - http is fine.
>
>     That argument fails when you consider that some people want the
>     details of who they're talking to or asking about to be confidential,
>     not merely authentic.
>
>
> That doesn't change the fact it's banned.
>
But ONLY for CAB/F regulated public CAs.

>
>     I'm a believer in the idea that SNI and the Certificate messages
>     should happen under an ephemeral DH or ephemeral ECDH cover.  Others
>     fear-monger to say "maybe they shouldn't".
>
>
> There are a lot of other things that would also need addressing to
> make it secret /who/ you're talking to. It's not something https
> guarantees right now. If you'd like it to that would be a whole other
> discussion.
>
However wiretapping a few central non-https OCSP responders is one
of the few attacks that will reveal this without wiretapping the
actual connection.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded


Re: How can I start openssl ocsp in secure mode using TLS/SSL

Michael Wojcik
In reply to this post by Richard Moore
> From: openssl-users [mailto:[hidden email]] On Behalf Of Richard Moore
> Sent: Tuesday, September 26, 2017 06:31
> To: [hidden email]
> Subject: Re: [openssl-users] How can I start openssl ocsp in secure mode using TLS/SSL

> The CA Security Council and CA/Browser Forum are unrelated organisations.

True, but CASC endorses CA/BF, for example by requiring its members meet the CA/BF Basic Requirements. They may be "unrelated" but they're quite chummy.

That said, I don't think openssl-users is an ideal, or effective, forum for organizing an escape from the CA/BF cabal. That will have to happen elsewhere, if it's to happen at all.

--
Michael Wojcik
Distinguished Engineer, Micro Focus

