OpenSSL OCSP and RFC 6960

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

OpenSSL OCSP and RFC 6960

Gena Makhomed
Hello, All!

For certificates generated by "Let's Encrypt Authority X3"
for getting ocsp response from letsencrypt I need to use such command:

# openssl ocsp -verify_other chain.pem \
                -issuer chain.pem \
                -cert cert.pem \
                -text \
                -url http://ocsp.int-x3.letsencrypt.org \
                -header "Host" "ocsp.int-x3.letsencrypt.org"

===========================

If I remove '-header "Host" "ocsp.int-x3.letsencrypt.org"'
from command line I got error:

Error querying OCSP responder
140274026829712:error:27076072:OCSP routines:PARSE_HTTP_LINE1:server
response error:ocsp_ht.c:314:Code=400,Reason=Bad Request

openssl ocsp utility does not send 'Host' header by default?
But why? Looks like this is bug.

===========================

If I remove '-verify_other chain.pem' from command line I got error:

Response Verify Failure
140272439146384:error:27069076:OCSP routines:OCSP_basic_verify:signer
certificate not found:ocsp_vfy.c:92:

'man ocsp' tell what

        -verify_other file
            file containing additional certificates to search
            when attempting to locate the OCSP response signing
            certificate. Some responders omit the actual signer's
            certificate from the response: this option can be used
            to supply the necessary certificate in such cases.

But why I need to provide '-verify_other chain.pem'
with issuer certificate?

As I understand, RFC 6960 tell what only issuer certificate
is required for OCSP response verification.

Looks like this is bug in OpenSSL library / openssl ocsp utility.

--
Best regards,
  Gena
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users