From: Bubnov D. <bu...@lu...> - 2011-02-19 05:54:38
Hi Max.

After some investigation I have found a possible reason for this wrong behavior. It is the incorrect representation of dates in the validity fields (notBefore and notAfter) of the OCSP responder's certificate, which is presented by the OCSP daemon in the OCSP response. The first byte is missing in both fields, so the dates look like "110219002600Z" instead of "20110219002600".

P.S. In my case, the responder's certificate is stored in a local file.
P.P.S. Firefox just crashes.

--
Regards
Dima

-----Original message (on Feb 18, 2011, at 20:00 )-----
>
> From: Massimiliano Pala <Massimiliano.Pala@Dartmouth.edu>
> Date: February 18, 2011 20:00:41 GMT+03:00
> To: ope...@li...
> Subject: Re: [Openca-ocspd] OpenCA's ocspd responder and Darwin's ocspd requestor: wrong behaviour
>
>
> Hi Dmitriy,
>
> so it seems that the OCSP is generating a response - can you verify the
> response by using a different client tool (e.g., Firefox and/or openssl
> ocsp tool) ? If those are correct, is there any chance you can debug the
> Safari code and/or submit a support-request to Apple ?
>
> Cheers,
> Max
>
>
> On 02/17/2011 01:31 AM, Bubnov Dmitriy wrote:
>> Hi folks!
>>
>> The situation:
>>
>> 1. All certificates and CRLs are generated by XCA under Mac OS X.
>> 2. OpenCA's ocspd (v2.1.0) is running under CentOS 5 (2.6.18-194.26.1.el5xen).
>> 3. The certificate (whose serial number is 3) for the web server contains an AIA with the URI of the above ocspd.
>> 4. Keychain properties for certificates on the test Mac are as follows:
>>    - Online Certificate Status Protocol (OCSP): Require If Cert Indicates
>>    - Certificate Revocation List (CRL): Require If Cert Indicates
>>    - Priority: OCSP
>> 5. Revocation check is correct if the requestor is the "openssl ocsp" command.
>>
>> On the test Mac I am trying to open the web server and Safari shows the error popup "This certificate cannot be verified (OCSP service unavailable)".
>>
>> But sniffing shows that there was a request from the test Mac (actually from the native Darwin ocspd) and a "good" response from OpenCA's ocspd for the web server certificate.
>>
>> What is wrong? How to correct this behaviour?
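The validity encoding discussed in the message above, as an added example that is not part of this thread or of OpenCA's ocspd code: RFC 5280 (section 4.1.2.5) requires certificate validity dates through 2049 to be encoded as UTCTime, which is YYMMDDHHMMSSZ with a two-digit year (so 110219002600Z is the normal wire form of 2011-02-19 00:26:00 UTC), and dates from 2050 on as GeneralizedTime, YYYYMMDDHHMMSSZ. The Python below parses a DER Validity SEQUENCE, applies those rules, and reports any value that fits neither form, so a reader can tell a standard two-digit-year UTCTime from a value that has actually lost a byte. The DER samples are constructed for this example; no real responder certificate is used.

```python
"""Decode and validate the X.509 Validity field (notBefore, notAfter) from
DER, distinguishing UTCTime from GeneralizedTime per RFC 5280 4.1.2.5.
All sample DER below is constructed for this example."""
import datetime
import re

UTCTIME_TAG = 0x17          # ASN.1 UTCTime
GENERALIZEDTIME_TAG = 0x18  # ASN.1 GeneralizedTime
SEQUENCE_TAG = 0x30

# RFC 5280 allows exactly these shapes: no fractional seconds, always "Z".
_UTC_RE = re.compile(r"^(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$")
_GEN_RE = re.compile(r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$")


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one DER TLV (short or long length)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_time(tag, value):
    """Decode one DER Time; raise ValueError on any encoding RFC 5280 forbids."""
    text = value.decode("ascii")
    if tag == UTCTIME_TAG:
        m = _UTC_RE.match(text)
        if not m:
            raise ValueError("UTCTime must be YYMMDDHHMMSSZ, got %r" % text)
        yy = int(m.group(1))
        year = 1900 + yy if yy >= 50 else 2000 + yy   # RFC 5280 century rule
        fields = (year,) + tuple(int(g) for g in m.groups()[1:])
    elif tag == GENERALIZEDTIME_TAG:
        m = _GEN_RE.match(text)
        if not m:
            raise ValueError("GeneralizedTime must be YYYYMMDDHHMMSSZ, got %r" % text)
        fields = tuple(int(g) for g in m.groups())
        if fields[0] < 2050:                # CAs must use UTCTime before 2050
            raise ValueError("dates before 2050 must be UTCTime, got %r" % text)
    else:
        raise ValueError("unexpected tag 0x%02x in Validity" % tag)
    return datetime.datetime(*fields, tzinfo=datetime.timezone.utc)


def decode_validity(der):
    """Parse Validity ::= SEQUENCE { notBefore Time, notAfter Time }."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != SEQUENCE_TAG:
        raise ValueError("Validity must be a SEQUENCE")
    t1, v1, pos = _read_tlv(body, 0)
    t2, v2, pos = _read_tlv(body, pos)
    if pos != len(body):
        raise ValueError("trailing bytes in Validity")
    not_before, not_after = decode_time(t1, v1), decode_time(t2, v2)
    if not_after < not_before:
        raise ValueError("notAfter precedes notBefore")
    return not_before, not_after


def check_validity(der):
    """Return "ok" or "error: <reason>", convenient for scripted checks."""
    try:
        decode_validity(der)
        return "ok"
    except ValueError as exc:
        return "error: " + str(exc)


def _time_tlv(tag, text):
    raw = text.encode("ascii")
    return bytes([tag, len(raw)]) + raw


def validity_der(not_before, not_after, tag=UTCTIME_TAG):
    """Build a constructed Validity SEQUENCE for testing (bodies < 128 bytes)."""
    body = _time_tlv(tag, not_before) + _time_tlv(tag, not_after)
    return bytes([SEQUENCE_TAG, len(body)]) + body


# Constructed samples (hypothetical, not taken from any real certificate).
GOOD_UTC = validity_der("110219002600Z", "120219002600Z")          # standard form
GOOD_GEN = validity_der("20500101000000Z", "20600101000000Z", GENERALIZEDTIME_TAG)
BAD_UTC_FOUR_DIGIT_YEAR = validity_der("20110219002600Z", "20120219002600Z")
BAD_UTC_TRUNCATED = validity_der("10219002600Z", "20219002600Z")  # first byte lost
BAD_UTC_NO_Z = validity_der("110219002600", "120219002600")

if __name__ == "__main__":
    for name in ("GOOD_UTC", "GOOD_GEN", "BAD_UTC_FOUR_DIGIT_YEAR",
                 "BAD_UTC_TRUNCATED", "BAD_UTC_NO_Z"):
        print("%-24s %s" % (name, check_validity(globals()[name])))
```

To compare against a real responder certificate, `openssl asn1parse -i -in responder.pem` prints each validity value with its tag (UTCTIME or GENERALIZEDTIME) and raw text, which can then be passed through `decode_time` to see whether it is the expected form or actually short.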