From: Joachim A. <ac...@as...> - 2011-06-03 16:56:21
Hi Massimilio, hi OCSP developers,

I'm a step further with my problems between Cisco router <-> OCSPD-2.

1st, I had to comment in this line again at response.c (line 518):

    // PKI_NET_write (connfd, "\r\n", 2); <--- Deleted: Caused issues
    //                                         in Firefox/Thunderbird OCSPs

What is good for Firefox is bad for Cisco routers: without \r\n, the Cisco router showed an error:

    ../VIEW_ROOT/cisco.comp/pki_ssl/src/ca/provider/pki/pkicomm/pki_http.c(303): E_PKI_TRANSPORT : data transport error ()

2nd, a follow-up problem, after inserting the PKI_NET_write \r\n again, was still there with OCSP-2.1.0 + libpki-0.6.4:

    ../VIEW_ROOT/cisco.comp/pki_ssl/src/ca/provider/revoke/ocsp/ocsp.c(690): E_PKI_TRANSPORT : data transport warning (transport failure)
    ../VIEW_ROOT/cisco.comp/pki_ssl/src/ca/provider/revoke/ocsp/ocsp.c(3438): E_PKI_TRANSPORT : data transport error (!PKI_STATUS_GRANTED)

Certificates weren't correct up to that release. But I think I've mastered two levels in this adventure up to this point. :-)

3rd, after upgrading to OCSP-2.1.1 + libpki-0.6.5, it's looking much better now, but it still doesn't work yet:

    ../VIEW_ROOT/cisco.comp/pki_ssl/src/ca/provider/revoke/ocsp/ocsp.c(2715): E_DIGEST_ALG_NOT_SUPPORTED : message digest algorithms not supported

I have looked a bit more in depth: Cisco seems to use source code from RSA Security (www.rsa.com) for the Cisco router's OCSP functionality. Cisco routers include exactly the strings for warnings and errors like the ocsp.c of RSA does. This is my suspicion, because I've googled the following ocsp.c source file of RSA:

    http://www.rsa.com/products/bsafe/documentation/certc272html/ocsp_8c-source.html

So, what exactly happens when the Cisco router gets back the OCSP response from ocspd-2.1.1...

The RSA ocsp.c reads - there are only some hashing standards it will support when decoding the Certificate ID:

    /* since we only support DAI_SHA1_OID and DAI_MD5_OID, and both don't
       come with parameters, so we just decode OID */

In other cases it would put out this "E_DIGEST_ALG_NOT_SUPPORTED" error. But when I turn debugging on (writing the DER cert into /tmp/ocsp-resp.der) and look up the OCSP response with

    openssl ocsp -resp_text -respin /tmp/ocsp-resp.der -no_cert_verify

I just get a (in my eyes) normal response; I don't see that there would be another hashing done than the SHA1 in the protocol standard:

    OCSP Response Data:
        OCSP Response Status: successful (0x0)
        Response Type: Basic OCSP Response
        Version: 1 (0x0)
        Responder Id: C = DE, O = Astel, OU = TestCA, CN = Test
        Produced At: Jun 3 15:32:11 2011 GMT
        Responses:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
          Issuer Key Hash: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
          Serial Number: XXXXXXXXXXXXXXXXXXXX
        Cert Status: good
        This Update: Jun 3 15:32:11 2011 GMT
        Next Update: Jun 3 15:37:11 2011 GMT
    [...]

Could you just have a look into http://www.rsa.com/products/bsafe/documentation/certc272html/ocsp_8c-source.html to see which hashing format is expected by the RSA code?

Greetings
-Achim
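Editor's added example (not code from the e-mail, from ocspd/libpki, or from the RSA/Cisco source): a small DER walker that lists every AlgorithmIdentifier in a dumped OCSP response such as the /tmp/ocsp-resp.der mentioned above, including the one inside each CertID. `openssl ocsp -resp_text` prints only the algorithm name; it does not show whether the AlgorithmIdentifier carries a parameters element (absent vs. explicit NULL) or the exact OID, which is what a decoder that "just decodes the OID" for SHA-1/MD5 would be sensitive to. Whether that is the actual cause of E_DIGEST_ALG_NOT_SUPPORTED here is an assumption, not something the thread establishes; the script only makes the encoding visible. The sample response is constructed inline with made-up hash and signature bytes so the script runs offline.

```python
"""List the AlgorithmIdentifiers in a DER OCSP response (added example, not
ocspd/libpki/RSA/Cisco code).  Usage: python ocsp_algs.py /tmp/ocsp-resp.der
Without an argument it inspects a constructed sample response."""
import sys

DIGEST_OIDS = {"1.3.14.3.2.26": "sha1", "1.2.840.113549.2.5": "md5",
               "2.16.840.1.101.3.4.2.1": "sha256"}
OTHER_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
              "1.3.6.1.5.5.7.48.1.1": "id-pkix-ocsp-basic"}
OCSP_BASIC = "1.3.6.1.5.5.7.48.1.1"  # responseType of a BasicOCSPResponse


def read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, constructed, content_start, content_end)."""
    tag = buf[pos]
    if (tag & 0x1F) == 0x1F:
        raise ValueError("multi-byte tags are not used in OCSP")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: 0x8N followed by N length octets
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, bool(tag & 0x20), pos, pos + length


def decode_oid(content):
    """Decode OBJECT IDENTIFIER content octets to dotted form."""
    if not content or content[-1] & 0x80:
        raise ValueError("malformed OID")
    first = content[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    val = 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def find_algorithm_identifiers(buf, start=0, end=None, found=None):
    """Collect (oid, name, params) for every SEQUENCE whose first element is an OID.
    params is 'absent', 'NULL' or 'tag 0xNN'.  The BasicOCSPResponse sits inside
    responseBytes.response (an OCTET STRING), so that one octet string is entered too."""
    end = len(buf) if end is None else end
    found = [] if found is None else found
    pos, prev_oid = start, None
    while pos < end:
        tag, constructed, cs, ce = read_tlv(buf, pos)
        if tag == 0x30 and cs < ce and buf[cs] == 0x06:
            _, _, os_, oe = read_tlv(buf, cs)
            oid = decode_oid(buf[os_:oe])
            if oid != OCSP_BASIC:  # responseBytes is also SEQUENCE { OID, ... }; skip it
                if oe >= ce:
                    params = "absent"
                else:
                    ptag = read_tlv(buf, oe)[0]
                    params = "NULL" if ptag == 0x05 else "tag 0x%02x" % ptag
                found.append((oid, DIGEST_OIDS.get(oid, OTHER_OIDS.get(oid, "unknown")), params))
        if tag == 0x06:
            prev_oid = decode_oid(buf[cs:ce])
        if constructed or (tag == 0x04 and prev_oid == OCSP_BASIC):
            find_algorithm_identifiers(buf, cs, ce, found)
        pos = ce
    return found


def certid_digests(buf):
    """Only the digest AlgorithmIdentifiers, i.e. the CertID.hashAlgorithm entries."""
    return [f for f in find_algorithm_identifiers(buf) if f[0] in DIGEST_OIDS]


# --- constructed sample (made-up hashes/signature; not a real responder's output) ---
def der(tag, content):
    n = len(content)
    lb = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    ln = bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + ln + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def algid(oid, null_params):
    return der(0x30, encode_oid(oid) + (der(0x05, b"") if null_params else b""))


def single_response(digest_oid, null_params=False):
    cert_id = der(0x30, algid(digest_oid, null_params) + der(0x04, b"\x11" * 20)
                  + der(0x04, b"\x22" * 20) + der(0x02, b"\x01\x02\x03"))
    return der(0x30, cert_id + b"\x80\x00" + der(0x18, b"20110603153211Z"))  # good, thisUpdate


def sample_ocsp_response(single_responses):
    tbs = der(0x30, der(0xA2, der(0x04, b"\x33" * 20)) + der(0x18, b"20110603153211Z")
              + der(0x30, b"".join(single_responses)))  # responderID byKey, producedAt, responses
    basic = der(0x30, tbs + algid("1.2.840.113549.1.1.5", True) + der(0x03, b"\x00" + b"\xAA" * 16))
    return der(0x30, der(0x0A, b"\x00") + der(0xA0, der(0x30, encode_oid(OCSP_BASIC) + der(0x04, basic))))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        data = open(sys.argv[1], "rb").read()
    else:
        data = sample_ocsp_response([single_response("1.3.14.3.2.26"),
                                     single_response("2.16.840.1.101.3.4.2.1", True)])
    for oid, name, params in find_algorithm_identifiers(data):
        print("%-26s %-22s parameters: %s" % (oid, name, params))
```

Run it against the debug dump and compare the CertID line with the `Hash Algorithm: sha1` line from openssl: the walker prints the raw OID and whether a NULL parameters element follows it, which is the level of detail the quoted RSA comment is talking about. The signatureAlgorithm entry is listed as well so the two are not confused.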