Re: [Openca-ocspd] [Openca-Users] Cisco Router + OCSPD-2

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

> Verified, by default OCSPd 2.1.0 doesn't work with Cisco cause sha256:
> 
> ../VIEW_ROOT/cisco.comp/pki_ssl/src/ca/provider/revoke/ocsp/ocsp.c(2717)
> : E_DIGEST_ALG_NOT_SUPPORTED : message digest algorithms not supported
> 
> However OCSPd is still using sha256 when signing the response:
> 
> [pki_ocsp_resp.c:357]::DEBUG::OCSP RESP SIGN TK::Using Algorithm
> sha256WithRSAEncryption
> 
> Don't know how to workaround this.

Replying to myself..

Attached is a dirty (ugly) patch to OCSP 2.1.1 source code to force
reply in sha1 for OCSPd. Better than patching libpki, but not a final
solution.

Looked into OCSP RFC and it seems that sha1 and sha256 SHALL be
supported so I will try to open a TAC Case with Cisco to see it working
in IOS.

Apart of this patch all seems to be working fine in the OCSP with Cisco.
Will be making more tests soon.

Re: [Openca-ocspd] [Openca-Users] Cisco Router + OCSPD-2

Open Source PKI solutions

Re: [Openca-ocspd] [Openca-Users] Cisco Router + OCSPD-2