Welcome! Log In Create A New Profile

Advanced

Re: OCSP malformedrequest with 1.9.7 and openssl 1.0.2e

December 05, 2015 04:20AM
Dear Maxim,

thanks for your ideas.

I think I have not fully understand this matter, yet ;-)

- check if OCSP requests from other clients (e.g., browsers) work;
note that openssl's OCSP client will likely fail out of the box;

---> it does not work with openssl on Ubuntu 14.04 LTS (OpenSSL 1.0.1f 6 Jan 2014), openssl on raspberrypi2 (OpenSSL 1.0.2e) and Qualsys ssllabs (https://www.ssllabs.com/ssltest/). I do not get any errors on the other hand in Firefox or Chrome on Windows / Ubuntu / Android browsing to my websites. But I do not know how to do the same OCSP tests with my browsers.


- check if the same error occurs on x86 hosts for the same certificate or not;

--> I have to try this later, it is not that easy to set up here right now.



- try tcpdump'ing traffic between nginx and the OCSP responder to see what happens on the wire.

--> I have done it. It is showing some communication when I do the test with openssl, e.g.

echo QUIT | openssl s_client -connect www.mydomain.com:443 -status 2> /dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'


Pcap extraction show communication:
....
.
StartCom Ltd.1+0)..U..."Secure Digital Certificate Signing1806..U.../StartCom Class 1 Primary Intermediate Server CA0..
151011024455Z....
.....
. ...M0..I0...g.....0..;..+......7...0..*0...+........"http://www.startssl.com/policy.pdf0....+.......0..0'. StartCom Certification Authority0.......This certificate was issued according to the Class 1 Validation requirements of the StartCom CA policy, reliance only for the intended purpose in compliance of the relying party obligations.05..U....0,0*.(.&.$http://crl.startssl.com/crt1-crl.crl0....+..........0.09..+.....0..-http://ocsp.startssl.com/sub/class1/server/ca0B..+.....0..6http://aia.startssl.com/certs/sub.class1.server.ca.crt0#..U....0...http://www.startssl.com/0....

But at the end of my pcap I have a

TLSv1.2 Record Layer: Encrypted Alert
Content Type: Alert (21)
Version: TLS 1.2 (0x0303)
Length: 26
Alert Message: Encrypted Alert

followed by FIN, ACK

Greetings,
Alexander
Subject Author Posted

OCSP malformedrequest with 1.9.7 and openssl 1.0.2e

agruener December 04, 2015 05:40PM

Re: OCSP malformedrequest with 1.9.7 and openssl 1.0.2e

Maxim Dounin December 04, 2015 10:34PM

Re: OCSP malformedrequest with 1.9.7 and openssl 1.0.2e

agruener December 05, 2015 04:20AM

Re: OCSP malformedrequest with 1.9.7 and openssl 1.0.2e

Maxim Dounin December 06, 2015 09:00PM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 55
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready