Apache OCSP verification fails
Posted: Fri Jul 30, 2010 9:18 am Subject: Apache OCSP verification fails
Ulf Wahlqvist
I'm trying to get Apache to do Client certificate verification with OCSP-validation.
It works without OCSP, but OCSP-validation fails when I turn it on.
The error is "OCSP_check_validity:status too old", but that doesn't make sense because the clocks are within 2 seconds.
I have verified that if I use openssl directly from command line it will verify OK.
...
Response verify OK
/mnt/download/uwcert.cer: good
This Update: Jul 29 10:43:41 2010 GMT
Next Update: Jul 30 10:43:45 2010 GMT
//// Where do I start looking??
/ulfW
** my config **
[root@fedoragui logs]# httpd -v
Server version: Apache/2.3.6 (Unix)
Server built: Jul 16 2010 15:31:39
[root@fedoragui logs]# openssl version
OpenSSL 1.0.0a-fips 1 Jun 2010
./configure --enable-ssl
http-ssl.conf:
SSLCACertificateFile "/usr/local/apache2/conf/SITHS_CA_v3.cer"
SSLCARevocationFile "/usr/local/apache2/conf/crl/SITHS_CA_ver_3.crl"
SSLVerifyClient require
SSLVerifyDepth 3
SSLOCSPEnable on
SSLOCSPDefaultResponder http://ocsp.trust.telia.com
#SSLOCSPOverrideResponder on
** error_log **
[Fri Jul 30 13:36:02.080681 2010] [info] [pid 2826:tid 3061840752] [client 10.0.2.2:1440] Connection to child 0 established (server fedoragui.mydomain.com:443)
[Fri Jul 30 13:36:02.089466 2010] [debug] [pid 2826:tid 3061840752] ssl_engine_io.c(1175): [client 10.0.2.2:1440] (70014)End of file found: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Fri Jul 30 13:36:02.090049 2010] [info] [pid 2826:tid 3061840752] [client 10.0.2.2:1440] Connection closed to child 0 with abortive shutdown (server fedoragui.mydomain.com:443)
[Fri Jul 30 13:36:04.549495 2010] [info] [pid 2833:tid 3061840752] [client 10.0.2.2:1441] Connection to child 128 established (server fedoragui.mydomain.com:443)
[Fri Jul 30 13:36:05.230878 2010] [debug] [pid 2833:tid 3061840752] ssl_util_ocsp.c(79): [client 10.0.2.2:1441] connecting to OCSP responder 'ocsp.trust.telia.com'
[Fri Jul 30 13:36:05.235845 2010] [debug] [pid 2833:tid 3061840752] ssl_util_ocsp.c(105): [client 10.0.2.2:1441] sending request to OCSP responder
[Fri Jul 30 13:36:05.257605 2010] [debug] [pid 2833:tid 3061840752] ssl_util_ocsp.c(209): [client 10.0.2.2:1441] OCSP response header: Date: Fri, 30 Jul 2010 13:36:04 GMT
[Fri Jul 30 13:36:05.257920 2010] [debug] [pid 2833:tid 3061840752] ssl_util_ocsp.c(209): [client 10.0.2.2:1441] OCSP response header: Server: Apache
[Fri Jul 30 13:36:05.258515 2010] [debug] [pid 2833:tid 3061840752] ssl_util_ocsp.c(209): [client 10.0.2.2:1441] OCSP response header: Content-Length: 1264
[Fri Jul 30 13:36:05.258767 2010] [debug] [pid 2833:tid 3061840752] ssl_util_ocsp.c(209): [client 10.0.2.2:1441] OCSP response header: Connection: close
[Fri Jul 30 13:36:05.259001 2010] [debug] [pid 2833:tid 3061840752] ssl_util_ocsp.c(209): [client 10.0.2.2:1441] OCSP response header: Content-Type: application/ocsp-response
[Fri Jul 30 13:36:05.259743 2010] [debug] [pid 2833:tid 3061840752] ssl_util_ocsp.c(252): [client 10.0.2.2:1441] OCSP response: got 1264 bytes, 1264 total
[Fri Jul 30 13:36:05.275967 2010] [debug] [pid 2833:tid 3061840752] ssl_util_ocsp.c(235): [client 10.0.2.2:1441] OCSP response: got EOF
[Fri Jul 30 13:36:05.278741 2010] [error] [pid 2833:tid 3061840752] SSL Library Error: error:2707307F:OCSP routines:OCSP_check_validity:status too old
[Fri Jul 30 13:36:05.279711 2010] [error] [pid 2833:tid 3061840752] [client 10.0.2.2:1441] Certificate Verification: Error (50): application verification failure
[Fri Jul 30 13:36:05.282013 2010] [info] [pid 2833:tid 3061840752] [client 10.0.2.2:1441] SSL library error 1 in handshake (server fedoragui.mydomain.com:443)
[Fri Jul 30 13:36:05.282958 2010] [info] [pid 2833:tid 3061840752] SSL Library Error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
[Fri Jul 30 13:36:05.285938 2010] [info] [pid 2911:tid 3040861040] [client 10.0.2.2:1444] Connection to child 194 established (server fedoragui.mydomain.com:443)
[Fri Jul 30 13:36:05.289429 2010] [info] [pid 2833:tid 3061840752] [client 10.0.2.2:1441] Connection closed to child 128 with abortive shutdown (server fedoragui.mydomain.com:443)
[Fri Jul 30 13:36:05.296438 2010] [info] [pid 2911:tid 3040861040] [client 10.0.2.2:1444] SSL library error 1 in handshake (server fedoragui.mydomain.com:443)
[Fri Jul 30 13:36:05.300686 2010] [info] [pid 2911:tid 3051350896] [client 10.0.2.2:1445] Connection to child 193 established (server fedoragui.mydomain.com:443)
[Fri Jul 30 13:36:05.301800 2010] [debug] [pid 2911:tid 3051350896] ssl_engine_io.c(1175): [client 10.0.2.2:1445] (70014)End of file found: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Fri Jul 30 13:36:05.302646 2010] [info] [pid 2911:tid 3051350896] [client 10.0.2.2:1445] Connection closed to child 193 with abortive shutdown (server fedoragui.mydomain.com:443)
[Fri Jul 30 13:36:05.308392 2010] [info] [pid 2911:tid 3040861040] SSL Library Error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate -- No CAs known to server for verification?
[Fri Jul 30 13:36:05.308711 2010] [info] [pid 2911:tid 3040861040] [client 10.0.2.2:1444] Connection closed to child 194 with abortive shutdown (server fedoragui.mydomain.com:443)
/ulfW
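To make the logged error concrete, here is an added example (not part of the thread, and not httpd or OpenSSL code) that models the rules of OpenSSL's OCSP_check_validity() in Python and runs them on the thisUpdate/nextUpdate values from the openssl ocsp output above. The check time and the one-hour age cap are constructed values for illustration only; the thread does not show which maximum age the Apache build passed.

```python
from datetime import datetime, timezone

def parse_ocsp_time(s):
    """Parse a time as 'openssl ocsp' prints it, e.g. 'Jul 29 10:43:41 2010 GMT'."""
    return datetime.strptime(s, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def check_validity(this_update, next_update, now, nsec, maxsec):
    """Model of OpenSSL's OCSP_check_validity(thisupd, nextupd, nsec, maxsec).

    nsec   -- tolerated clock skew in seconds
    maxsec -- maximum age of thisUpdate in seconds; a negative value disables the check
    Returns the OpenSSL reason strings that would be raised (empty list = valid).
    """
    errors = []
    # thisUpdate must not lie more than nsec in the future
    if (this_update - now).total_seconds() > nsec:
        errors.append("status not yet valid")
    # with maxsec >= 0, thisUpdate must not lie more than maxsec in the past:
    # this is the only path that produces "status too old"
    if maxsec >= 0 and (now - this_update).total_seconds() > maxsec:
        errors.append("status too old")
    if next_update is not None:
        # nextUpdate must not lie more than nsec in the past
        if (now - next_update).total_seconds() > nsec:
            errors.append("status expired")
        if next_update < this_update:
            errors.append("nextupdate before thisupdate")
    return errors

# Values taken from the thread's 'openssl ocsp' output
THIS_UPDATE = parse_ocsp_time("Jul 29 10:43:41 2010 GMT")
NEXT_UPDATE = parse_ocsp_time("Jul 30 10:43:45 2010 GMT")
# Constructed check time: inside the response's validity window, 3h16m after thisUpdate
NOW = parse_ocsp_time("Jul 29 14:00:00 2010 GMT")

def verdicts():
    """Same response, two callers: the CLI defaults and a caller with a one-hour age cap."""
    # 'openssl ocsp' defaults: 5 minutes of skew, no maximum age (maxsec = -1)
    cli = check_validity(THIS_UPDATE, NEXT_UPDATE, NOW, 300, -1)
    # Assumed one-hour cap, chosen only to show how a finite maxsec behaves
    capped = check_validity(THIS_UPDATE, NEXT_UPDATE, NOW, 300, 3600)
    return cli, capped

if __name__ == "__main__":
    cli, capped = verdicts()
    print("openssl ocsp defaults:", cli or "valid")
    print("one-hour age cap:     ", capped or "valid")
```

The model shows why a two-second clock offset cannot cause this error: "status too old" is measured from thisUpdate against the caller's maximum-age argument, which the openssl command line leaves unlimited, so a pre-produced daily response passes the CLI yet fails any caller with a finite cap. In httpd 2.4 that cap is the SSLOCSPResponseMaxAge directive (default -1) and the skew is SSLOCSPResponseTimeSkew (default 300).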
Posted: Fri Jul 30, 2010 9:31 am Subject: Apache OCSP verification fails
Patrick Patterson
Hi Ulf:
My guess is that this isn't an OpenSSL issue, but rather an issue with how the
Apache devels have implemented OCSP, so the best mailing list to ask about
these kinds of questions is probably the Apache-devel list.
Have fun.
Patrick.
On July 30, 2010 09:49:10 am Ulf Wahlqvist wrote:
| Quote: | I'm trying to get Apache to do Client certificate verification with OCSP-validation. It works without OCSP, but OCSP-validation fails when I turn it on. The error is "OCSP_check_validity:status too old", but that doesn't make sense because the clocks are within 2 seconds. I have verified that if I use openssl directly from command line it will verify OK. [...] |
--
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca