On Jan 11, 2017, at 4:30 AM, Stefan Winter <stefan.winter@restena.lu> wrote:
But: FreeRADIUS
... OpenSSL...
sends the name and key hashes hashed with SHA1; my resonse does the hashes with SHA256.
The result in debug mode is:
Wed Jan 11 03:56:13 2017 : Debug: (54) eap_tls: Starting OCSP Request Wed Jan 11 03:56:13 2017 : Debug: (54) eap_tls: ocsp: Using responder URL "http://ocsp-test.hosted.eduroam.org:80/ticker/" Wed Jan 11 03:56:13 2017 : ERROR: (54) eap_tls: ocsp: No Status found Wed Jan 11 03:56:13 2017 : ERROR: (54) eap_tls: ocsp: Certificate has been expired/revoked
The Status sits right there in the response: "Cert Status: good" but for some reason FR
... OpenSSL...
won't accept it.
I believe it would be easy to fix this; calculate the name and key hashes for both algos and check if the response matches any one of those.
I thought I could slap you with RFC6960's section 4.3: "Clients that request OCSP services SHALL be capable of processing responses signed using RSA with SHA-256 (identified by the sha256WithRSAEncryption OID specified in [RFC4055]). "
but that one only pertains to the signature hash algorithm of the full response (which is sha256, and which does not seem to be the issue here).
So, is all that correct?
Mostly. We don't implement OCSP. OpenSSL does. We just call the OpenSSL API. If it returns "no", there's not a lot we can do. Perhaps try upgrading OpenSSL. Alan DeKok.