OCSP hash algorithm agility
Alan DeKok
aland at deployingradius.com
Wed Jan 11 15:44:18 CET 2017
On Jan 11, 2017, at 4:30 AM, Stefan Winter <stefan.winter at restena.lu> wrote:
> But: FreeRADIUS
... OpenSSL...
> sends the name and key hashes hashed with SHA1; my
> response does the hashes with SHA256.
>
> The result in debug mode is:
>
> Wed Jan 11 03:56:13 2017 : Debug: (54) eap_tls: Starting OCSP Request
> Wed Jan 11 03:56:13 2017 : Debug: (54) eap_tls: ocsp: Using responder
> URL "http://ocsp-test.hosted.eduroam.org:80/ticker/"
> Wed Jan 11 03:56:13 2017 : ERROR: (54) eap_tls: ocsp: No Status found
> Wed Jan 11 03:56:13 2017 : ERROR: (54) eap_tls: ocsp: Certificate has
> been expired/revoked
>
> The Status sits right there in the response: "Cert Status: good" but for
> some reason FR
... OpenSSL...
> won't accept it.
>
> I believe it would be easy to fix this; calculate the name and key
> hashes for both algos and check if the response matches any one of those.
>
> I thought I could slap you with RFC6960's section 4.3: "Clients that
> request OCSP services SHALL be capable of processing responses signed
> using RSA with SHA-256 (identified by the sha256WithRSAEncryption OID
> specified in [RFC4055]). "
>
> but that one only pertains to the signature hash algorithm of the full
> response (which is sha256, and which does not seem to be the issue here).
>
> So, is all that correct?
Mostly.
We don't implement OCSP. OpenSSL does. We just call the OpenSSL API. If it returns "no", there's not a lot we can do.
Perhaps try upgrading OpenSSL.
Alan DeKok.
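The mismatch described in the thread, as an added illustration (not code from the thread, from FreeRADIUS or from OpenSSL): a client sends an OCSP CertID computed with SHA-1, the responder identifies the certificate with a SHA-256 CertID, and a matcher that compares the response against only the CertID it sent finds no status even though the SingleResponse says "good". The second matcher implements Stefan's proposal of computing the hashes under both algorithms and accepting whichever one the response used. The issuer Name DER, the stand-in subjectPublicKey bytes, the serial number and the responder behaviour are all constructed for the example; nothing here touches the network.

```python
"""OCSP CertID hash-algorithm agility, shown with constructed data and only the stdlib.

An OCSP CertID (RFC 6960, 4.1.1) is the tuple
    (hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber)
where issuerNameHash is the hash of the DER-encoded issuer Name and issuerKeyHash is
the hash of the issuer's subjectPublicKey BIT STRING contents (tag, length and the
unused-bits octet excluded).  A client that looks up the SingleResponse by the exact
CertID it sent (SHA-1) cannot match a responder that answers with a SHA-256 CertID.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Optional

# Hash algorithm OIDs that may appear in CertID.hashAlgorithm, mapped to hashlib names.
SHA1_OID = "1.3.14.3.2.26"               # id-sha1
SHA256_OID = "2.16.840.1.101.3.4.2.1"    # id-sha256
HASH_ALGS = {SHA1_OID: "sha1", SHA256_OID: "sha256"}


@dataclass(frozen=True)
class CertID:
    hash_oid: str
    issuer_name_hash: bytes
    issuer_key_hash: bytes
    serial: int


@dataclass(frozen=True)
class SingleResponse:
    cert_id: CertID
    cert_status: str  # "good", "revoked" or "unknown"


def make_cert_id(issuer_name_der: bytes, issuer_key_bits: bytes,
                 serial: int, hash_oid: str) -> CertID:
    """Compute the CertID of one certificate under the given hash algorithm."""
    name = HASH_ALGS[hash_oid]
    return CertID(
        hash_oid,
        hashlib.new(name, issuer_name_der).digest(),
        hashlib.new(name, issuer_key_bits).digest(),
        serial,
    )


def responder(request: CertID, issuer_name_der: bytes,
              issuer_key_bits: bytes) -> SingleResponse:
    """Constructed responder: like the one in the thread it answers with a SHA-256
    CertID no matter which algorithm the request used, and reports 'good'."""
    answer_id = make_cert_id(issuer_name_der, issuer_key_bits, request.serial, SHA256_OID)
    return SingleResponse(answer_id, "good")


def find_status_strict(request: CertID, responses: List[SingleResponse]) -> Optional[str]:
    """Match only the exact CertID that was sent.  The hash algorithm is part of the
    comparison, so a SHA-256 answer to a SHA-1 request yields no status at all."""
    for single in responses:
        if single.cert_id == request:
            return single.cert_status
    return None


def find_status_agile(issuer_name_der: bytes, issuer_key_bits: bytes, serial: int,
                      responses: List[SingleResponse]) -> Optional[str]:
    """Stefan's proposal: compute the CertID under every supported algorithm and
    accept a SingleResponse whose CertID equals any one of them."""
    candidates = {make_cert_id(issuer_name_der, issuer_key_bits, serial, oid)
                  for oid in HASH_ALGS}
    for single in responses:
        if single.cert_id in candidates:
            return single.cert_status
    return None


# Constructed sample input: the DER encoding of the Name "CN=Test CA" and 32 stand-in
# bytes for the issuer's subjectPublicKey BIT STRING contents.  Neither comes from a
# real certificate; the serial is likewise arbitrary.
ISSUER_NAME_DER = bytes.fromhex("30123110300e06035504030c0754657374204341")
ISSUER_KEY_BITS = bytes(range(32))
SERIAL = 0x1234


def demo() -> tuple:
    """Send a SHA-1 CertID, receive a SHA-256 one, and compare the two lookup strategies."""
    request = make_cert_id(ISSUER_NAME_DER, ISSUER_KEY_BITS, SERIAL, SHA1_OID)
    responses = [responder(request, ISSUER_NAME_DER, ISSUER_KEY_BITS)]
    strict = find_status_strict(request, responses)
    agile = find_status_agile(ISSUER_NAME_DER, ISSUER_KEY_BITS, SERIAL, responses)
    return strict, agile


if __name__ == "__main__":
    strict, agile = demo()
    print("strict lookup:", strict)  # None, i.e. "No Status found"
    print("agile lookup: ", agile)   # good
```

The agile lookup only decides which SingleResponse belongs to the certificate being checked; it assumes the client holds the issuer certificate (it must, to compute either hash) and that the response signature has already been verified before any status is trusted. It does not change which signature algorithms the client accepts, which is the separate requirement RFC 6960 section 4.3 addresses.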