[openssl-users] OCSP service dependant on time valid CRLs

Erwann Abalea Erwann.Abalea at docusign.com
Thu Dec 10 18:58:23 UTC 2015


The OCSP responder can respond « unknown » if it doesn’t know the status of the requested certificate. « Unknown » can generally not be used when the issuer is not known, because such a response is signed, and if the responder doesn’t know about the issuer, it can’t choose its own certificate to use to sign the response.

If your OCSP responder is CRL based, and the CRL is not valid (badly encoded, wrong signature, incomplete in scope, expired, whatever…), « unknown » is a correct answer. « revoked » is also a correct answer if an expired CRL is found declaring the requested certificate as revoked. « tryLater » is also a correct answer, even « internalError » if we consider the CRL as part of the internal state of the responder.

Erwann Abalea
erwann.abalea at docusign.com<mailto:erwann.abalea at docusign.com>

Le 10 déc. 2015 à 18:29, socket <danbryan80 at gmail.com<mailto:danbryan80 at gmail.com>> a écrit :

Hi Walter,

I agree with your addition regarding the fact that it is not saying the cert is good, it's saying unknown. However, my understanding of the RFC is that unknown should be returned when the OCSP service does not know about the certificate issuer. I'm not sure that's the case.

Regarding the response verification, we are used the CA Designated Responder (Authorized Responder). meaning that the issuer of serial 0x500c8bd was the same issuer of the OCSP Signing response (ABC CA3 DEV). However, my testing shows that this only affects the "response verification (OK/FAILED)" not the certificate status returned (good/revoked/unknown).


On Thu, Dec 10, 2015 at 11:36 AM Walter H. [via OpenSSL] <[hidden email]<x-msg://5/user/SendEmail.jtp?type=node&node=61622&i=0>> wrote:
Hi Dan,

On 10.12.2015 16:27, daniel bryan wrote:
TEST #2: Next test was using OCSP:

[dan at canttouchthis PKI]$ openssl ocsp -CAfile CAS/cabundle.pem -VAfile VAS/def_ocsp.pem -issuer CAS/IC\ ABC\ CA3\ DEV.cer -cert CERTS/0x500c8bd-revoked.pem -url http://ocspresponder:8080<http://ocspresponder:8080/>

Response verify OK
CERTS/0x500c8bd-revoked.pem: unknown
This Update: Dec 9 20:48:26 2015 GMT

as you can see the client was NOT informed the certificate was revoked.
and also that it is not good -> unknown, revoked and good are the 3 values ...

We are using a 3rd party vendors OCSP service, and I am of the opinion that an OCSP service should provide a revoked response regardless of the time validity of the CRL.
does the OCSP responder cert be the signing cert itself or was it signed by the same signing cert that signed the cert you want to validate?

or specific to your sample: did CAS/IC\ ABC\ CA3\ DEV.cer sign both CERTS/0x500c8bd-revoked.pem and the OCSP responder cert (VAS/def_ocsp.pem)?


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20151210/4c2a6641/attachment.html>

More information about the openssl-users mailing list