[openssl-users] OpenSSL OCSP and RFC 6960

Gena Makhomed gmm at csdoc.com
Fri Sep 14 14:30:34 UTC 2018

Hello, All!

For certificates generated by "Let's Encrypt Authority X3"
for getting ocsp response from letsencrypt I need to use such command:

# openssl ocsp -verify_other chain.pem \
                -issuer chain.pem \
                -cert cert.pem \
                -text \
                -url http://ocsp.int-x3.letsencrypt.org \
                -header "Host" "ocsp.int-x3.letsencrypt.org"


If I remove '-header "Host" "ocsp.int-x3.letsencrypt.org"'
from command line I got error:

Error querying OCSP responder
140274026829712:error:27076072:OCSP routines:PARSE_HTTP_LINE1:server 
response error:ocsp_ht.c:314:Code=400,Reason=Bad Request

openssl ocsp utility does not send 'Host' header by default?
But why? Looks like this is bug.


If I remove '-verify_other chain.pem' from command line I got error:

Response Verify Failure
140272439146384:error:27069076:OCSP routines:OCSP_basic_verify:signer 
certificate not found:ocsp_vfy.c:92:

'man ocsp' tell what

        -verify_other file
            file containing additional certificates to search
            when attempting to locate the OCSP response signing
            certificate. Some responders omit the actual signer's
            certificate from the response: this option can be used
            to supply the necessary certificate in such cases.

But why I need to provide '-verify_other chain.pem'
with issuer certificate?

As I understand, RFC 6960 tell what only issuer certificate
is required for OCSP response verification.

Looks like this is bug in OpenSSL library / openssl ocsp utility.

Best regards,

More information about the openssl-users mailing list