
Hello,

I am using stunnel 4.18 and openca-ocspd 1.5.1. The OCSPd uses a delegate certificate and the setup works when tested with openssl:

$ openssl ocsp -issuer /home/landau/ssl/cacert.pem -serial 3 -url http://localhost:2560 -CAfile /home/landau/ssl/cacert.pem
Response verify OK
3: good
        This Update: Mar 23 18:27:37 2007 GMT
        Next Update: Mar 26 10:56:33 2007 GMT

But when it comes to using stunnel, I cannot figure out how to make it use OCSP properly. I could see that stunnel 4.19 had more options for ocsp, but I am unsure this is related to my current issue.

Besides, is there a way to have stunnel fall back on local cert/crl files if the ocsp server is not available?

Regards,
--
Samuel Landau
2007.03.26 12:59:05 LOG5[29250:3083020512]: stunnel 4.18 on i486-pc-linux-gnu with OpenSSL 0.9.8c 05 Sep 2006
2007.03.26 12:59:05 LOG5[29250:3083020512]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
2007.03.26 12:59:05 LOG6[29250:3083020512]: file ulimit = 1024 (can be changed with 'ulimit -n')
2007.03.26 12:59:05 LOG6[29250:3083020512]: poll() used - no FD_SETSIZE limit for file descriptors
2007.03.26 12:59:05 LOG5[29250:3083020512]: 500 clients allowed
2007.03.26 12:59:05 LOG7[29250:3083020512]: FD 4 in non-blocking mode
2007.03.26 12:59:05 LOG7[29250:3083020512]: FD 5 in non-blocking mode
2007.03.26 12:59:05 LOG7[29250:3083020512]: FD 6 in non-blocking mode
2007.03.26 12:59:05 LOG7[29250:3083020512]: SO_REUSEADDR option set on accept socket
2007.03.26 12:59:05 LOG7[29250:3083020512]: server bound to 127.0.0.1:12345
2007.03.26 12:59:05 LOG7[29250:3083020512]: Created pid file /home/landau/stunnel4.pid
2007.03.26 12:59:12 LOG7[29250:3083020512]: server accepted FD=7 from 127.0.0.1:36200
2007.03.26 12:59:12 LOG7[29250:3082972080]: server started
2007.03.26 12:59:12 LOG7[29250:3082972080]: FD 7 in non-blocking mode
2007.03.26 12:59:12 LOG7[29250:3082972080]: TCP_NODELAY option set on local socket
2007.03.26 12:59:12 LOG7[29250:3082972080]: FD 8 in non-blocking mode
2007.03.26 12:59:12 LOG7[29250:3082972080]: FD 9 in non-blocking mode
2007.03.26 12:59:12 LOG7[29250:3083020512]: Cleaning up the signal pipe
2007.03.26 12:59:12 LOG6[29250:3083020512]: Child process 29252 finished with code 0
2007.03.26 12:59:12 LOG7[29250:3082972080]: Connection from 127.0.0.1:36200 permitted by libwrap
2007.03.26 12:59:12 LOG5[29250:3082972080]: server connected from 127.0.0.1:36200
2007.03.26 12:59:12 LOG7[29250:3082972080]: SSL state (accept): before/accept initialization
2007.03.26 12:59:12 LOG7[29250:3082972080]: SSL state (accept): SSLv3 read client hello A
2007.03.26 12:59:12 LOG7[29250:3082972080]: SSL state (accept): SSLv3 write server hello A
2007.03.26 12:59:12 LOG7[29250:3082972080]: SSL state (accept): SSLv3 write certificate A
2007.03.26 12:59:12 LOG7[29250:3082972080]: SSL state (accept): SSLv3 write certificate request A
2007.03.26 12:59:12 LOG7[29250:3082972080]: SSL state (accept): SSLv3 flush data
2007.03.26 12:59:12 LOG6[29250:3082972080]: *** starting OCSP verification ***
2007.03.26 12:59:12 LOG7[29250:3082972080]: FD 8 in non-blocking mode
2007.03.26 12:59:12 LOG7[29250:3082972080]: connect_wait: waiting 10 seconds
2007.03.26 12:59:12 LOG7[29250:3082972080]: connect_wait: connected
2007.03.26 12:59:12 LOG7[29250:3082972080]: OCSP server connected
2007.03.26 12:59:12 LOG7[29250:3082972080]: FD 8 in blocking mode
2007.03.26 12:59:12 LOG7[29250:3082972080]: FD 8 in non-blocking mode
2007.03.26 12:59:12 LOG6[29250:3082972080]: OCSP response received
2007.03.26 12:59:12 LOG3[29250:3082972080]: OCSP_basic_verify: 27069076: error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found
2007.03.26 12:59:12 LOG7[29250:3082972080]: SSL alert (write): fatal: certificate unknown
2007.03.26 12:59:12 LOG3[29250:3082972080]: SSL_accept: 140890B2: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
2007.03.26 12:59:12 LOG5[29250:3082972080]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2007.03.26 12:59:12 LOG7[29250:3082972080]: server finished (0 left)
2007.03.26 12:59:16 LOG3[29250:3083020512]: Received signal 2; terminating
2007.03.26 12:59:16 LOG7[29250:3083020512]: removing pid file /home/landau/stunnel4.pid

cert = landau.pem
key = landau.key
sslVersion = SSLv3
pid = /home/landau/ssl/stunnel4.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
compression = zlib
foreground = yes
verify = 3
CApath = /home/landau/ssl/
CAfile = /home/landau/ssl/cacert.pem
debug = 7
output = /home/landau/ssl/stunnel4.log
client = no

[server]
accept = localhost:12345
ocsp = http://localhost:2560
pty = no
exec = /bin/bash
execargs = bash
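The debug log above contains the two facts an operator needs when an OCSP-backed client-certificate check fails: whether the responder was reached at all (here it was, "OCSP response received"), and whether the response could then be verified (here it could not, "OCSP_basic_verify ... signer certificate not found"). The fallback question in the post hinges on exactly that distinction, since an unreachable responder and an untrusted responder signature call for different operator responses. The following script is an added example, not code from the original post or from the stunnel project: it parses the stunnel `LOGn[pid:tid]` line format, correlates records per worker thread, and classifies each client connection's OCSP outcome. The two embedded logs are constructed samples; the first is a trimmed copy of the lines quoted above, the second is an invented no-response case used only to show the other branch.

```python
import re
from collections import defaultdict

# Constructed sample 1: trimmed from the stunnel 4.18 debug log quoted in the post.
SAMPLE_LOG = """\
2007.03.26 12:59:05 LOG5[29250:3083020512]: stunnel 4.18 on i486-pc-linux-gnu with OpenSSL 0.9.8c 05 Sep 2006
2007.03.26 12:59:12 LOG5[29250:3082972080]: server connected from 127.0.0.1:36200
2007.03.26 12:59:12 LOG6[29250:3082972080]: *** starting OCSP verification ***
2007.03.26 12:59:12 LOG7[29250:3082972080]: OCSP server connected
2007.03.26 12:59:12 LOG6[29250:3082972080]: OCSP response received
2007.03.26 12:59:12 LOG3[29250:3082972080]: OCSP_basic_verify: 27069076: error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found
2007.03.26 12:59:12 LOG7[29250:3082972080]: SSL alert (write): fatal: certificate unknown
2007.03.26 12:59:12 LOG3[29250:3082972080]: SSL_accept: 140890B2: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
2007.03.26 12:59:12 LOG5[29250:3082972080]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
"""

# Constructed sample 2 (invented, not from the post): OCSP started but no response ever arrived.
SAMPLE_LOG_NO_RESPONSE = """\
2007.03.26 13:05:01 LOG5[29250:3082972080]: server connected from 127.0.0.1:36311
2007.03.26 13:05:01 LOG6[29250:3082972080]: *** starting OCSP verification ***
2007.03.26 13:05:11 LOG7[29250:3082972080]: SSL alert (write): fatal: certificate unknown
2007.03.26 13:05:11 LOG5[29250:3082972080]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
"""

# stunnel 4.x log line: "YYYY.MM.DD HH:MM:SS LOG<level>[<pid>:<tid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<date>\d{4}\.\d{2}\.\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"LOG(?P<level>\d)\[(?P<pid>\d+):(?P<tid>\d+)\]: (?P<msg>.*)$"
)
# OpenSSL error string: "error:<hexcode>:<library>:<function>:<reason>"
OSSL_ERR_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]+):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>.+)$"
)


def parse_line(line):
    """Return a dict for one stunnel log line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["level"] = int(rec["level"])
    return rec


def _reason(msg):
    """Extract the human-readable reason from an OpenSSL error string, else the raw message."""
    e = OSSL_ERR_RE.search(msg)
    return e.group("reason") if e else msg


def triage(log_text):
    """Group records by stunnel thread id and summarise the OCSP outcome of each connection.

    Returns {tid: {"peer", "ocsp_started", "ocsp_response", "ocsp_error",
                   "handshake_error", "alert"}} for threads that handled a peer.
    """
    new = lambda: {"peer": None, "ocsp_started": False, "ocsp_response": False,
                   "ocsp_error": None, "handshake_error": None, "alert": None}
    threads = defaultdict(new)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # not a stunnel log line (blank, truncated, other daemon)
        t, msg = threads[rec["tid"]], rec["msg"]
        if msg.startswith("server connected from "):
            t["peer"] = msg[len("server connected from "):]
        elif "starting OCSP verification" in msg:
            t["ocsp_started"] = True
        elif msg == "OCSP response received":
            t["ocsp_response"] = True
        elif msg.startswith("OCSP_"):          # an OpenSSL OCSP_* routine reported failure
            t["ocsp_error"] = _reason(msg)
        elif msg.startswith("SSL alert (write): fatal: "):
            t["alert"] = msg.split("fatal: ", 1)[1]
        elif msg.startswith(("SSL_accept:", "SSL_connect:")):
            t["handshake_error"] = _reason(msg)
    # The main/accept thread never logs "server connected from", so it is dropped here.
    return {tid: t for tid, t in threads.items() if t["peer"] is not None}


def classify(t):
    """Map one connection summary to an operator-facing outcome label."""
    if not t["ocsp_started"]:
        return "no-ocsp"
    if not t["ocsp_response"]:
        return "responder-unreachable"   # network/availability problem at the responder
    if t["ocsp_error"]:
        return "ocsp-verify-failed"      # response arrived but could not be trusted
    return "ocsp-ok"


if __name__ == "__main__":
    for name, text in (("quoted log", SAMPLE_LOG), ("constructed no-response log", SAMPLE_LOG_NO_RESPONSE)):
        for tid, t in triage(text).items():
            print(f"{name}: thread {tid} peer {t['peer']}: {classify(t)}"
                  f" (ocsp_error={t['ocsp_error']!r}, alert={t['alert']!r})")
```

Run against the quoted log the script reports the connection from 127.0.0.1:36200 as `ocsp-verify-failed` with reason `signer certificate not found`, which is the signal that the responder answered but its signing certificate was not accepted by the verifier; the constructed second sample is reported as `responder-unreachable`. Separating those two outcomes in monitoring is what makes a fallback-to-CRL policy decision auditable rather than silent.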