Unable to verify OCSP response

abergmann · December 17, 2015, 6:19pm

I’ve just tried to verify the OCSP response but was unable so far. The certificate itself verifies successfully on the local certificate chain, but the OCSP part is somehow broken.

Local verification:

Intermediate Certificate verification:

#> openssl verify chain1.pem 
chain1.pem: OK

Server Certificate verification via Intermediate Cert:

#> openssl verify -CAfile chain1.pem cert1.pem 
cert1.pem: OK

And the local Root CA Certificate:

#> openssl x509 -noout -issuer_hash -in chain1.pem 
2e5ac55d
#> ls -l /etc/ssl/certs/2e5ac55d* | cut -d ' ' -f 9-11
/etc/ssl/certs/2e5ac55d.0 -> DST_Root_CA_X3.pem

So all certificates for the chain are there and working fine (locally).

Now the OCSP Verification:

First extract the OCSP URI from the server certificate:

#> openssl x509 -noout -ocsp_uri -in cert1.pem 
http://ocsp.int-x1.letsencrypt.org/

Now we use this URI in our OCSP request line:

#> openssl ocsp -no_nonce \
-header Host ocsp.int-x1.letsencrypt.org \
-url http://ocsp.int-x1.letsencrypt.org/ \
-issuer chain1.pem \
-CAfile chain1.pem \
-cert cert1.pem
Response Verify Failure
140406376715920:error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found:ocsp_vfy.c:85:
cert1.pem: good
    This Update: Dec 15 22:00:00 2015 GMT
    Next Update: Dec 22 22:00:00 2015 GMT

As you can see, the certificate was proven good, but the response could not be verified.

The extended output shows a bit more information of what’s going on.

Here’s the OCSP Request that was sent to the OCSP responder:

OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: BC5772E2797C56E39994598D75A4A3D24C4C85C5
          Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
          Serial Number: ****

And the OCSP Response that was received:

OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X1
    Produced At: Dec 15 22:30:00 2015 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: BC5772E2797C56E39994598D75A4A3D24C4C85C5
      Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
      Serial Number: ****
    Cert Status: good
    This Update: Dec 15 22:00:00 2015 GMT
    Next Update: Dec 22 22:00:00 2015 GMT

    Signature Algorithm: sha256WithRSAEncryption

Now comes a biggie. The OCSP Responder Id is the “CN = Let’s Encrypt Authority X1” certificate. In other words the intermediate certificate we have locally. Unfortunately this certificate does not have the X509v3 Extended Key Usage support for OCSP Signing.

Usually a special OCSP responder certificate is signed by the intermediate certificate and then used for OCSP response signing. It then is attached to the OCSP response so that the whole cert chain can be verified.

I’ve tested the whole steps with the certificate from http://wikipedia.org and everything is working fine over there.

kerio · December 17, 2015, 7:06pm

I believe it’s done on purpose, to reduce the size of the OCSP responses and to avoid having to build a whole new trust chain on the client. I’m not sure if they’re allowed to sign OCSP responses without the OCSP Signing key usage, though.

jsha · December 17, 2015, 7:22pm

That is correct. And the OCSP Signing key usage is only required for dedicated OCSP signing certs. Signing OCSP directly from the issuer doesn't require additional extensions.

abergmann · December 17, 2015, 7:36pm

Interesting, I didn't know that the issuer certificate can be used directly. Have to test this.

Okay, in that case one question still remains. Why is the above openssl ocsp command not coming back with a Response verify OK message?

jsha · December 17, 2015, 8:45pm

I believe you need to add -verify_other chain1.pem.

abergmann · December 17, 2015, 8:57pm

Nice one. It's working perfectly now. Thanks!