[ipxe-devel] Fwd: Re: OCSP check not working correctly?

Michael Brown mbrown at fensystems.co.uk
Wed May 29 16:03:08 UTC 2013


On 29/05/13 11:15, Christian Stroehmeier wrote:
> thanks for your elaborate answer. I forwarded this to our certificate
> guys and they came up with a simple idea of a patch. I did some fixing
> so it would actually compile, and now it works for me. I am not really
> familiar with your workflow regarding patches, so I figured I just
> attach it here :)

Thanks for the patch.  It's not production-ready (it has a memory leak 
and it masks genuine OCSP errors) but it was enough to push me into 
writing a proper fix:

   http://git.ipxe.org/ipxe.git/commitdiff/0036fdd

I have tested this against your web server on 
https://groups.uni-paderborn.de/, and it does work.

I have not been able to test the code path for responder certificates 
identified by public key hash (rather than by name), since there seems 
to be no way to configure the OpenCA OCSP responder to use this form of 
responder ID.


Incidentally, your web server is providing a certificate chain which 
includes the CA root certificate ("Deutsche Telekom Root CA 2").  Web 
servers usually do not provide the CA root certificate as part of their 
certificate chain.

If you omit the CA root certificate from the web server's certificate 
chain, then iPXE will be able to obtain it automatically using the 
cross-signing mechanism, and you will no longer need to use a custom 
iPXE compiled with TRUST=deutsche-telekom-root-ca-2.crt.  Other browsers 
will not be affected.  I would recommend that you do this.

Michael
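The responder-certificate lookup mentioned above has two forms in RFC 6960: the ResponderID in a BasicOCSPResponse is either byName (the responder's subject Name) or byKey (a SHA-1 hash of the responder's public key). The following is an added example of how the two forms are matched against a candidate certificate; it is not part of the original message and not iPXE's code, and the DER helpers, the toy RSA key, the OID constants and the names in it are constructed for illustration only.

```python
import hashlib

# Added example: matching an OCSP ResponderID (RFC 6960 section 4.2.1)
# against a candidate responder certificate. Not iPXE's code; the DER
# helpers, the toy RSA key and the names are constructed for illustration.

# --- minimal DER encode/decode, enough for the structures used here ---

def der_len(n):
    """DER length octets (short and long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, content):
    """Encode one TLV with a single-octet tag."""
    return bytes([tag]) + der_len(len(content)) + content

def der_int(value):
    """Encode a non-negative INTEGER (extra zero octet keeps the sign bit clear)."""
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def der_read(buf, pos=0):
    """Decode the TLV at buf[pos]; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

OID_RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1
OID_COMMON_NAME = bytes.fromhex("550403")                  # 2.5.4.3

def rsa_spki(n, e):
    """SubjectPublicKeyInfo for an RSA key (toy values are fine; nothing is signed)."""
    rsa_public_key = der(0x30, der_int(n) + der_int(e))
    algorithm = der(0x30, der(0x06, OID_RSA_ENCRYPTION) + der(0x05, b""))
    subject_public_key = der(0x03, b"\x00" + rsa_public_key)  # 0 unused bits
    return der(0x30, algorithm + subject_public_key)

def name_cn(common_name):
    """X.501 Name with a single commonName RDN (UTF8String)."""
    atv = der(0x30, der(0x06, OID_COMMON_NAME) + der(0x0C, common_name.encode()))
    return der(0x30, der(0x31, atv))

# --- the OCSP-specific part ---

def responder_key_hash(spki_der):
    """RFC 6960 KeyHash: SHA-1 over the subjectPublicKey BIT STRING value,
    excluding tag, length and the unused-bits octet (the same bytes as the
    RFC 5280 method-1 subjectKeyIdentifier, and what OpenSSL hashes)."""
    _, spki, _ = der_read(spki_der)
    _, _algorithm, pos = der_read(spki)          # skip AlgorithmIdentifier
    tag, bits, _ = der_read(spki, pos)
    if tag != 0x03:
        raise ValueError("subjectPublicKey is not a BIT STRING")
    return hashlib.sha1(bits[1:]).digest()

def responder_id_by_name(name_der):
    """ResponderID ::= byName [1] EXPLICIT Name."""
    return der(0xA1, name_der)

def responder_id_by_key(spki_der):
    """ResponderID ::= byKey [2] EXPLICIT KeyHash (an OCTET STRING)."""
    return der(0xA2, der(0x04, responder_key_hash(spki_der)))

def responder_id_matches(responder_id_der, cert_subject_der, cert_spki_der):
    """True if the ResponderID identifies the certificate with the given
    subject Name and SubjectPublicKeyInfo. Name comparison is byte-exact
    on the DER here, which is a simplification of X.501 name matching."""
    tag, content, _ = der_read(responder_id_der)
    if tag == 0xA1:                                  # byName
        return content == cert_subject_der
    if tag == 0xA2:                                  # byKey
        inner_tag, key_hash, _ = der_read(content)
        return inner_tag == 0x04 and key_hash == responder_key_hash(cert_spki_der)
    raise ValueError("unknown ResponderID choice tag 0x%02x" % tag)

# Constructed sample data: a toy 64-bit "modulus" and a made-up responder name.
TOY_N = 0xC0FFEE1234567891
TOY_E = 65537
RESPONDER_NAME = name_cn("Example OCSP Responder")
RESPONDER_SPKI = rsa_spki(TOY_N, TOY_E)

def demo():
    """Exercise both ResponderID forms against the same responder certificate data."""
    return {
        "by_name": responder_id_matches(responder_id_by_name(RESPONDER_NAME),
                                        RESPONDER_NAME, RESPONDER_SPKI),
        "by_key": responder_id_matches(responder_id_by_key(RESPONDER_SPKI),
                                       RESPONDER_NAME, RESPONDER_SPKI),
        "wrong_key": responder_id_matches(responder_id_by_key(rsa_spki(TOY_N + 2, TOY_E)),
                                          RESPONDER_NAME, RESPONDER_SPKI),
    }

if __name__ == "__main__":
    print(demo())
```

Matching the ResponderID only selects which certificate in the response (or in the trust chain) is the candidate signer; a client still has to verify the response signature with that certificate's key and check that the certificate is actually authorised to sign OCSP responses for the CA in question, otherwise a response signed by any key whose hash is quoted in the byKey field would be accepted.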


