[ipxe-devel] OCSP check not working correctly?

Michael Brown mbrown at fensystems.co.uk
Tue May 28 10:17:26 UTC 2013 

On Monday 27 May 2013 12:40:23 Christian Stroehmeier wrote:
> I am currently tasked with porting all our legacy pxe installations to
> ipxe. To authenticate we have a restricted area on a webserver and get
> the ipxe script via HTTPS.
> This worked very well and straightforward, until that webserver got a
> new certificate which now offers OCSP.
> Somehow the OCSP request ipxe sends does not work (works in Firefox, so
> the responder should be set up correctly).
> Any insights on that? I compiled ipxe with all three relevant
> CA/intermediate certificates relevant, and DEBUG=x509:3,ocsp:3 resulted
> in the log attached to this mail.
> The webserver in question is https://groups.uni-paderborn.de/, feel free
> to try it yourself.
> 
> I am completely unfamiliar with OCSP and have only basic knowledge of
> SSL, so any help would be appreciated.

It seems as though your OCSP response includes several certificates:

  CN=DFN-Verein PCA Global - G01
  CN=Universitaet Paderborn CA - G01
  CN=PN: OCSP-Responder (the OCSP signing cert)

The OCSP data structure does allow for multiple certificates, but RFC2560 
mandates that the OCSP signing certificate must either be the original cert's 
issuer, or must be directly signed by the original cert's issuer.  iPXE 
therefore assumes (in ocsp_parse_certs()) that there is exactly one certificate 
to be parsed from the OCSP response, since any other certificates would be 
either invalid or extraneous.

iPXE is thus taking the first certificate ("DFN-Verein PCA Global - G01") from 
the OCSP response and attempting to use that as the OCSP signing certificate.  
This fails, since that certificate is not the one used for OCSP signing.

You can work around the problem by ensuring that your OCSP responder includes 
only its own certificate ("PN: OCSP-Responder"), or by ensuring that this 
certificate is first in the certificate chain.

Alternatively, patches to automatically identify the signing cert via the 
"Certificate ID" field of the OCSP response data are welcome!

Michael

More information about the ipxe-devel mailing list