[ipxe-devel] Fwd: Re: OCSP check not working correctly?
Michael Brown
mbrown at fensystems.co.uk
Wed May 29 16:03:08 UTC 2013
On 29/05/13 11:15, Christian Stroehmeier wrote:
> thanks for your elaborate answer. I forwarded this to our certificate
> guys and they came up with a simple idea of a patch. I did some fixing
> so it would actually compile, and now it works for me. I am not really
> familiar with your workflow regarding patches, so I figured I just
> attach it here :)
Thanks for the patch. It's not production-ready (it has a memory leak
and it masks genuine OCSP errors) but it was enough to push me into
writing a proper fix:
http://git.ipxe.org/ipxe.git/commitdiff/0036fdd
I have tested this against your web server on
https://groups.uni-paderborn.de/, and it does work.
I have not been able to test the code path for responder certificates
identified by public key hash (rather than by name), since there seems
to be no way to configure the OpenCA OCSP responder to use this form of
responder ID.
Incidentally, your web server is providing a certificate chain which
includes the CA root certificate ("Deutsche Telekom Root CA 2"). Web
servers usually do not provide the CA root certificate as part of their
certificate chain.
If you omit the CA root certificate from the web server's certificate
chain, then iPXE will be able to obtain it automatically using the
cross-signing mechanism, and you will no longer need to use a custom
iPXE compiled with TRUST=deutsche-telekom-root-ca-2.crt. Other browsers
will not be affected. I would recommend that you do this.
Michael
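An added illustration of the responder-ID point above (this is example code written for this page, not iPXE's own implementation or the OpenCA responder's): RFC 6960 lets an OCSP response identify its signer either byName (the responder's subject Name) or byKey (a KeyHash, the SHA-1 of the responder's subjectPublicKey BIT STRING with tag, length and unused-bits octet stripped, the same bytes RFC 5280 hashes for a method-1 subject key identifier). The snippet below hand-encodes enough DER to build both forms, then matches each against a candidate responder certificate's subject and SubjectPublicKeyInfo. The SPKI, the RSA modulus and the commonName are constructed toy values, not real keys or real responders.

```python
import hashlib

# --- Minimal DER helpers, enough for SubjectPublicKeyInfo and ResponderID ---

def der_len(n):
    """DER length, short or long form."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der_tlv(tag, content):
    """One tag-length-value element."""
    return bytes([tag]) + der_len(len(content)) + content

def der_int(value):
    # Non-negative INTEGER; a leading 0x00 keeps a set high bit from reading as negative.
    return der_tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def der_read(buf, pos=0):
    """Decode the TLV at buf[pos]; returns (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

# --- RFC 6960 ResponderID handling ---

def spki_key_hash(spki_der):
    """KeyHash: SHA-1 over the subjectPublicKey BIT STRING contents, excluding
    tag, length and the unused-bits octet (RFC 6960 4.2.1)."""
    tag, spki, _ = der_read(spki_der)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, _alg, pos = der_read(spki)            # AlgorithmIdentifier, not needed here
    if tag != 0x30:
        raise ValueError("bad AlgorithmIdentifier")
    tag, bitstr, _ = der_read(spki, pos)       # subjectPublicKey BIT STRING
    if tag != 0x03 or not bitstr or bitstr[0] != 0:
        raise ValueError("subjectPublicKey must be a BIT STRING with no unused bits")
    return hashlib.sha1(bitstr[1:]).digest()

def parse_responder_id(rid_der):
    """ResponderID ::= CHOICE { byName [1] Name, byKey [2] KeyHash }, EXPLICIT tags."""
    tag, content, _ = der_read(rid_der)
    if tag == 0xA1:                            # byName: content is the Name SEQUENCE
        return "byName", content
    if tag == 0xA2:                            # byKey: content is an OCTET STRING
        itag, keyhash, _ = der_read(content)
        if itag != 0x04 or len(keyhash) != hashlib.sha1().digest_size:
            raise ValueError("malformed KeyHash")
        return "byKey", keyhash
    raise ValueError("unknown ResponderID tag 0x%02x" % tag)

def responder_matches(rid_der, cert_subject_der, cert_spki_der):
    """True if the ResponderID identifies a cert with this subject / public key.
    byName is compared as exact DER here, a simplification of RFC 5280 name matching."""
    kind, value = parse_responder_id(rid_der)
    if kind == "byName":
        return value == cert_subject_der
    return value == spki_key_hash(cert_spki_der)

# --- Constructed sample data: toy modulus and names, not a real responder ---

RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")   # 1.2.840.113549.1.1.1
COMMON_NAME_OID = bytes.fromhex("0603550403")                  # 2.5.4.3

def build_rsa_spki(n, e):
    alg = der_tlv(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")
    rsa_public_key = der_tlv(0x30, der_int(n) + der_int(e))
    return der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + rsa_public_key))

def build_cn_name(cn):
    atv = der_tlv(0x30, COMMON_NAME_OID + der_tlv(0x0C, cn.encode()))
    return der_tlv(0x30, der_tlv(0x31, atv))      # Name { RDN SET { AttributeTypeAndValue } }

RESPONDER_SPKI = build_rsa_spki(int("c0ffee" * 10 + "0bad", 16), 65537)
OTHER_SPKI = build_rsa_spki(int("deadbeef" * 8, 16), 65537)
RESPONDER_NAME = build_cn_name("Example OCSP Responder")
OTHER_NAME = build_cn_name("Some Other CA")

def responder_id_by_key(spki_der):
    return der_tlv(0xA2, der_tlv(0x04, spki_key_hash(spki_der)))

def responder_id_by_name(name_der):
    return der_tlv(0xA1, name_der)

def demo():
    """Exercise both CHOICE arms against the matching and a non-matching certificate."""
    by_key = responder_id_by_key(RESPONDER_SPKI)
    by_name = responder_id_by_name(RESPONDER_NAME)
    return {
        "byKey kind": parse_responder_id(by_key)[0],
        "byKey matches responder cert": responder_matches(by_key, RESPONDER_NAME, RESPONDER_SPKI),
        "byKey rejects other key": responder_matches(by_key, RESPONDER_NAME, OTHER_SPKI),
        "byName matches responder cert": responder_matches(by_name, RESPONDER_NAME, RESPONDER_SPKI),
        "byName rejects other name": responder_matches(by_name, OTHER_NAME, RESPONDER_SPKI),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
    print("responder KeyHash:", spki_key_hash(RESPONDER_SPKI).hex())
```

The practical point for testing a byKey code path: the hash input is the raw key bit string, so a responder certificate whose subject changes but whose key is reused still matches, and a responder that re-keys stops matching even with an identical name. A real verifier also has to confirm that the matched certificate is the CA itself or carries id-kp-OCSPSigning and chains to the CA, which this matcher deliberately leaves out.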