From stappers at stappers.nl Wed Nov 1 20:58:38 2023
From: stappers at stappers.nl (Geert Stappers)
Date: Wed, 1 Nov 2023 21:58:38 +0100
Subject: [ipxe-devel] ipxe.org OCSP server check
In-Reply-To: <0102018b825772c7-cde503f7-ebf5-462d-ab3c-8bdbf307552f-000000@eu-west-1.amazonses.com>
References: <0102018a5fecaa44-7ede61b2-1f5e-4144-9f7f-4d530da8d470-000000@eu-west-1.amazonses.com>
 <0102018b825772c7-cde503f7-ebf5-462d-ab3c-8bdbf307552f-000000@eu-west-1.amazonses.com>
Message-ID:

On Mon, Oct 30, 2023 at 08:47:31PM +0000, Geert Stappers via ipxe-devel wrote:
> On Mon, Sep 04, 2023 at 11:21:00AM +0000, Michael Brown via ipxe-devel wrote:
> >
> > When using the openssl tools, you need to specify the iPXE root CA as the
> > root of trust in order to match iPXE's verification results. For the ocsp
> > subcommand, the relevant option is "-CAfile". For example:
> >
> > $ wget -q https://ca.ipxe.org/ca.crt
> > $ wget -q https://ca.ipxe.org/cross-ca.crt
> > $ wget -q https://ca.ipxe.org/cross/cross-gts-root-r4.crt
> >
> > $ openssl ocsp -CAfile ca.crt -issuer ca.crt \
> > -cert cross-ca.crt \
> > -url http://ocsp.ipxe.org/ocsp/root/
> > Response verify OK
> > cross-ca.crt: good
> > This Update: Sep 1 11:01:57 2023 GMT
> > Next Update: Sep 4 11:22:25 2023 GMT
> >
> > $ openssl ocsp -CAfile ca.crt -issuer cross-ca.crt \
> > -cert cross-gts-root-r4.crt \
> > -url http://ocsp.ipxe.org/ocsp/cross/
> > Response verify OK
> > cross-digicert-assured-id-root-ca.crt: good
> > This Update: Sep 1 11:02:47 2023 GMT
> > Next Update: Sep 4 11:22:43 2023 GMT
> >
>
> Ah, thanks, for future "copy and paste":
>
> --------8<---8<---8<-------
>
> wget -q https://ca.ipxe.org/ca.crt
> wget -q https://ca.ipxe.org/cross-ca.crt
> wget -q https://ca.ipxe.org/cross/cross-gts-root-r4.crt
>
> ls -ltr *.crt
>
> openssl ocsp -CAfile ca.crt -issuer ca.crt \
> -cert cross-ca.crt \
> -url http://ocsp.ipxe.org/ocsp/root/
>
> openssl ocsp -CAfile ca.crt -issuer cross-ca.crt \
> -cert cross-gts-root-r4.crt \
> -url http://ocsp.ipxe.org/ocsp/cross/
>
> echo rm *.crt
>
> --------8<---8<---8<-------
>
> Output I got today:
>
>
> -rw-r--r-- 1 stappers stappers 1383 18 mrt 2012 ca.crt
> -rw-r--r-- 1 stappers stappers 1229 29 feb 2016 cross-ca.crt
> -rw------- 1 stappers stappers 1180 1 okt 10:36 cross-gts-root-r4.crt
> Response verify OK
> cross-ca.crt: good
> This Update: Oct 1 08:01:19 2023 GMT
> Next Update: Oct 30 20:39:51 2023 GMT
> Response verify OK
> cross-gts-root-r4.crt: good
> This Update: Oct 1 08:36:38 2023 GMT
> Next Update: Oct 30 20:39:51 2023 GMT
> rm ca.crt cross-ca.crt cross-gts-root-r4.crt
>
>
>
> Regards
> Geert Stappers
> Back in a few days

-rw-r--r-- 1 stappers stappers 1383 18 mrt 2012 ca.crt
-rw-r--r-- 1 stappers stappers 1229 29 feb 2016 cross-ca.crt
-rw-r--r-- 1 stappers stappers 1180 1 nov 13:39 cross-gts-root-r4.crt
Response verify OK
cross-ca.crt: good
This Update: Nov 1 11:59:31 2023 GMT
Next Update: Nov 1 19:37:17 2023 GMT
Response verify OK
cross-gts-root-r4.crt: good
This Update: Nov 1 12:39:02 2023 GMT
Next Update: Nov 1 19:37:17 2023 GMT

Regards
Geert Stappers
--
Silence is hard to parse
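The checks in this thread rely on three things in what `openssl ocsp` prints: "Response verify OK" (the responder's signature chained to the CA passed with `-CAfile`), a "good" status for the certificate asked about, and a This Update / Next Update window that contains the time of the check. The Nov 1 run above illustrates why the window matters: Next Update is 19:37:17 GMT, a few hours after This Update, and the mail itself went out at 21:58 +0100, so that particular response had already passed its nextUpdate by the time it was posted. As an added example, not code from this thread or from the iPXE project, here is a small Python parser for that text output plus an assessment that flags an unverified response, a non-good or missing status, and a stale or future-dated window. The sample output embedded in the block is constructed from the Nov 1 lines in this mail; the function names and the five-minute skew allowance are my own assumptions, and the parser expects the output of one openssl invocation at a time.

```python
"""Parse `openssl ocsp` text output and decide whether the answer can be relied on.

Added example; not code from the ipxe-devel thread or the iPXE project.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample, modelled on the Nov 1 output quoted in the mail.
SAMPLE_OUTPUT = """\
Response verify OK
cross-ca.crt: good
This Update: Nov  1 11:59:31 2023 GMT
Next Update: Nov  1 19:37:17 2023 GMT
"""

# Tolerance for clock differences between this host and the responder (assumption).
CLOCK_SKEW = timedelta(minutes=5)

STATUS_RE = re.compile(r"^(?P<cert>\S+): (?P<status>good|revoked|unknown)$")
UPDATE_RE = re.compile(r"^(?P<which>This|Next) Update: (?P<when>.+)$")


def parse_ocsp_time(value):
    """Parse openssl's 'Nov  1 19:37:17 2023 GMT' form into an aware UTC datetime."""
    normalised = " ".join(value.split())  # openssl pads single-digit days with a space
    return datetime.strptime(normalised, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def parse_ocsp_output(text):
    """Return the verify flag, per-certificate status and validity window.

    'Response verify OK' is only printed when the responder signature chained to
    the CA given with -CAfile, so its absence is treated as 'not verified'
    (openssl writes 'Response Verify Failure' to stderr, not stdout).
    """
    parsed = {"verified": False, "statuses": {}, "this_update": None, "next_update": None}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Response verify OK":
            parsed["verified"] = True
            continue
        m = STATUS_RE.match(line)
        if m:
            parsed["statuses"][m.group("cert")] = m.group("status")
            continue
        m = UPDATE_RE.match(line)
        if m:
            key = "this_update" if m.group("which") == "This" else "next_update"
            parsed[key] = parse_ocsp_time(m.group("when"))
    return parsed


def assess(parsed, cert, now):
    """List the reasons this response must not be relied on for `cert`; empty means OK."""
    problems = []
    if not parsed["verified"]:
        problems.append("response signature did not verify against the supplied CA")
    status = parsed["statuses"].get(cert)
    if status is None:
        problems.append(f"no status line for {cert}")
    elif status != "good":
        problems.append(f"status for {cert} is {status}")
    this_update, next_update = parsed["this_update"], parsed["next_update"]
    if this_update is None:
        problems.append("thisUpdate missing")
    elif this_update > now + CLOCK_SKEW:
        problems.append("thisUpdate is in the future")
    # nextUpdate is optional in OCSP; when present, a response past it is stale.
    if next_update is not None and now > next_update + CLOCK_SKEW:
        problems.append(f"response is stale: nextUpdate was {next_update:%Y-%m-%d %H:%M:%S} UTC")
    return problems


if __name__ == "__main__":
    result = parse_ocsp_output(SAMPLE_OUTPUT)
    # Two reference times: shortly after thisUpdate, and when the mail was sent (21:58 +0100).
    for when in (parse_ocsp_time("Nov 1 12:39:00 2023 GMT"),
                 parse_ocsp_time("Nov 1 20:58:38 2023 GMT")):
        print(when.isoformat(), assess(result, "cross-ca.crt", when) or "OK")
```

Feed each openssl invocation's stdout to `parse_ocsp_output` separately (the mail concatenates two runs, and a single parse of both would keep only the second window), then call `assess` with the certificate file name you passed to `-cert` and the current UTC time; an empty list is the only result worth treating as a pass.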