I'm attempting configuration of mod_nss to use an OCSP responder.  My
OCSP responder uses a self signed certificate (call it OCSPcert) to
sign responses, my web server uses a certificate (call it SERVERcert)
signed by a trusted CA (call it CA1cert).  I also have a second
trusted CA (call it CA2cert) that has issued my client certificates
(CLIENTcert).  I've set up the NSS cert database and it has what I'd
assume are the most liberal settings for the certificates mentioned.
Here are the perms on those certs.

OCSPcert CT,C,C
SERVERcert CTu,Cu,Cu
CA1cert CT,C,C
CA2cert CT,C,C
CLIENTcert (nothing in the database)

I'm experiencing the following behavior

Case 1
  Configuration
    NSSVerifyClient require
    NSSOCSP         on
  Result
    The server does not start.
    The following show up in the apache error logs.
      Certificate not verified: 'Server-Cert'
      SSL Library Error: -8062 The signer of the OCSP response is not \
        authorized to give status for this certificate
      Unable to verify certificate 'Server-Cert'. Add \
        "NSSEnforceValidCerts off" to nss.conf so the server can start \
        until the problem can be resolved.

Case 2
  Configuration
    NSSVerifyClient require
    NSSOCSP         on
    NSSEnforceValidCerts off
  Result
    The server starts but no users with valid certs can view pages.
    A packet capture shows that a successful OCSP attempt is made to verify \
      the server's certificate.  Then a second OCSP attempt is made to verify \
      the first client certificate and once that fails never tries again.
    The following show up in the apache error log for each user attempt to \
      view a web page.
      Bad remote server certificate: -8071
      SSL Library Error: -8071 The OCSP server experienced an internal error
      SSL Library Error: -8071 The OCSP server experienced an internal error

Any suggestions on how to fix this would be greatly appreciated.

Thanks
Ahnjoan
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
