1 (edited by j3ll3 2020-09-11 06:03:04)

Topic: Server with support for OCSP stapling

For evaluation of wolfSSL I am trying to create a server that supports OCSP stapling.

I expect that the server starts and will send an OCSP request to the OCSP responder so it can cache the OCSP response and staple it to the certificate when a client connects.

It is the equivalent of the openssl function which works:
openssl s_server -CAfile ~/workspace/v2g_pki/v2g_root/certs/v2g_root.cert.pem -key ~/workspace/v2g_pki/cpo_sub_1/private/cpo_sub_1.key.pem -cert ~/workspace/v2g_pki/cpo_sub_1/certs/cpo_sub_1.cert.pem -accept 11111 -status_verbose

Steps that I made:

1. Compile WolfSSL V4.5.0 on Linux with configuration: --enable-ocsp --enable-ocspstapling2 --enable-debug
2. Created my own PKI with:
- A root certificate
- An OCSP responder certificate (signed by the root CA)
- An intermediate certificate with an OCSP URI to the OCSP responder (signed by the root CA)
3. I verified the PKI with openssl and everything works as expected.
4. I have an OCSP responder running with openssl
5. I have the wolfSSL server running from the examples with: ./server -c ~/workspace/v2g_pki/cpo_sub_1/certs/cpo_sub_1.cert.pem -k ~/workspace/v2g_pki/cpo_sub_1/private/cpo_sub_1.key.pem -A ~/workspace/v2g_pki/v2g_root/certs/v2g_root.cert.pem -d -b
6. Now I run the wolfSSL client (also from the example) to connect to the wolfSSL server with: ./client -h 192.168.2.183 -A ~/v2g_root.cert.pem -x (this works as expected).
7. When I now run the client with OCSP stapling enabled (./client -W 3 -h 192.168.2.183 -A ~/v2g_root.cert.pem -x) I get the following error on the wolfSSL server:

wolfSSL Leaving SendCertificate, return 0
accept state CERT_SENT
wolfSSL Entering SendCertificateStatus
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetSerialNumber
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthInfo
wolfSSL Entering GetObjectId()
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
No CA signer to verify with
ParseCert failed
wolfSSL Entering FreeOcspRequest
wolfSSL Leaving SendCertificateStatus, return -188
wolfSSL error occurred, error = -188
wolfSSL Entering SSL_get_error
wolfSSL Leaving SSL_get_error, return -188
wolfSSL Entering SSL_get_error
wolfSSL Leaving SSL_get_error, return -188
wolfSSL Entering ERR_error_string
SSL_accept error -188, ASN no signer error to confirm failure
wolfSSL error: SSL_accept failed

I made a trace with wireshark and I can't see any OCSP requests/responses. The TLS connection is set up with a Client Hello, Server Hello and Certificate message, but then the server closes the TCP connection.
Now I am stuck with the error code -188. Does anyone have any suggestions?

Thank you in advance.


Re: Server with support for OCSP stapling

Hi j3ll3,

The -188 error indicates the certificate could not be tied back to a trusted CA. Perhaps a missing intermediate? Is it possible to share the wireshark and the certificates used? If you'd like to send them directly you can use support@wolfssl.com.

Thanks,
David Garske, wolfSSL


3 (edited by j3ll3 2020-09-14 13:00:35)

Re: Server with support for OCSP stapling

Hello David,

Thank you for the reply. Attached I have the requested wireshark trace and certificates to reproduce the problem.
Please let me know if you need anything else.

The OCSP responder runs with openssl on ocsp-responder.local with the following command:
openssl ocsp -index ~/ocsp_root_responder/index.txt -port 8080 -rsigner ~/ocsp_root_responder/ocsp_root.cert.pem -rkey ~/ocsp_root_responder/ocsp_root.key.pem -CA /~/ocsp_root_responder/v2g_root.cert.pem -text -ndays 7


Re: Server with support for OCSP stapling

Hi j3ll3,

I found a couple things.

1. The wolfSSL example server will not load the "-A v2g_root.cert.pem" if "-d" is provided. Without the CA loaded it will not be able to set up an OCSP certificate request.

2. Looks like you will need to load the -A as a chain for now: two PEMs combined, Int CA -> Root CA. I put up a fix for this issue here:
https://github.com/wolfSSL/wolfssl/pull/3299

3. The example/server/server loads internal OCSP certificates for testing that may throw off your test. Feel free to comment out that section for testing. https://github.com/wolfSSL/wolfssl/blob … er.c#L2065

Here are the tests I ran that worked:

openssl ocsp -index index.txt -port 8080 -rsigner ocsp_root.cert.pem -rkey ocsp_root.key.pem -CA v2g_root.cert.pem -text -ndays 7

./examples/server/server -c cpo_sub_1.cert.pem -k cpo_sub_1.key.pem -A v2g_root.cert.pem -b -o
openssl s_server -cert cpo_sub_1.cert.pem -key cpo_sub_1.key.pem -CAfile v2g_root.cert.pem -accept 11111 -status_verbose

./examples/client/client -A v2g_root.cert.pem -x -W 3

Thanks,
David Garske, wolfSSL
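Point 2 of the reply above in practice. This is an added example, not code from the thread or from wolfSSL: a POSIX shell script that builds the "Int CA -> Root CA" chain file the example server's -A option expects and checks the order and validity before use. It assumes the openssl CLI is installed; the two-level PKI it generates is constructed in a temp directory and only stands in for v2g_root / cpo_sub_1.

```shell
#!/bin/sh
# Added example (not from the thread): build and check the Int CA -> Root CA
# chain file for wolfSSL's example server -A option. Assumes the openssl CLI.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Constructed two-level PKI standing in for v2g_root (root) -> cpo_sub_1 (int)
gen_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=demo-root" -keyout root.key -out root.pem 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=demo-int" -keyout int.key -out int.csr 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 1 -sha256 -extfile int.ext -out int.pem 2>/dev/null
}

# make_chain INT ROOT OUT: concatenate in the order the -A loader wants (Int, then Root)
make_chain() { cat "$1" "$2" > "$3"; }

# chain_order_ok CHAIN: issuer of the first PEM block must equal subject of the second
chain_order_ok() {
    issuer=$(openssl x509 -in "$1" -noout -issuer)    # x509 reads only the first block
    subject=$(awk '/BEGIN CERT/{n++} n==2' "$1" | openssl x509 -noout -subject)
    [ "${issuer#issuer=}" = "${subject#subject=}" ]
}

# chain_verifies CHAIN ROOT: the intermediate at the head of the chain chains to ROOT
chain_verifies() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

gen_pki
make_chain int.pem root.pem chain.pem
if chain_order_ok chain.pem && chain_verifies chain.pem root.pem; then
    # This is the file to pass as -A (without -d, which skips CA loading)
    echo "chain.pem is in Int CA -> Root CA order and verifies: use it with -A"
else
    echo "chain.pem is mis-ordered or does not verify" >&2
    exit 1
fi
```

Swapping the two arguments of make_chain reproduces the mis-ordered file that chain_order_ok rejects.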
