Validation OCSP

Hi!

I’ve a problem when I do a request from Kleopatra to the URL of OCSP validation. I put the URL and signature of the OCSP issuer, but my certificates are not validated.

Can you help me?
Thanks.

Hi,

First you need Gpg4win 3.1.1 There were important fixes to OCSP and CRL checks in there.

Then in Kleopatra → Configure Kleopatra → GnuPG System → Network → “Configuration for OCSP” → Allow sending OCSP requests.

Then in the S/MIME tab → “Options controlling the security” → Check validity using OCSP.

You should not need to configure an OCSP Server manually, it should usually be part of the certificate. I’m not sure how to properly set it up with a fixed OCSP Server.

Hope this helps,
Andre

If it does not work right away it might be necessary to use the Task Manager to kill the process “dirmngr.exe” before trying again.

Hi Andre,

So, can I configure both validation methods simultaneously? Does it mean that the option “check validity…” only says which one dirmngr uses first?

BR

Josep

Hi Josep,

You mean the option in Kleopatra’s S/MIME Validation config page? That is out of date now that we can do both in parallel and needs to be changed to checkboxes instead of exclusive radio buttons. Yes, we can have both enabled at the same time.

If you go to GnuPG System → S/MIME you can both check “enable-crl-checks” (which are enabled by default anyway) and “Check validity using OCSP”.

I think that when a certificate has both CRL and OCSP dirmngr will use both in that case. But I’m not 100% sure.

Yes, you are right. Radio buttons are confusing. They seem like exclusive options.
Now I’m doing some tests with certs with OCSP validation. There seem to be some failures. Using Wireshark to look at the OCSP traffic I can see the request and a positive answer, but the certificate validation fails. I’ll do some more tests. I send you the certs if you would like to do these tests.
I saw that when there is an OCSP URL, dirmngr tries only OCSP. I didn’t see further HTTP traffic (LDAP requires auth and there are costs associated with LDAP queries). Also I send you a CRL that says “Unknown mandatory policy” when I try to import it using dirmngr and then list CRLs. Just FYI and for test usage. They are from an official CA in Spain.

FNMT.zip (4.08 KB)

Hi Andre

I’ve the correct configuration but I can’t validate…

These are the errors from the logs:

2018-05-04 16:04:02 dirmngr[6316] DBG: rsa_verify => Firma incorrecta
2018-05-04 16:04:02 dirmngr[6316] no se ha encontrado un certificado adecuado para verificar la respuesta OCSP
2018-05-04 16:04:02 dirmngr[6316] command ‘ISVALID’ failed: No hay clave pública
2018-05-04 16:04:02 dirmngr[6316] DBG: chan_0x000002ac → ERR 167772169 No hay clave pública
2018-05-04 16:04:03 dirmngr[6316] DBG: chan_0x000002ac ← [eof]
2018-05-04 16:04:03 dirmngr[6316] manejador del descriptor 684 terminado
2018-05-04 16:06:09 dirmngr[6316] starting housekeeping
2018-05-04 16:06:09 dirmngr[6316] running scheduled tasks (with network)
2018-05-04 16:06:09 dirmngr[6316] ready with housekeeping
2018-05-04 16:16:10 dirmngr[6316] starting housekeeping
2018-05-04 16:16:10 dirmngr[6316] running scheduled tasks
2018-05-04 16:16:10 dirmngr[6316] ready with housekeeping

I tested the “CA OCSP Signing Certificate” successfully with openssl.

Strange, this error says that the OCSP response is signed with an unknown certificate, maybe you have to import some extra certificate for that?

Could you also attach your test certificates here? That might help us analyze this.

With the Test certificates attached here I also get

2018-05-07 13:47:41 dirmngr[130361.6] DBG: rsa_verify => Bad signature
2018-05-07 13:47:41 dirmngr[130361.6] no suitable certificate found to verify the OCSP response
2018-05-07 13:47:41 dirmngr[130361.6] command ‘ISVALID’ failed: No public key

What is wrong there and what dirmngr does differently from other tools needs further analysis. I’ve opened a ticket about this so that it is not forgotten: https://dev.gnupg.org/T3966
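The "no suitable certificate found to verify the OCSP response" / "Bad signature" pair in the log above is what a verifier reports when the response is signed by a delegated responder certificate it cannot locate. The following script is an added example, not code from the thread, Gpg4win or GnuPG: it builds a throwaway CA, responder and leaf with openssl, answers an OCSP request locally (once with the responder certificate embedded, once without) and verifies both as a client that trusts only the root, with and without being handed the responder certificate. It assumes openssl 1.1.1 or later on PATH with its default openssl.cnf present; all names and key material are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce offline the failure class behind
# "no suitable certificate found to verify the OCSP response" (a response signed
# by a delegated responder certificate the client cannot locate) and show what
# makes it verify. All key material here is constructed throwaway data.
# Assumes openssl 1.1.1+ on PATH with its default openssl.cnf present.
set -e
WORK=$(mktemp -d)

# Constructed root CA, delegated responder (extendedKeyUsage=OCSPSigning)
# and one end-entity certificate; the latter two are signed by the root.
for n in ca ocsp leaf; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=test-$n" \
        -keyout "$WORK/$n.key" -out "$WORK/$n.csr" 2>/dev/null
done
echo 'basicConstraints=critical,CA:TRUE' > "$WORK/ca.ext"
echo 'extendedKeyUsage=OCSPSigning' > "$WORK/ocsp.ext"
openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 2 \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.pem" 2>/dev/null
openssl x509 -req -in "$WORK/ocsp.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -set_serial 0x1000 -days 2 -extfile "$WORK/ocsp.ext" -out "$WORK/ocsp.pem" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -set_serial 0x1234 -days 2 -out "$WORK/leaf.pem" 2>/dev/null
# One-line CA database marking serial 0x1234 as valid (V) for the local responder.
printf 'V\t400101000000Z\t\t1234\tunknown\t/CN=test-leaf\n' > "$WORK/index.txt"

# Answer a request for the leaf locally. $1 = output file, rest = responder options.
make_response() {
    out=$1; shift
    openssl ocsp -index "$WORK/index.txt" -CA "$WORK/ca.pem" \
        -rsigner "$WORK/ocsp.pem" -rkey "$WORK/ocsp.key" -issuer "$WORK/ca.pem" \
        -cert "$WORK/leaf.pem" -no_nonce -respout "$out" "$@" >/dev/null 2>&1
}
make_response "$WORK/resp_with_signer.der"            # responder cert embedded (usual case)
make_response "$WORK/resp_bare.der" -resp_no_certs    # responder cert omitted

# Verify a stored response as a client trusting only the root. Echoes OK or FAIL.
# $1 = response file, rest = extra client options (e.g. -VAfile <responder cert>).
verify_response() {
    resp=$1; shift
    if openssl ocsp -respin "$resp" -issuer "$WORK/ca.pem" -cert "$WORK/leaf.pem" \
           -CAfile "$WORK/ca.pem" -no_nonce "$@" 2>&1 | grep -q 'Response verify OK'
    then echo OK; else echo FAIL; fi
}

echo "signer embedded:                    $(verify_response "$WORK/resp_with_signer.der")"
echo "signer missing:                     $(verify_response "$WORK/resp_bare.der")"
echo "signer missing, supplied by client: $(verify_response "$WORK/resp_bare.der" -VAfile "$WORK/ocsp.pem")"
```

The middle case is the one to compare against the dirmngr log: the signature is fine, but without the responder certificate there is nothing to check it against. For a fixed responder configured with dirmngr's ocsp-responder option, its ocsp-signer option is the place to name the certificate(s) expected to sign that responder's answers.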

I’ve a PKI in RedHat; I can only validate the certificates from an internal network.
I think that the certificate OCSP response is correct because with this certificate I get a response from OpenSSL.
Is this a bug?

Hi Andre,

I send you all the certs in the chain. When I tried using the openssl ocsp command, it said the cert is valid. I send you also a capture from Wireshark. OpenSSL validation only requires three certs: root CA, intermediate CA and my cert. I hope this helps you, but it seems to have some bug…

fmnt.zip (10.8 KB)