[squid-users] Possible Bug in squid? [Fwd: Re: [openssl-users] Problem checking certificate with OCSP]

Walter H. walter.h at mathemainzel.info
Tue Oct 6 05:17:02 UTC 2015


Hello could the following be the reason why

https://revoked.grc.com/

doesn't get any errors, when using SSL-Bump?

Thanks,
Walter

---------------------------- Original Message ----------------------------
Subject: Re: [openssl-users] Problem checking certificate with OCSP
From:    "Dr. Stephen Henson" <steve at openssl.org>
Date:    Mon, October 5, 2015 17:11
To:      openssl-users at openssl.org
--------------------------------------------------------------------------

On Mon, Oct 05, 2015, Walter H. wrote:

> Hello,
>
> attached is the certificate and its chain of  https://revoked.grc.com/
>
> doing this:
>
> openssl ocsp -no_nonce -issuer chain.pem -cert cert.pem -text -url
> http://ocsp2.globalsign.com/gsdomainvalg2
>
> goves the following:
>
> OCSP Request Data:
>     Version: 1 (0x0)
>     Requestor List:
>         Certificate ID:
>           Hash Algorithm: sha1
>           Issuer Name Hash: 45658DA20174402FF48B3A6AC0BC69208095C7CA
>           Issuer Key Hash: 96ADFAB05BB983642A76C21C8A69DA42DCFEFD28
>           Serial Number: 112155688D380775DA34C5DF97433ED3F6A7
> Error querying OCSP responsder
> 139928584042312:error:27076072:OCSP routines:PARSE_HTTP_LINE1:server
response
> error:ocsp_ht.c:250:Code=403,Reason=Forbidden
>
> where is the problem for this strange error?
>

Some OCSP responders need the host header, try adding:

	 -header Host ocsp2.globalsign.com

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users




More information about the squid-users mailing list