SSSD OCSP verification failed
by Alvarez, Angelo CIV USN JOINT TYPHOON WARCEN (USA)
Aloha. We are trying to get OCSP verification working with RHEL 8 SSSD. The
OCSP responder CA is not in the trust chain of the CA that issued the smart
card certificates. I was able to get openssl ocsp verification to work
using "-verify_other" and "-trust_other" options.
[root@c27nmgmtjtprlh1 PKI]# openssl ocsp -issuer DOD_ID_CA-63.pem
-verify_other NAWEPRLHRD12.pem -trust_other -cert ~alvareza/alvarez.pem -url
http://repeater1.xxxxx.xxxxx.xxxx.xxxx.xxxx -respout -text
WARNING: no nonce in response
Response verify OK
/home/alvareza/alvarez.pem: good
This Update: May 9 00:00:00 2024 GMT
Next Update: May 15 06:16:18 2024 GMT
I tried to perform OCSP verification with the SSSD p11_child helper, but it
does not work. Does anyone know if the "Direct Trust" model for OCSP works
with RHEL 8 SSSD?
[root@c27nmgmtjtprlh1 pki]# /usr/libexec/sssd/p11_child --dumpable=1
--debug-microseconds=0 --debug-timestamps=1 --debug-fd=22 --debug-level=9
--verification --verify
ocsp_dgst=sha1,ocsp_default_responder=http://repeater1.xxxxx.xxxxx.xxxx.xxxx
.xxxx --ca_db=/etc/sssd/pki/sssd_auth_ca_db.pem --certificate=$(cat
/home/alvareza/alvarez.pem | grep -v BEGIN | grep -v END | tr -d "\n")
set_debug_file_from_fd failed.
(2024-05-09 8:07:24): [p11_child[2817468]] [main] (0x0400): p11_child
started.
(2024-05-09 8:07:24): [p11_child[2817468]] [main] (0x2000): Running in
[verify] mode.
(2024-05-09 8:07:24): [p11_child[2817468]] [main] (0x2000): Running with
effective IDs: [0][0].
(2024-05-09 8:07:24): [p11_child[2817468]] [main] (0x2000): Running with
real IDs [0][0].
(2024-05-09 8:07:24): [p11_child[2817468]] [parse_cert_verify_opts]
(0x4000): Using sha1 for OCSP.
(2024-05-09 8:07:24): [p11_child[2817468]] [parse_cert_verify_opts]
(0x4000): Using OCSP default responder
[http://repeater1.prlh.nadsuswe.nads.navy.mil]
(2024-05-09 8:07:24): [p11_child[2817468]] [do_ocsp] (0x4000): Using OCSP
URL [http://repeater1.prlh.nadsuswe.nads.navy.mil].
(2024-05-09 8:07:24): [p11_child[2817468]] [do_ocsp] (0x0020): No nonce in
OCSP response. This might indicate a replay attack or an OCSP responder
which does not support nonces. Accepting response.
(2024-05-09 8:07:24): [p11_child[2817468]] [do_ocsp] (0x0020):
OCSP_basic_verify() failed to verify OCSP response.
(2024-05-09 8:07:24): [p11_child[2817468]] [do_verification] (0x0040):
do_ocsp failed.
(2024-05-09 8:07:24): [p11_child[2817468]] [do_work] (0x0400): Certificate
is NOT valid.
22
(2024-05-09 8:07:24): [p11_child[2817468]] [main] (0x0020): p11_child
failed (22)
v/r
Angelo Alvarez, CISSP
N6
Joint Typhoon Warning Center
Work: 808.471.3645
Mobile: 808.389.9474
Email: angelo.alvarez(a)navy.mil
SiPR Email: angelo.alvarez(a)navy.smil.mil
"They didn't count on my cunning!" - El Chapulin Colorado
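The two checks from the post, rebuilt offline as an added shell example (these are not the poster's own commands): it creates a throwaway issuing CA, a leaf certificate and an unrelated self-signed OCSP responder, answers a request with openssl's one-shot responder mode, then verifies that response first with only the issuing CA trusted (the chain walk OCSP_basic_verify() performs inside p11_child) and then with the direct-trust flags -verify_other/-trust_other. All file names, subjects and the index date are constructed stand-ins.

```shell
#!/bin/sh
# Added demo (not from the original post): rebuild the poster's two checks with
# a throwaway PKI so they run offline. Names are constructed stand-ins:
# issuer.pem plays DOD_ID_CA-63.pem, resp.pem plays NAWEPRLHRD12.pem.
set -e

ocsp_direct_trust_demo() (
  w=$(mktemp -d) && cd "$w"
  q="-nodes -days 2 -subj"
  # 1. Issuing CA and a leaf cert (stands in for the smart-card certificate).
  openssl req -x509 -newkey rsa:2048 $q "/CN=Demo Issuing CA" \
    -keyout issuer.key -out issuer.pem 2>/dev/null
  openssl req -newkey rsa:2048 $q "/CN=Demo User" \
    -keyout leaf.key -out leaf.csr 2>/dev/null
  openssl x509 -req -in leaf.csr -CA issuer.pem -CAkey issuer.key \
    -CAcreateserial -days 1 -out leaf.pem 2>/dev/null
  # 2. OCSP responder whose chain does NOT lead to the issuing CA (self-signed
  #    here, with the OCSPSigning EKU): the poster's "direct trust" situation.
  openssl req -x509 -newkey rsa:2048 $q "/CN=Demo OCSP Responder" \
    -addext "extendedKeyUsage=OCSPSigning" -keyout resp.key -out resp.pem 2>/dev/null
  # 3. One-shot responder: a CA index listing the leaf as valid, then answer a
  #    request for it. The index date is a dummy; the lookup is by serial.
  serial=$(openssl x509 -noout -serial -in leaf.pem | cut -d= -f2)
  printf 'V\t991231235959Z\t\t%s\tunknown\t/CN=Demo User\n' "$serial" > index.txt
  openssl ocsp -issuer issuer.pem -cert leaf.pem -no_nonce -reqout req.der 2>/dev/null
  openssl ocsp -index index.txt -CA issuer.pem -rsigner resp.pem -rkey resp.key \
    -ndays 1 -reqin req.der -respout resp.der 2>/dev/null
  # 4a. Standard model: only the issuing CA is trusted. OCSP_basic_verify()
  #     cannot chain the responder to it, which is what p11_child reported.
  standard=ok
  openssl ocsp -issuer issuer.pem -cert leaf.pem -no_nonce -respin resp.der \
    -CAfile issuer.pem >/dev/null 2>&1 || standard=fail
  # 4b. Direct trust: the responder cert itself is supplied and trusted
  #     (-verify_other/-trust_other), the poster's working openssl command.
  direct=ok
  openssl ocsp -issuer issuer.pem -cert leaf.pem -no_nonce -respin resp.der \
    -verify_other resp.pem -trust_other >/dev/null 2>&1 || direct=fail
  cd / && rm -rf "$w"
  echo "standard=$standard direct=$direct"
)

ocsp_direct_trust_demo   # prints: standard=fail direct=ok
```

The first verification fails for the same reason p11_child's does: without the responder certificate in a trusted position, the signature may check out but the chain walk to the issuing CA cannot succeed.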