[ssh_x509] OCSP validation request to all the certificates in chain except root CA certificate

ssh_x509 at roumenpetrov.info
Wed May 6 19:44:20 EEST 2020


Hi Mohit,

ssh_x509 at roumenpetrov.info wrote:
> Hi Roumen,
>
> I have tried adding the ssh_ocsp_validate() in ssh_x509store_cb after
> statement check for revoked

I am starting to think that this place could be risky for performing OCSP requests.
I guess that verification could enter an endless loop.


>   but I am unable to get the issuer
> certificate for user certificate because of which OCSP validation is
> failing for user certificate and even OCSP request is not sent for user
> certificate. Kindly find below logs from sshd and suggest solution to fix
> this issue.
>
> debug3: ssh_ocsp_validate: for root CA
> debug3: ssh_ocsp_validate4cert: no OCSP 'Service Locator' URL    .>> root
> Certificate no OCSP URL
>
> debug3: ssh_ocsp_validate: for Intermediate CA
> debug3: ssh_ocsp_get_basicresp: OK                             >>
> Intermediate certificate which is validated successfully by OCSP.
> debug3: ssh_ocsp_check_validity: cert[0]=''
> debug1: ssh_ocsp_check_validity: status=good
> debug3: ssh_ocsp_check_validity: This Update=May 5 13:35:46 2020 GMT
> debug3: ssh_ocsp_check_validity: return 1
> debug3: ssh_ocsp_validate4cert: validation result=1
>
> debug3: ssh_ocsp_validate: for User certificate
> ssh_ocspreq_addcert: cannot found issuer certificate     >> user
> certificate, I am getting this error.
> debug3: ssh_ocsp_validate4cert: validation result=-1

No idea without knowing more details.
CACertificatePath or CACertificateFile should contain certificates.
Also https://securebox.termoneplus.com/man5/ssh_config.5.html#VACertificateFile could be used.


> Thanks & Regards
> Mohit Gupta
>
> On Fri, May 1, 2020 at 9:01 PM <ssh_x509 at roumenpetrov.info> wrote:
[SNIP]

>> Also you could call X509_STORE_CTX_get1_chain. In the PKIX-SSH code where
>> ssh_ocsp_validate is called the chain is "complete and validated", i.e.
>> ssh_verify_cert calls X509_verify_cert and the result is positive.
Now I think that this is the only reliable solution, i.e. in the method ssh_x509store_verify_cert().


Regards,
Roumen Petrov
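The approach Roumen describes above, taking the issuer for each OCSP request from the chain that path validation already built rather than looking it up separately, modelled with the openssl CLI. This is an added example, not PKIX-SSH code; the three-tier chain, the subject names and the file names are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed example (not PKIX-SSH code): build root -> intermediate -> user,
# let OpenSSL verify the path and print the chain it assembled (leaf first,
# root last, the order X509_STORE_CTX_get1_chain returns), then form an OCSP
# request for every chain member except the self-signed root, with the issuer
# taken from the next chain element instead of a separate store lookup.
set -e
W=$(mktemp -d)
cd "$W"

# Throwaway keys and certificates for the three tiers.
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
    -subj /CN=TestRoot -days 2 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
    -subj /CN=TestIntermediate 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ca.ext -out inter.pem -days 1 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout user.key -out user.csr \
    -subj /CN=testuser 2>/dev/null
openssl x509 -req -in user.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -out user.pem -days 1 2>/dev/null

# Path validation first. Only the root is in the trust store; the intermediate
# is "untrusted" input, like a chain presented by the peer. -show_chain prints
# the chain OpenSSL actually validated.
openssl verify -show_chain -CAfile root.pem -untrusted inter.pem user.pem

# Arguments: chain members, leaf first. Every member except the last (the
# root) gets an OCSP request whose issuer is the following member. Without
# -url the request is only written to req<N>.der, not sent anywhere.
# Prints the number of requests built.
ocsp_requests_for_chain() {
    n=0
    while [ $# -gt 1 ]; do
        openssl ocsp -issuer "$2" -cert "$1" -no_nonce -reqout "req$n.der" >/dev/null
        n=$((n + 1))
        shift
    done
    echo "$n"
}

ocsp_requests_for_chain user.pem inter.pem root.pem
```

In real code the next step per request is the certificate's own OCSP URL (the "Service Locator" the log refers to); a member without one, like the root here, simply gets no query.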
