On 24.06.2024 at 22:09, sbworkde@gmail.com wrote:
I want to specify OCSP responder URL while stunnel in "server" mode.
I tried to use the option "OCSP" in configuration file, but it only works in "client" mode. The OCSP responder URL is always read from AIA while stunnel is in "server" mode, even when I set "OCSPaia = no".
Is there a way to specify OCSP responder URL for "server" mode?
Hello,
I have confirmed that both "OCSP stapling" and "OCSP client-driven" functionalities work in stunnel server mode.
Below is an example stunnel configuration.
[server]
accept = 4433
exec = /usr/bin/echo
execArgs = echo OK
cert = server_cert.pem
CAfile = CACert.pem
verifyChain = yes
OCSP = http://127.0.0.1:19254

[client]
client = yes
accept = 8080
connect = 127.0.0.1:4433
cert = client_cert.pem
Start the OCSP responder:

$ openssl ocsp -index index.txt -port 19254 -rsigner interCA_ocsp.pem -CA intermediateCA.pem
Server logs:

1. OCSP Stapling: Always attempts to get the status of its own (server) certificate.

2024.07.02 14:10:16 LOG7[0]: OCSP stapling: Server callback called
2024.07.02 14:10:16 LOG5[0]: OCSP: Connecting the AIA responder "http://127.0.0.1:19254/ocsp"
(...)
2024.07.02 14:10:16 LOG7[0]: OCSP: Connected 127.0.0.1:19254
2024.07.02 14:10:16 LOG7[0]: OCSP: Response received
2024.07.02 14:10:16 LOG7[0]: OCSP: Validate the OCSP response
2024.07.02 14:10:16 LOG6[0]: OCSP: Status: good
2024.07.02 14:10:16 LOG6[0]: OCSP: This update: 2024.07.02 14:10:16
2024.07.02 14:10:16 LOG5[0]: OCSP: Certificate accepted
2024.07.02 14:10:16 LOG7[0]: OCSP stapling: OCSP response sent back
(...)
2. OCSP Client-Driven: Retrieves the status of the peer (client) certificate.

2024.07.02 14:10:16 LOG5[0]: OCSP: Connecting the configured responder "http://127.0.0.1:19254"
(...)
2024.07.02 14:10:16 LOG7[0]: OCSP: Connected 127.0.0.1:19254
2024.07.02 14:10:16 LOG7[0]: OCSP: Response received
2024.07.02 14:10:16 LOG7[0]: OCSP: Validate the OCSP response
2024.07.02 14:10:16 LOG6[0]: OCSP: Status: good
2024.07.02 14:10:16 LOG6[0]: OCSP: This update: 2024.07.02 14:10:16
2024.07.02 14:10:16 LOG5[0]: OCSP: Certificate accepted
2024.07.02 14:10:16 LOG5[0]: OCSP: Accepted (good)
2024.07.02 14:10:16 LOG5[0]: Certificate accepted at depth=0: C=PL, O=Stunnel Developers, OU=client, CN=client, emailAddress=client@example.com
(...)
$ openssl x509 -text -noout -in server_cert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            54:ba:60:7b:68:3b:c0:0f:f0:2b:05:86:8d:0a:e3:3a:37:ac:85:b8
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = PL, O = Stunnel Developers, OU = Intermediate CA, CN = Intermediate CA
        Validity
            Not Before: Jun 12 09:28:02 2024 GMT
            Not After : Jun 21 09:28:02 2030 GMT
        Subject: C = PL, O = Stunnel Developers, OU = server, CN = server, emailAddress = server@example.com
        (...)
        X509v3 extensions:
            Authority Information Access:
                OCSP - URI:http://127.0.0.1:19254/ocsp
        (...)
I hope you found this helpful.
Best regards, Małgorzata Olszówka
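The two log excerpts above make the operational point of the reply visible: the stapling query goes to the AIA responder embedded in the server's own certificate, while the client-driven check for the peer certificate goes to the responder named by the "OCSP" option. A defender running stunnel in server mode will want to confirm from the logs that both checks actually completed with a "good" status and that the client-driven check reached the responder that was configured. The following Python script is an added example written for this thread, not code from the stunnel project or from the reply's author. It parses stunnel log lines in the format shown above (assumed from the excerpts: "YYYY.MM.DD HH:MM:SS LOG<level>[<connection>]: <message>"), summarises the OCSP outcome per connection and reports anything that needs attention. The sample log embedded in it reuses the lines from the reply for connection 0 and adds a constructed connection 1 whose "OCSP: Status: revoked" line is an assumption modelled on the "Status: good" line; the exact wording stunnel uses for a revoked status was not checked against the source.

```python
"""Summarise OCSP outcomes per connection from stunnel log lines.

Added example for the thread; not part of stunnel. Log line format
is assumed from the excerpts in the reply.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# "2024.07.02 14:10:16 LOG5[0]: OCSP: Status: good"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) "
    r"LOG(?P<level>\d)\[(?P<conn>\d+)\]: (?P<msg>.*)$"
)
# Which responder was used: the AIA one from the certificate (stapling of the
# server's own cert) or the one configured with the "OCSP" option (peer cert).
RESPONDER_RE = re.compile(
    r'OCSP: Connecting the (?P<kind>AIA|configured) responder "(?P<url>[^"]+)"'
)
STATUS_RE = re.compile(r"^OCSP: Status: (?P<status>\w+)$")
ACCEPTED_MSG = "OCSP: Certificate accepted"
STAPLED_MSG = "OCSP stapling: OCSP response sent back"
PEER_PREFIX = "Certificate accepted at depth=0: "


@dataclass
class OcspSummary:
    conn: str
    responders: List[Tuple[str, str]] = field(default_factory=list)  # (kind, url)
    statuses: List[str] = field(default_factory=list)
    accepted: int = 0          # number of "OCSP: Certificate accepted" lines
    stapled: bool = False      # a stapled response was sent to the client
    peer_subject: Optional[str] = None


def parse_stunnel_log(text: str) -> Dict[str, OcspSummary]:
    """Group OCSP-related log lines by connection id."""
    summaries: Dict[str, OcspSummary] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a stunnel log line (e.g. "(...)" placeholders)
        msg = m["msg"]
        s = summaries.setdefault(m["conn"], OcspSummary(m["conn"]))
        r = RESPONDER_RE.search(msg)
        if r:
            s.responders.append((r["kind"], r["url"]))
            continue
        st = STATUS_RE.match(msg)
        if st:
            s.statuses.append(st["status"])
            continue
        if msg == ACCEPTED_MSG:
            s.accepted += 1
        elif msg == STAPLED_MSG:
            s.stapled = True
        elif msg.startswith(PEER_PREFIX):
            s.peer_subject = msg[len(PEER_PREFIX):]
    return summaries


def findings(summary: OcspSummary, expected_responder: Optional[str] = None) -> List[str]:
    """Return the problems worth alerting on for one connection."""
    out: List[str] = []
    if not summary.statuses:
        out.append("no OCSP status recorded (check never completed)")
    for status in summary.statuses:
        if status != "good":
            out.append(f"non-good OCSP status: {status}")
    if expected_responder is not None:
        for kind, url in summary.responders:
            # Only the client-driven check uses the configured URL; the
            # stapling query legitimately goes to the certificate's AIA URL.
            if kind == "configured" and url != expected_responder:
                out.append(f"configured responder {url} differs from expected {expected_responder}")
    return out


def report(text: str, expected_responder: Optional[str] = None) -> Dict[str, List[str]]:
    """Findings per connection id; an empty list means nothing to flag."""
    return {c: findings(s, expected_responder) for c, s in parse_stunnel_log(text).items()}


# Connection 0: lines from the reply. Connection 1: constructed; the
# "Status: revoked" wording is an assumption, not verified stunnel output.
SAMPLE_LOG = """\
2024.07.02 14:10:16 LOG7[0]: OCSP stapling: Server callback called
2024.07.02 14:10:16 LOG5[0]: OCSP: Connecting the AIA responder "http://127.0.0.1:19254/ocsp"
(...)
2024.07.02 14:10:16 LOG7[0]: OCSP: Connected 127.0.0.1:19254
2024.07.02 14:10:16 LOG6[0]: OCSP: Status: good
2024.07.02 14:10:16 LOG6[0]: OCSP: This update: 2024.07.02 14:10:16
2024.07.02 14:10:16 LOG5[0]: OCSP: Certificate accepted
2024.07.02 14:10:16 LOG7[0]: OCSP stapling: OCSP response sent back
2024.07.02 14:10:16 LOG5[0]: OCSP: Connecting the configured responder "http://127.0.0.1:19254"
2024.07.02 14:10:16 LOG6[0]: OCSP: Status: good
2024.07.02 14:10:16 LOG5[0]: OCSP: Certificate accepted
2024.07.02 14:10:16 LOG5[0]: OCSP: Accepted (good)
2024.07.02 14:10:16 LOG5[0]: Certificate accepted at depth=0: C=PL, O=Stunnel Developers, OU=client, CN=client, emailAddress=client@example.com
2024.07.02 14:12:00 LOG5[1]: OCSP: Connecting the configured responder "http://127.0.0.1:19254"
2024.07.02 14:12:00 LOG7[1]: OCSP: Connected 127.0.0.1:19254
2024.07.02 14:12:00 LOG6[1]: OCSP: Status: revoked
"""

if __name__ == "__main__":
    for conn, problems in report(SAMPLE_LOG, "http://127.0.0.1:19254").items():
        print(f"connection {conn}: {problems or 'OK'}")
```

Feed it the stunnel log with "debug = 7" (the LOG7 lines are the stapling callback and response-sent markers) and pass the URL you set in the "OCSP" option as expected_responder; a connection that shows an AIA responder but no configured one is a stapling-only run, which is what you see when the peer presents no certificate to check.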