Hi,
I am having a problem using OCSP with Stunnel.
client: stunnel-5.55, server: stunnel-5.49, both using openssl-1.0.2k-fips.
When I use the openssl ocsp command it works fine e.g.:
openssl ocsp -issuer idca-rootca.pem -CAfile idca-rootca.pem -cert server-cert.pem -url http://10.0.0.166:40040
Response verify OK
server-cert.pem: good
Wireshark: OCSP request contains the server cert serial number, and OCSP response returns "certStatus: good(0)".
However, when I use Stunnel the OCSP lookup fails (Connection reset by peer), and in the Stunnel log I get:
LOG3[0]: OCSP: OCSP_basic_verify: ocsp_vfy.c:166: error:27069070:OCSP routines:OCSP_basic_verify:root ca not trusted
Wireshark: OCSP request now contains the issuer (idca) instead of the server cert serial number, and the OCSP response returns "certStatus: unknown (2)".
I have tried various combinations of cert and CA pem files e.g. server cert on its own, then including idca, then including both idca and rootca. I have also tried all combinations of CA cert, even including all certs in it.
I am testing Stunnel using SSH over TLS and here are the configs:
Stunnel client config:
[ssh]
CAfile = idca-rootca.pem
cert = client-cert.pem
key = client-key.pem
accept = 40010
connect = 10.0.0.166:10010
verifyPeer = yes
OCSP = http://10.0.0.166:40040
Stunnel server config:
[sshd]
CAfile = idca-rootca.pem
cert = server-cert.pem
key = server-key.pem
accept = 10.0.0.166:40010
connect = 22
Appreciate any help with this problem.
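The two captures above show one OCSP request for the server cert's serial (from openssl) and one for the issuer's serial (from stunnel). The script below is an added diagnostic, not part of the original post or of stunnel, that repeats both queries by hand and reduces each answer to one word, so it is visible which certificate the responder reports as unknown and which query fails signature verification. It assumes idca.pem and rootca.pem are the two certificates of idca-rootca.pem split into separate files; the other file names and the responder URL come from the post.

```shell
#!/bin/sh
# Added example: query the OCSP responder once per chain element
# (leaf against idca, then idca against rootca) and normalise the result.
# Assumption: idca.pem and rootca.pem are idca-rootca.pem split in two.
OCSP_URL="${OCSP_URL:-http://10.0.0.166:40040}"

# Reduce `openssl ocsp` output to one word: good, revoked, unknown, or
# verify-failed (response signature/chain problem, e.g. "root ca not trusted").
# $1 = captured openssl output, $2 = certificate file name used in the query.
# Returns 0 only for "good".
ocsp_status_from_output() {
    out=$1; cert=$2
    case $out in
        *"Response verify OK"*) ;;
        *) echo verify-failed; return 1 ;;
    esac
    # The status line looks like "<file>: good"; awk splits it into two fields.
    status=$(printf '%s\n' "$out" | awk -v c="$cert:" '$1 == c { print $2; exit }')
    case $status in
        good|revoked|unknown) echo "$status" ;;
        *) echo unknown ;;
    esac
    [ "$status" = good ]
}

# $1 = certificate to check, $2 = its issuer, $3 = trust anchors for the
# responder signature (same bundle stunnel uses as CAfile).
ocsp_query() {
    out=$(openssl ocsp -issuer "$2" -CAfile "$3" -cert "$1" -url "$OCSP_URL" 2>&1)
    ocsp_status_from_output "$out" "$1"
}

# Mirror the two requests seen in Wireshark: leaf serial, then issuer serial.
check_chain() {
    printf 'leaf   server-cert.pem: %s\n' "$(ocsp_query server-cert.pem idca.pem idca-rootca.pem)"
    printf 'issuer idca.pem:        %s\n' "$(ocsp_query idca.pem rootca.pem idca-rootca.pem)"
}

# Only contact the responder when invoked as: sh ocsp-chain.sh run
if [ "${1:-}" = run ]; then
    check_chain
fi
```

A responder that only holds the status of end-entity certificates issued by idca will answer unknown for idca itself, which is what the second capture shows; an answer of verify-failed on either line points at the responder's signing chain rather than at the certificate being checked.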