Jim Carter's Bugfixes

OpenSSL OCSP Bad Request

James F. Carter
2013-08-24
Symptom:

You want to check by hand the revocation status of a certificate. You naively use this command line:

openssl ocsp -CApath /etc/ssl/certs -issuer startcom2.usr -verify_other startcom2.usr -cert /etc/ssl/hostcerts/hostw.crt -url http://ocsp.startssl.com/ca -text

Explanation of options:

openssl ocsp Command and subcommand.
-CApath /etc/ssl/certs Directory of trusted CA certificates, used to verify TLS connections.
-issuer startcom1.usr In a trust chain, specify the certificate that actually issued the cert being checked, that is, the last intermediate certificate authority.
-verify_other startcom1.usr Usually the same as -issuer; used to check the signature on the response.
-cert /etc/ssl/hostcerts/hostw.crt The certificate you want to check.
-url http://ocsp.startssl.com/ca The responder's URL. To find it, inspect the cert being checked, e.g.
openssl x509 -in /etc/ssl/hostcerts/hostw.crt -noout -text
and look for the OCSP-URI entry. A plain http:// (non-TLS) responder URL is normal.
-text Produce sort-of human-readable output on stdout.

But for some responders, not all, the non-response begins:

140140571887272: error: 27076072: OCSP routines: PARSE_HTTP_LINE1: server response error: ocsp_ht.c:250: Code=400,Reason=Bad Request
What's happening:

See this posting in Startcom's forum. The responder wants to use HTTP-1.1 but the openssl command does not support it.

How to fix:

Per the forum post, add this option to the openssl command line; it adequately substitutes for full HTTP-1.1 support:

-header "HOST" "ocsp.startssl.com"

The value is the host part of the OCSP-URI. But this isn't all you need. A successful command line was:

openssl ocsp -CAfile /etc/ssl/hostcerts/startcom.pth -issuer startcom1.usr -VAfile /etc/ssl/hostcerts/startcom.pth -cert /etc/ssl/hostcerts/hostw.crt -url http://ocsp.startssl.com/sub/class1/server/ca -header "HOST" "ocsp.startssl.com" -text

Explanation of options changed from the first command line:

-CAfile /etc/ssl/hostcerts/startcom.pth To verify certificates it needs the intermediate CA cert(s) together with the trust anchor (the self-signed root cert). I have a concatenated file of all of these, conveniently available.
-VAfile /etc/ssl/hostcerts/startcom.pth OpenSSL makes a distinction between verifying and trusting. You need to specify separately which certs are actually trusted to sign the response. This replaces -verify_other.
-header "HOST" "ocsp.startssl.com" This is the HTTP-1.1 fixup mentioned in the forum post above.
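The two command lines above differ in where the responder URL and Host header come from, and both are easy to get wrong by hand. The following wrapper is an added example, not part of the page: it reads the OCSP URI out of the certificate with the real openssl x509 -ocsp_uri option, derives the Host header value from that URI, and then runs the working query from the page (-CAfile plus -VAfile, both pointing at the concatenated chain file). It assumes openssl is in PATH and that the three file arguments are the host cert, the issuing intermediate, and the chain file (the page's hostw.crt, startcom1.usr and startcom.pth); the file names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not code from Jim Carter's page. Wraps "openssl ocsp" so the
# -url and -header HOST values are taken from the certificate itself.
# Assumptions: openssl in PATH; $2 is the issuing intermediate CA cert; $3 is a
# concatenated file of intermediates plus the self-signed root (trust anchor).

# Host part of an http(s) URL: strip the scheme, then the path, then any port.
ocsp_host_from_url() {
    url=$1
    host=${url#*://}        # drop "http://" or "https://"
    host=${host%%/*}        # drop everything from the first "/" on
    host=${host%%:*}        # drop an explicit ":port", if present
    printf '%s\n' "$host"
}

# OCSP responder URI embedded in the certificate (openssl x509 -ocsp_uri is a
# real option; it prints the URI from the Authority Information Access data).
ocsp_uri_of() {
    openssl x509 -in "$1" -noout -ocsp_uri
}

# Query the responder the way the page's successful command line does.
# Verification (-CAfile) and trust for the response signer (-VAfile) both use
# the chain file; the Host header is derived rather than typed by hand.
# Exit status is openssl's; the -text output goes to stdout.
ocsp_check() {
    cert=$1; issuer=$2; chain=$3
    url=$(ocsp_uri_of "$cert") || return 1
    [ -n "$url" ] || { echo "no OCSP URI in $cert" >&2; return 1; }
    openssl ocsp -CAfile "$chain" -issuer "$issuer" -VAfile "$chain" \
        -cert "$cert" -url "$url" \
        -header "HOST" "$(ocsp_host_from_url "$url")" -text
}

# Usage (placeholder file names):
#   sh ocsp_check.sh /etc/ssl/hostcerts/hostw.crt startcom1.usr /etc/ssl/hostcerts/startcom.pth
if [ "$#" -eq 3 ]; then
    ocsp_check "$1" "$2" "$3"
fi
```

The two-argument form -header "HOST" "value" is the syntax of the OpenSSL 1.0.x releases the page was written against; from OpenSSL 1.1.0 on, the ocsp subcommand takes -header name=value instead, so on a newer build change that one line to -header "HOST=$(ocsp_host_from_url "$url")". Either way, the host-derivation function is where a typo in the Host header would otherwise creep in, which is why it is kept separate and testable.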
