
OCSP proxying

This article describes the proxying (request forwarding) used in Nexus OCSP Responder. Proxying is configured through responders. For more information, see the OCSP responder section.

Example 1

In this example, two urlcheck parameters are configured in succession.

  • If the OCSP request contains a serviceLocator extension, that is, if the queried certificate contains an authorityInformationAccess extension specifying an OCSP URL, that URL is tried first.

  • If no such URL exists, or if the response obtained from it is not considered valid, Nexus OCSP Responder checks whether the certificate was issued by the Acme TrustCenter CA and, if so, uses a hardcoded URL for its revocation information.

In the OCSP configuration file, specify as follows:

ocsp.client.urlcheck.1=servicelocator
ocsp.client.urlcheck.2=table
ocsp.client.urlcheck.2.table.1.issuermatch=*o=Acme*
ocsp.client.urlcheck.2.table.1.url=http://ocsp.acme.com/ca01

Example 2

In this example, a forwarding responder is configured that forwards requests to another responder and is as lenient as possible: it accepts all issuers, allows unknown responses (allowunknown) and disables verification of the response signature. Since the signature is not checked, whatever the upstream responder returns is relayed unverified, so this setup only makes sense where that upstream responder is fully trusted.

  • In the OCSP configuration file, specify as follows:

    responder.1.type=basic
    responder.1.url=http://*:80
    responder.1.workers=5
    responder.1.signer.1.issuerdn=cn=Dummy CA,c=SE
    responder.1.signer.1.certificate=cn=Dummy OCSP Signer,c=SE
    responder.1.signer.1.pin=secretPIN1234
    responder.1.forwarding.enabled=true
    responder.1.forwarding.onlyforissuer.1=*
    responder.1.forwarding.client.urlcheck.1=table
    responder.1.forwarding.client.urlcheck.1.table.1.issuermatch=*
    responder.1.forwarding.client.urlcheck.1.table.1.url=http://ocsp.acme.com
    responder.1.forwarding.client.response.allowunknown=true
    responder.1.forwarding.client.response.signature.check=false

Each responder needs a signer to operate, but not necessarily a valid one. If the responder only forwards requests, any signer can be configured as long as its CA is present in the trust store.

Example 3

In this example, a forwarding responder is configured that forwards requests over HTTPS and authenticates itself to the upstream responder with a client certificate during the SSL handshake.

  • In the OCSP configuration file, specify as follows:

    responder.1.type=basic
    responder.1.url=http://*:8080/forwardclientssl
    responder.1.workers=5
    responder.1.signature.chain=cert
    responder.1.signer.1.issuerdn=cn=Dummy OCSP CA,c=SE
    responder.1.signer.1.certificate=cn=Dummy OCSP Signer,c=SE
    responder.1.signer.1.pin=1234
    responder.1.forwarding.enabled=true
    responder.1.forwarding.onlyforissuer.1=*
    responder.1.forwarding.client.urlcheck.1=table
    responder.1.forwarding.client.urlcheck.1.table.1.url=https://otherresponder:8444
    responder.1.forwarding.client.urlcheck.1.table.1.issuermatch=*
    responder.1.forwarding.client.authentication.key.certificate=c=SE,cn=SSL Client
    responder.1.forwarding.client.authentication.key.pin=1234
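The urlcheck chain of Example 1 and the lenient settings of Example 2 can be checked offline with a small script. This is an added example, not Nexus code: it reads the properties format, walks the urlcheck entries in order to list the URLs that would be tried for a given issuer DN, and flags forwarding settings that relay upstream answers without verification. The issuermatch semantics are assumed to be a case-insensitive glob, as the `*o=Acme*` pattern suggests; the sample config and issuer DNs are constructed.

```python
import fnmatch

# Constructed sample: the Example 1 configuration from this page, one key per line.
SAMPLE_CONFIG = """
ocsp.client.urlcheck.1=servicelocator
ocsp.client.urlcheck.2=table
ocsp.client.urlcheck.2.table.1.issuermatch=*o=Acme*
ocsp.client.urlcheck.2.table.1.url=http://ocsp.acme.com/ca01
"""

def parse_properties(text):
    """Minimal Java-properties reader: key=value, whitespace around '=' ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def candidate_urls(props, prefix, issuer_dn, aia_url=None):
    """Walk <prefix>.urlcheck.N in order and return the URLs in the order they would be tried.
    servicelocator: the AIA OCSP URL carried by the certificate, if any.
    table: every table entry whose issuermatch pattern matches the issuer DN.
    The glob match is an assumption about issuermatch, not Nexus' own matching code."""
    urls, n = [], 1
    while f"{prefix}.urlcheck.{n}" in props:
        kind = props[f"{prefix}.urlcheck.{n}"]
        if kind == "servicelocator" and aia_url:
            urls.append(aia_url)
        elif kind == "table":
            m = 1
            while f"{prefix}.urlcheck.{n}.table.{m}.url" in props:
                pattern = props.get(f"{prefix}.urlcheck.{n}.table.{m}.issuermatch", "*")
                if fnmatch.fnmatchcase(issuer_dn.lower(), pattern.lower()):
                    urls.append(props[f"{prefix}.urlcheck.{n}.table.{m}.url"])
                m += 1
        n += 1
    return urls

def lenient_settings(props):
    """Return keys of forwarding settings that make the responder relay unverified answers."""
    findings = []
    for key, value in props.items():
        if key.endswith(".client.response.signature.check") and value.lower() == "false":
            findings.append(key)
        if key.endswith(".client.response.allowunknown") and value.lower() == "true":
            findings.append(key)
    return findings
```

For a forwarding responder, pass the prefix `responder.1.forwarding.client` to `candidate_urls`; the same walk applies.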


Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.