gpgsm and OCSP problems

Hubert Kario hka at qbs.com.pl
Wed Jul 20 18:57:09 CEST 2011


Hi all!

I'm not sure if I have configured the gnupg package correctly, but when I enable 
OCSP I'm unable to validate certificates (gpgsm --with-validation -k).

When I add "enable-ocsp" to gpgsm.conf and "allow-ocsp" to dirmngr.conf I get
either "Unknown system error" or an "End of file error", even when the only
other configuration variable is "honor-http-proxy" in dirmngr.conf.

I tried adding CA certificates to ".gnugp/trusted-certs/" and intermediate 
certificates together with OCSP responder server to ".gnupg/extra-certs/".
I verified that certificates are loaded by dirmngr, contain OCSP server 
addresses and that the servers are queried.

I'm using 
gpgsm (GnuPG) 2.0.17
libgcrypt 1.4.6
libksba 1.0.8

Log follows:

gpgsm[23389]: chan_9 -> [ 44 20 30 82 06 34 30 82 04 1c a0 03 02 01 02 02 ...
    (982 byte(s) skipped) ]
gpgsm[23389]: chan_9 -> [ 44 20 05 07 02 01 16 22 68 74 74 70 3a 2f 2f 77 ...
    (630 byte(s) skipped) ]
gpgsm[23389]: chan_9 -> END
dirmngr[23390]: chan_6 <- [ 44 20 30 82 06 34 30 82 04 1c a0 03 02 01 02 02
    ...(982 byte(s) skipped) ]
dirmngr[23390]: chan_6 <- [ 44 20 05 07 02 01 16 22 68 74 74 70 3a 2f 2f 77
    ...(630 byte(s) skipped) ]
dirmngr[23390]: chan_6 <- END
dirmngr[23390.0]: using OCSP responder
    `http://ocsp.startssl.com/sub/class3/client/ca'
dirmngr[23390.0]: OCSP responder at
    `http://ocsp.startssl.com/sub/class3/client/ca' status: success
dirmngr[23390]: chan_6 -> S ONLY_VALID_IF_CERT_VALID
     D9DF4E2507CB1A4E76DF761CB5505625E5E23B67
dirmngr[23390.0]: certificate status is: good  (this=20110720T120126 
     next=20110721T123920)
gpgsm[23389]: chan_9 <- S ONLY_VALID_IF_CERT_VALID
     D9DF4E2507CB1A4E76DF761CB5505625E5E23B67
dirmngr[23390]: chan_6 -> OK
gpgsm[23389]: chan_9 <- OK
gpgsm[23389]: unable to find the certificate used by the dirmngr: Unknown
     system error

-- 
Hubert Kario
QBS - Quality Business Software
02-656 Warszawa, ul. Ksawerów 30/85
tel. +48 (22) 646-61-51, 646-74-24
www.qbs.com.pl