Windows 7 OCSP malformed request

#1
Hi,

I couldn't get the OCSP revocation check to work on Windows 7. I installed my self-signed Root and Intermediate certificates (generated using openssl 0.9.8) on my Windows 7 machine. I then go to Internet Explorer and type in https://....com:4440. The port sends back a leaf certificate which has an OCSP URL in the extension. And the leaf cert is revoked. I verified it using openssl ocsp -url http://xxx -issuer Ica.crt -cert leaf.crt -CAfile Root.crt.

In IE, type in https://....com:4440. It appears that it takes some time (15 seconds) and comes back with a connection instead of a revocation warning. The Openssl OCSP responder log says "malformed request". If I ping the same from a Windows Vista machine, there is no problem.

Is there a security patch that I need to install or some settings to flip to enable this check? BTW, I do have in IE/Tools/Internet options/Advanced/Security: "check for server certificate revocation" box checked.

Thanks!
-M Plunkett
 


#2
I am using the TORSEC OCSPD responder. The Windows 7 client sends only HTTP GET to OCSPD, instead of HTTP GET and HTTP POST (if GET failed) as CryptAPI 2.0 does in a Windows Vista client. So, my problem is why the Windows 7 client never switches to HTTP POST when HTTP GET fails.

-M Plunkett
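
For anyone debugging a responder that logs "malformed request" on the GET form, the sketch below is an added example (not from the poster and not OCSPD's code) showing how the GET and POST encodings of an OCSP request from RFC 6960 Appendix A are produced and recovered, so a logged request path can be checked offline. The function names, the `/ocsp` base path and the sample hashes and serial are assumptions made for illustration.

```python
import base64
from urllib.parse import quote, unquote

def tlv(tag, content):
    """DER tag-length-value, short-form length (content under 128 bytes)."""
    if len(content) >= 0x80:
        raise ValueError("sample encoder handles short lengths only")
    return bytes([tag, len(content)]) + content

def build_request(name_hash, key_hash, serial):
    """Minimal unsigned OCSPRequest with one SHA-1 CertID (RFC 6960, 4.1.1)."""
    sha1 = tlv(0x30, bytes.fromhex("06052b0e03021a0500"))  # OID + NULL params
    number = tlv(0x02, serial.to_bytes(serial.bit_length() // 8 + 1, "big"))
    cert_id = tlv(0x30, sha1 + tlv(0x04, name_hash) + tlv(0x04, key_hash) + number)
    return tlv(0x30, tlv(0x30, tlv(0x30, tlv(0x30, cert_id))))

def get_path(base_path, der):
    """RFC 6960 A.1: base64 the DER, then percent-encode '/', '+' and '='."""
    b64 = base64.b64encode(der).decode("ascii")
    return base_path.rstrip("/") + "/" + quote(b64, safe="")

def outer_sequence_ok(der):
    """True if der is exactly one SEQUENCE whose length covers the message."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:
        return der[1] == len(der) - 2
    k = der[1] & 0x7F  # long form: k length octets follow
    return 0 < k <= len(der) - 2 and int.from_bytes(der[2:2 + k], "big") == len(der) - 2 - k

def extract_request(method, path, body=b"", content_type="", base_path="/"):
    """Recover the DER request from either transport form, or raise ValueError."""
    if method == "POST":
        if content_type.split(";")[0].strip().lower() != "application/ocsp-request":
            raise ValueError("POST without application/ocsp-request")
        der = body
    elif method == "GET":
        prefix = base_path.rstrip("/") + "/"
        if not path.startswith(prefix):
            raise ValueError("path outside responder base")
        # unquote, not unquote_plus: '+' is a base64 character, not a space
        der = base64.b64decode(unquote(path[len(prefix):]), validate=True)
    else:
        raise ValueError("unsupported method")
    if not outer_sequence_ok(der):
        raise ValueError("malformed request")
    return der

# Constructed sample values, not taken from the thread
SAMPLE = build_request(b"\xff" * 20, b"\x11" * 20, 0x1001)
```

Feeding the request path from the responder's HTTP log into `extract_request("GET", ...)` shows whether the bytes the client sent decode to a complete request or were altered in transit, for example by a front end that rewrites `%2F`.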
 

