KB Article #178503

DV reports a "request response mismatch" when doing OCSP validation

Problem

DV produces an error similar to the following:

D: [01/Jan/2017 00:00:00.000 +0000] Internal Error:83068072 Library:vcopenssl routines Function:OCSP_BASICRESP_VERIFY_ALL Reason:request response mismatch Source File:src\ocsp\vcocspresp.c (594)


This problem may occur when a pre-4.12.1 DV connects to VA 4.12.1 or when DV 4.12.1 connects to a pre-4.12.1 VA.


Resolution

This may indicate a mismatch between the request and response signature algorithms. DV's CertIdHash setting may need to be configured so that the request algorithm matches the response algorithm. The admin guide describes this setting as follows:

The default cert ID hash algorithm instructs Desktop Validator which hash algorithm to use when generating the issuing information for the certificate for which the status is being requested. The algorithm does not affect the signature algorithm of the response; that is determined by the issuing CA. This setting affects backward compatibility with versions of Validation Authority Responder prior to 4.12.1. Previous versions only supported SHA1.

The default cert ID hash algorithm is SHA1. To configure Desktop Validator to use a different cert ID hash algorithm, edit the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Tumbleweed\Desktop Validator\Validation

* CertIdHash

CertIdHash can be set to:

* SHA224 (0x00000001)
* SHA256 (0x00000002)
* SHA384 (0x00000003)
* SHA512 (0x00000004)

CertIdHash defaults to 0 (0x00000000), which selects SHA1 as the cert ID hash algorithm. If the entry is not present in the registry, SHA1 is assumed.
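The following Python is an added illustration, not part of this KB article or of the DV/VA products: it builds an RFC 6960 CertID (hash algorithm, issuer name hash, issuer key hash, serial) for each CertIdHash registry value and shows why a client-side CertID comparison fails when the responder answers with a different hash. The issuer name, issuer key bytes and serial are constructed sample data, and the responder is a simplified model that is assumed to build its CertID with one fixed hash (SHA1 for a pre-4.12.1 VA).

```python
import hashlib

# Registry values documented above: 0 (or absent) selects SHA1, 1..4 select SHA224..SHA512.
CERT_ID_HASH_BY_REGISTRY_VALUE = {0: "sha1", 1: "sha224", 2: "sha256", 3: "sha384", 4: "sha512"}


def der(tag, body):
    """Minimal DER TLV encoder (short-form length only, bodies under 128 bytes)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


# Constructed sample issuer data (not from any real CA): a Name holding a single CN attribute,
# 64 placeholder bytes standing in for the issuer's subjectPublicKey, and a serial number.
ISSUER_NAME_DER = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, b"Example Issuing CA"))))
ISSUER_KEY_BYTES = bytes(range(64))
SERIAL = 0x1234


def build_cert_id(hash_name, issuer_name_der=ISSUER_NAME_DER, issuer_key=ISSUER_KEY_BYTES, serial=SERIAL):
    """RFC 6960 CertID: the hash algorithm plus hashes of the issuer DN and issuer public key."""
    return {
        "hashAlgorithm": hash_name,
        "issuerNameHash": hashlib.new(hash_name, issuer_name_der).hexdigest(),
        "issuerKeyHash": hashlib.new(hash_name, issuer_key).hexdigest(),
        "serialNumber": serial,
    }


def request_cert_id(registry_value):
    """CertID that Desktop Validator would place in its request for a given CertIdHash value."""
    return build_cert_id(CERT_ID_HASH_BY_REGISTRY_VALUE.get(registry_value, "sha1"))


def responder_cert_id(req_id, responder_hash):
    """Assumed responder model: it identifies the same certificate but with its own fixed hash."""
    return build_cert_id(responder_hash, serial=req_id["serialNumber"])


def cert_ids_match(req_id, resp_id):
    """Client-side check behind 'request response mismatch': every CertID field must agree."""
    return all(req_id[k] == resp_id[k] for k in ("hashAlgorithm", "issuerNameHash", "issuerKeyHash", "serialNumber"))


def validate(registry_value, responder_hash):
    """True when the response CertID matches the request built with this CertIdHash value."""
    req_id = request_cert_id(registry_value)
    return cert_ids_match(req_id, responder_cert_id(req_id, responder_hash))


if __name__ == "__main__":
    print("CertIdHash=2 against a SHA1-only VA:", validate(2, "sha1"))    # False: the error case in this KB
    print("CertIdHash=0 against a SHA1-only VA:", validate(0, "sha1"))    # True
    print("CertIdHash=2 against a SHA256 VA:   ", validate(2, "sha256"))  # True
```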