OCSP stapling issues with httpd(8) and ocspcheck(1)

OCSP stapling issues with httpd(8) and ocspcheck(1)

martian
Hello, I am attempting to enable OCSP stapling with httpd; however, when
clients attempt to verify said signature, they fail.

My process for generating the staplefile is as follows:

# ocspcheck -N -o /etc/ssl/ocsp/xxxx.com.der \
                /etc/ssl/private/xxxx.com.fullchain.pem


This appears to generate a valid OCSP responsefile as verified by
ocsptool(1):


# cat /etc/ssl/ocsp/xxxx.com.der  | ocsptool --response-info
OCSP Response Information:
         Response Status: Successful
         Response Type: Basic OCSP Response
         Version: 1
         Responder ID: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
         Produced At: Tue May 09 10:51:00 UTC 2017
         Responses:
             Certificate ID:
               Hash Algorithm: SHA1
               Issuer Name Hash: 7ee66ae7729ab3fcf8a220646c16a12d6071085d
               Issuer Key Hash: a84a6a63047dddbae6d139b7a64565eff3a8eca1
               Serial Number: 04dbfc34be721f3824e59ada8489c6c00492
                 Certificate Status: good
                 This Update: Tue May 09 10:00:00 UTC 2017
                 Next Update: Tue May 16 10:00:00 UTC 2017
         Extensions:


However, when I add an OCSP directive into httpd.conf(5) in order to
enable stapling, it seems OCSP verification fails:

# cat /etc/httpd.conf
server "xxxx.com" {
         listen on * tls port 443
         tls {
                 certificate "/etc/ssl/private/xxxx.com.fullchain.pem"
                 key "/etc/ssl/private/xxxx.com.key"
                 ocsp "/etc/ssl/ocsp/xxxx.com.der"
         }
}


# nc -zvc xxxx.com 443
Connection to xxxx.com 443 port [tcp/https] succeeded!
nc: tls handshake failed (ocsp verify failed: no result for cert)


Firefox also gives an error of:
An error occurred during a connection to xxxx.com. The OCSP response
does not include a status for the certificate being verified. Error
code: MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING


Both work when the ocsp directive is removed from httpd.conf(5).


openssl(1) s_client confirms that the OCSP response is being sent:

# openssl s_client -connect xxxx.com:443 -tlsextdebug  -status
-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----
OCSP response:
======================================
OCSP Response Data:
     OCSP Response Status: successful (0x0)
     Response Type: Basic OCSP Response
     Version: 1 (0x0)
     Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt
Authority X3
     Produced At: May  9 10:52:00 2017 GMT
     Responses:
     Certificate ID:
       Hash Algorithm: sha1
       Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
       Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
       Serial Number: 0474005E94C1946D6FD3EB7A486278E9F643
     Cert Status: good
     This Update: May  9 10:00:00 2017 GMT
     Next Update: May 16 10:00:00 2017 GMT

     Signature Algorithm: sha256WithRSAEncryption
======================================
-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----


Can anyone shed any light on what's going on here? Is it related to the
fact that the Let's Encrypt OCSP responder doesn't use nonces? (meaning one
has to use the -N flag with ocspcheck(1).)

Any clue-by-four responses would be appreciated.

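The two dumps above show different serial numbers in the Certificate ID (04dbfc34... in the staple file dumped with ocsptool(1), 0474005e... in the response httpd actually sent), and both client errors say the staple carries no status for the certificate presented, which is what "no result for cert" means. The following is an added example, not code from the thread, of the pre-flight check a practitioner would run before pointing httpd at a staple file: it parses `openssl ocsp -resp_text` style output, normalizes serials across tools (case, colons, leading zeros), and confirms the served leaf's serial is covered with status good and that Next Update has not passed. Both sample texts are constructed to mirror the outputs above; the openssl invocations named in the comments are assumptions about how the input is obtained.

```python
import re
from datetime import datetime, timezone

# Constructed sample (not from the thread): the staple file as printed by
# `openssl ocsp -respin xxxx.com.der -resp_text -noout`, using the serial
# that ocsptool(1) reported above.
STAPLE_TEXT = """\
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Serial Number: 04DBFC34BE721F3824E59ADA8489C6C00492
    Cert Status: good
    Next Update: May 16 10:00:00 2017 GMT
"""
# Constructed: `openssl x509 -in xxxx.com.fullchain.pem -noout -serial` for
# the leaf httpd serves, using the serial seen in the s_client dump above.
SERVED_SERIAL_TEXT = "serial=0474005E94C1946D6FD3EB7A486278E9F643\n"

def norm_serial(s):
    # Tools differ in case, colons and leading zeros; compare as an integer.
    return int(s.strip().replace(":", ""), 16)

def parse_time(s):
    # OpenSSL prints e.g. "May  9 10:00:00 2017 GMT"; strptime tolerates the double space.
    return datetime.strptime(s.strip(), "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)

def parse_staple(text):
    """Return (response status, {serial: cert status}, Next Update) from -resp_text output."""
    status = re.search(r"OCSP Response Status:\s*(\w+)", text).group(1)
    entries = {}
    # Pair each Certificate ID serial with the Cert Status that follows it.
    for m in re.finditer(r"Serial Number:\s*([0-9A-Fa-f:]+).*?Cert Status:\s*(\w+)", text, re.S):
        entries[norm_serial(m.group(1))] = m.group(2)
    next_update = parse_time(re.search(r"Next Update:\s*(.+)", text).group(1))
    return status, entries, next_update

def check_staple(staple_text, served_serial_text, now_text):
    """List why a client would reject this staple for the served cert; [] means usable."""
    status, entries, next_update = parse_staple(staple_text)
    served = norm_serial(served_serial_text.split("=", 1)[1])
    problems = []
    if status != "successful":
        problems.append("response_status:" + status)
    if served not in entries:
        problems.append("no_result_for_cert")  # the condition seen in this thread
    elif entries[served] != "good":
        problems.append("cert_status:" + entries[served])
    if parse_time(now_text) >= next_update:
        problems.append("staple_expired")  # clients also reject stale staples
    return problems
```

Run it against the real files by piping the two openssl outputs into `check_staple` with the current time; an empty list is the only result worth reloading httpd on.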

Re: OCSP stapling issues with httpd(8) and ocspcheck(1)

martian
To note, I am running 6.1-stable.