Strange message from syspatch

Strange message from syspatch

dmitry.sensei
Strange message from syspatch:
# syspatch
ftp: SSL write error: no OCSP URLs in peer certificate
#

what does this message mean and what to check?

OpenBSD 6.2-stable GENERIC.MP#2 amd64

we have a fortinet in the middle. Previously, it did not interfere with the
utility, since I added its certificate
--
Dmitry Orlov
Re: Strange message from syspatch

Stuart Henderson
On 2018-01-12, dmitry.sensei <[hidden email]> wrote:
> Strange message from syspatch:
> # syspatch
> ftp: SSL write error: no OCSP URLs in peer certificate
> #

Simplest workaround is to download the files yourself and use a local
url in /etc/installurl, e.g. file:///tmp/syspatch.

> what does this message mean and what to check?
>
> OpenBSD 6.2-stable GENERIC.MP#2 amd64
>
> we have a fortinet in the middle. Previously, it did not interfere with the
> utility, since I added its certificate

Most likely the fortinet doesn't include any OCSP URL in its MITM
certificate, but just to be sure, which mirror? (cat /etc/installurl),
and what's in the cert?

$ openssl s_client -connect $hostname:443 -servername $hostname

then copy the server cert and paste into "openssl x509 -text -noout".

CA/B Forum requires an OCSP URL in certs unless stapling is used. But I
don't see how a CA is going to know whether stapling is used so I would
expect certs from the cabal to always have this set so we're unlikely to
run into this with normal servers. So, although we're unlikely to bump
into problems with this code without MITM, I think libtls may be going
a little beyond usual requirements in needing this.

Re: Strange message from syspatch

Bryan Harris
I once had incorrect VM time causing the OCSP response to look like it was out of date,
and syspatch refused in a similar way. But that is different from your situation, I
think.

V/r,
Bryan

On Fri, Jan 12, 2018 at 7:19 AM, Stuart Henderson <[hidden email]>
wrote:

> On 2018-01-12, dmitry.sensei <[hidden email]> wrote:
> > Strange message from syspatch:
> > # syspatch
> > ftp: SSL write error: no OCSP URLs in peer certificate
> > #
>
> Simplest workaround is to download the files yourself and use a local
> url in /etc/installurl, e.g. file:///tmp/syspatch.
>
> > what does this message mean and what to check?
> >
> > OpenBSD 6.2-stable GENERIC.MP#2 amd64
> >
> > we have a fortinet in the middle. Previously, it did not interfere with
> the
> > utility, since I added its certificate
>
> Most likely the fortinet doesn't include any OCSP URL in its MITM
> certificate, but just to be sure, which mirror? (cat /etc/installurl),
> and what's in the cert?
>
> $ openssl s_client -connect $hostname:443 -servername $hostname
>
> then copy the server cert and paste into "openssl x509 -text -noout".
>
> CA/B Forum requires an OCSP URL in certs unless stapling is used. But I
> don't see how a CA is going to know whether stapling is used so I would
> expect certs from the cabal to always have this set so we're unlikely to
> run into this with normal servers. So, although we're unlikely to bump
> into problems with this code without MITM, I think libtls may be going
> a little beyond usual requirements in needing this.
>
>
Re: Strange message from syspatch

Stuart Henderson
On 2018/01/12 09:03, Bryan Harris wrote:
> I once had incorrect VM time causing OCSP response like it was out of date, and syspatch
> refused in a similar way.

Yes. That causes problems for the installer too, it's unable to fetch
the list of mirrors (and ironically the time that it uses to check whether
the clock is out so it can offer to reset it).

> But different than your situation I think.

Definitely.

Re: Strange message from syspatch

Stuart Henderson
On 2018-01-12, Stuart Henderson <[hidden email]> wrote:

> On 2018-01-12, dmitry.sensei <[hidden email]> wrote:
>> Strange message from syspatch:
>> # syspatch
>> ftp: SSL write error: no OCSP URLs in peer certificate
>> #
>
> Simplest workaround is to download the files yourself and use a local
> url in /etc/installurl, e.g. file:///tmp/syspatch.
>
>> what does this message mean and what to check?
>>
>> OpenBSD 6.2-stable GENERIC.MP#2 amd64
>>
>> we have a fortinet in the middle. Previously, it did not interfere with the
>> utility, since I added its certificate
>
> Most likely the fortinet doesn't include any OCSP URL in its MITM
> certificate, but just to be sure, which mirror? (cat /etc/installurl),
> and what's in the cert?
>
> $ openssl s_client -connect $hostname:443 -servername $hostname
>
> then copy the server cert and paste into "openssl x509 -text -noout".

dmitry sent it offlist, it's a typical mitm creating a new cert based
on the original but modified. mirror is ftp.openbsd.org; compared to
the real cert the changes are:

- changed Serial Number, modulus, signature, issuer (obviously).

- following sections removed:
            X509v3 Extended Key Usage:
            X509v3 Subject Key Identifier:
            X509v3 Authority Key Identifier:
            Authority Information Access:
                OCSP - URI:http://ocsp.int-x3.letsencrypt.org
                CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
            X509v3 Certificate Policies:

- changed subject(!)
-        Subject: CN=www.openbsd.org
+        Subject: CN=www.openbsd.org, L=<1543 spaces>

obviously it's the missing AIA that's causing the problem for libtls/ftp.
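The check Stuart describes earlier in the thread (s_client to grab the server cert, then x509 -text to read it) and the diagnosis in this last post (the MITM copy has no Authority Information Access section, so no OCSP URL) can be scripted. The following sh script is an added example, not code from the thread or from OpenBSD; it uses the real openssl x509 -ocsp_uri option and grep over x509 -text output. The hostnames, file names and the two self-signed certificates it generates for testing are constructed here, so everything except fetch_server_cert runs offline; the -addext option in make_test_certs assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not code from the thread: check a certificate for the OCSP URL
# that libtls/ftp(1) expects in the Authority Information Access (AIA) extension.
# Requires openssl(1); "-addext" in make_test_certs needs OpenSSL 1.1.1 or later.

# Fetch the leaf certificate a TLS server presents, as PEM (goes over the
# network; same s_client invocation as in the thread, with SNI set).
fetch_server_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509
}

# Print the OCSP URI(s) from the AIA extension of a PEM certificate file,
# one per line; prints nothing when the extension or its OCSP entry is absent.
cert_ocsp_urls() {
    openssl x509 -in "$1" -noout -ocsp_uri
}

# Exit status 0 if the certificate in $1 carries at least one OCSP URL.
has_ocsp_url() {
    [ -n "$(cert_ocsp_urls "$1")" ]
}

# Exit status 0 if the named X.509v3 extension section (for example
# "Authority Information Access") appears in "openssl x509 -text" output.
cert_has_extension() {
    openssl x509 -in "$1" -noout -text | grep -q "^ *$2:"
}

# Report the certificate the way the thread's diagnosis goes: OCSP URL found,
# AIA present but without an OCSP access method, or AIA section missing.
diagnose_cert() {
    if has_ocsp_url "$1"; then
        echo "ok: OCSP URL present: $(cert_ocsp_urls "$1" | head -n 1)"
        return 0
    elif cert_has_extension "$1" "Authority Information Access"; then
        echo "no OCSP URL: AIA present but has no OCSP entry"
        return 1
    else
        echo "no OCSP URL: Authority Information Access extension missing"
        return 1
    fi
}

# Constructed test material (not a real mirror certificate): two throw-away
# self-signed certs written into directory $1, one without AIA, like the MITM
# cert in the thread, and one with an OCSP URL, like the real CA-issued one.
make_test_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj /CN=mitm.example.invalid \
        -keyout "$1/noaia.key" -out "$1/noaia.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj /CN=real.example.invalid \
        -addext "authorityInfoAccess=OCSP;URI:http://ocsp.example.invalid/" \
        -keyout "$1/aia.key" -out "$1/aia.pem" 2>/dev/null
}
```

Against a live mirror the flow is `fetch_server_cert ftp.openbsd.org > /tmp/mirror.pem` followed by `diagnose_cert /tmp/mirror.pem`; a non-zero exit with the "extension missing" line is the interposed-proxy case from this thread, while a cert that passes here but still fails in syspatch points elsewhere (for instance the clock problem Bryan mentions, which makes a valid OCSP response look stale).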