httpd(8) does not append valid OCSP tickets

Previous Topic Next Topic
classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view

httpd(8) does not append valid OCSP tickets

 >Synopsis:      httpd(8) does not append valid OCSP tickets
              >Category:      system
        System:  OpenBSD 6.1
        Details: OpenBSD 6.1 (GENERIC) #19: Sat Apr  1 13:42:46 MDT 2017
[hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC
        Architecture: OpenBSD.amd64
        Machine     : amd64
        Attempting to use the ocsp tls option in httpd.conf(5) results
        in an invalid OCSP response. Multiple clients generate an error,
        including in base nc(1) and packages Firefox.
        First create a valid OCSP response ticket with ocspcheck(1)
        including the -N flag as in this case LetsEncrypt OCSP
        responders appear to not support nonces.

        # ocspcheck -N -o ocsp.der /foo/bar/xxxx.fullchain.pem

        Download the relevant CA bundle to verify the OCSP response
        ticket to ensure that ocspcheck(1) is generating a valid ticket

        # ftp -o ca.pem

        Verify OCSP ticket with ocsptool(1) from GNUtls port (may be
        possible with in base openssl(1) but I couldnt decipher the
        relevant manpage section.)

        # ocsptool -e --no-nonce --load-signer ca.pem --load-response ocsp.der
        Verifying OCSP Response: Success.

        Configure httpd(8) with an appropriate httpd.conf(5) that has
        the ocsp option enabled.

        # cat /etc/httpd.conf
        server "" {
          listen on * tls port 443
                tls {
                  certificate "/foo/bar/xxxx.fullchain.pem"
                  key "/foo/bar/xxxx.key"
                  ocsp "/foo/bar/ocsp.der"

        Start httpd(8) (may be reaching into overly explict territory
        here :-) )

        # rcctl start httpd

        Attempt to connect with nc(1):

        # nc -zvc 443
        Connection to 443 port [tcp/https] succeeded!
        nc: tls handshake failed (ocsp verify failed: no result for cert)

        Firefox gives a similar error:

        An error occurred during a connection to The OCSP
        response does not include a status for the certificate being
        verified. Error code:

        Both work fine without the tls ocsp option in httpd.conf(5)

        Could this be related to the -N flag in ocspcheck(1)? Does
        httpd(8) expect a nonce?

        Unknown, no idea how to make this work properly.

Reply | Threaded
Open this post in threaded view

Re: httpd(8) does not append valid OCSP tickets

Should be noted that httpd(8) DOES appear to be appending an OCSP ticket
however, it seems it is not valid in some way:

# openssl s_client -connect -tlsextdebug  -status
OCSP response:
OCSP Response Data:
     OCSP Response Status: successful (0x0)
     Response Type: Basic OCSP Response
     Version: 1 (0x0)
     Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt
Authority X3
     Produced At: May 12 10:51:00 2017 GMT
     Certificate ID:
       Hash Algorithm: sha1
       Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
       Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
       Serial Number: 04DBFC34BE721F3824E59ADA8489C6C00492
     Cert Status: good
     This Update: May 12 10:00:00 2017 GMT
     Next Update: May 19 10:00:00 2017 GMT

     Signature Algorithm: sha256WithRSAEncryption

Reply | Threaded
Open this post in threaded view

Re: httpd(8) does not append valid OCSP tickets

Hmm, it appears now that i have renewed my tickets (my previous tickets
were still valid when I was doing the testing initially), the problem
has went away, and I am now unable to reproduce...