httpd(8) does not append valid OCSP tickets


httpd(8) does not append valid OCSP tickets

martian
 >Synopsis:      httpd(8) does not append valid OCSP tickets
 >Category:      system
 >Environment:
        System:  OpenBSD 6.1
        Details: OpenBSD 6.1 (GENERIC) #19: Sat Apr  1 13:42:46 MDT 2017
                 [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC
        Architecture: OpenBSD.amd64
        Machine     : amd64
 >Description:
        Attempting to use the ocsp tls option in httpd.conf(5) results
        in an invalid OCSP response. Multiple clients generate an error,
        including nc(1) in base and Firefox from packages.
 >How-To-Repeat:
        First create a valid OCSP response ticket with ocspcheck(1),
        including the -N flag, as in this case the Let's Encrypt OCSP
        responders appear not to support nonces.

        # ocspcheck -N -o ocsp.der /foo/bar/xxxx.fullchain.pem

        Download the relevant CA bundle to verify the OCSP response
        ticket to ensure that ocspcheck(1) is generating a valid ticket

        # ftp -o ca.pem https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt

        Verify the OCSP ticket with ocsptool(1) from the GnuTLS port (may be
        possible with openssl(1) in base, but I couldn't decipher the
        relevant manpage section.)

        # ocsptool -e --no-nonce --load-signer ca.pem --load-response ocsp.der
        Verifying OCSP Response: Success.

        Configure httpd(8) with an appropriate httpd.conf(5) that has
        the ocsp option enabled.

        # cat /etc/httpd.conf
        server "xxxx.com" {
                listen on * tls port 443
                tls {
                        certificate "/foo/bar/xxxx.fullchain.pem"
                        key "/foo/bar/xxxx.key"
                        ocsp "/foo/bar/ocsp.der"
                }
        }

        Start httpd(8) (may be reaching into overly explicit territory
        here :-) )

        # rcctl start httpd

        Attempt to connect with nc(1):

        # nc -zvc xxxx.com 443
        Connection to xxxx.com 443 port [tcp/https] succeeded!
        nc: tls handshake failed (ocsp verify failed: no result for cert)

        Firefox gives a similar error:

        An error occurred during a connection to xxxx.com. The OCSP
        response does not include a status for the certificate being
        verified. Error code:
        MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING

        Both work fine without the tls ocsp option in httpd.conf(5)

        Could this be related to the -N flag in ocspcheck(1)? Does
        httpd(8) expect a nonce?

 >Fix:
        Unknown, no idea how to make this work properly.


Re: httpd(8) does not append valid OCSP tickets

martian
It should be noted that httpd(8) DOES appear to be appending an OCSP ticket;
however, it seems it is not valid in some way:

# openssl s_client -connect xxxx.com:443 -tlsextdebug  -status
-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----
OCSP response:
======================================
OCSP Response Data:
     OCSP Response Status: successful (0x0)
     Response Type: Basic OCSP Response
     Version: 1 (0x0)
     Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
     Produced At: May 12 10:51:00 2017 GMT
     Responses:
     Certificate ID:
       Hash Algorithm: sha1
       Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
       Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
       Serial Number: 04DBFC34BE721F3824E59ADA8489C6C00492
     Cert Status: good
     This Update: May 12 10:00:00 2017 GMT
     Next Update: May 19 10:00:00 2017 GMT

     Signature Algorithm: sha256WithRSAEncryption
          02:7c:5b:45:01:b0:e0:95:5f:0b:55:4e:09:84:45:21:7e:79:
          cd:ce:4c:3a:79:a1:aa:b9:90:ee:75:ab:9e:6d:7e:4d:8a:36:
          e1:bc:4a:0b:aa:e7:98:4c:ed:3e:1b:78:c7:64:49:92:07:3f:
          e6:1a:8e:69:8f:33:f1:48:9d:67:1e:e1:bb:d7:15:e0:81:e8:
          76:82:3f:14:c1:5d:89:e6:ec:8f:90:20:65:5b:f9:7b:95:94:
          1d:ca:15:ee:b5:a1:66:b8:7d:d7:e9:6a:60:b3:ac:fb:f1:81:
          53:9e:c9:29:25:a6:98:f0:a2:17:1e:df:d7:52:0b:67:0c:76:
          e2:11:fa:39:ab:93:fc:71:40:3a:ff:db:c4:31:b9:d5:ef:00:
          d7:5d:5b:8c:f4:ac:64:6d:3d:33:54:67:23:58:2b:2c:b0:7c:
          3a:2a:5d:ac:6e:0f:5e:98:17:11:6f:b3:e0:4a:6d:72:86:7c:
          4b:7d:97:a3:de:bb:de:9a:9b:01:fe:f0:95:e0:16:cc:ca:88:
          bd:2f:f2:8f:f2:39:29:c9:81:98:d1:8c:bb:60:d5:11:fc:58:
          4a:f7:59:c2:b9:86:67:d8:23:8f:ed:65:9b:c0:c8:17:39:f5:
          24:45:c6:a0:e8:57:3b:c0:35:91:94:8a:a3:5b:c8:04:66:61:
          52:6b:17:5f
======================================
-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----


Re: httpd(8) does not append valid OCSP tickets

martian
Hmm, it appears now that I have renewed my tickets (my previous tickets
were still valid when I was doing the testing initially), the problem
has gone away, and I am now unable to reproduce...
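The errors quoted in the first post ("no result for cert" from nc(1), MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING from Firefox) both say the same thing: the stapled response parsed fine but contained no SingleResponse whose CertID matches the certificate being verified. A stale ocsp.der fetched for a certificate that has since been renewed is one general way to end up in that state. The following script is an added example, not OpenBSD code and not from the poster: it walks a DER OCSPResponse with a minimal pure-Python DER reader, lists the serials it covers, and checks that a given serial is reported "good" inside the thisUpdate/nextUpdate window. It assumes single-byte DER tags (true for OCSP structures) and positive serials; it does not verify the responder signature, which is what ocsptool(1) or `openssl ocsp` is for. The sample response is constructed in the script with the CertID values, serial and dates printed by s_client in the second post.

```python
# Added example, not OpenBSD code and not the poster's: walk a DER OCSPResponse
# (e.g. ocsp.der from ocspcheck(1)) and check it carries a fresh "good" status for
# a given certificate serial. Assumes single-byte DER tags and positive serials.
import datetime

UTC = datetime.timezone.utc

def utc(y, mo, d, h=0):
    return datetime.datetime(y, mo, d, h, tzinfo=UTC)

def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER TLV at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                                    # short-form length
        length, start = first, pos + 2
    else:                                               # long form: 0x8N then N length bytes
        n = first & 0x7F
        length, start = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    if start + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[start:start + length], start + length

def _children(content):
    """Split a constructed value's content into a list of (tag, content)."""
    items, pos = [], 0
    while pos < len(content):
        tag, body, pos = _read_tlv(content, pos)
        items.append((tag, body))
    return items

def _gentime(raw):                                      # GeneralizedTime "YYYYMMDDHHMMSSZ"
    return datetime.datetime.strptime(raw.decode("ascii"), "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)

def parse_ocsp_response(der):
    """Return (responseStatus, list of dicts: serial, status, issuer hashes, this/next update)."""
    top = _children(_read_tlv(der, 0)[1])               # OCSPResponse SEQUENCE
    status = top[0][1][0]                               # responseStatus ENUMERATED
    if status != 0 or len(top) < 2:
        return status, []                               # error response carries no responseBytes
    rb = _children(_children(top[1][1])[0][1])          # [0] EXPLICIT -> ResponseBytes
    basic = _children(_read_tlv(rb[1][1], 0)[1])        # OCTET STRING holds BasicOCSPResponse
    tbs = _children(basic[0][1])                        # ResponseData
    i = 1 if tbs[0][0] == 0xA0 else 0                   # skip optional [0] version
    out = []
    for _, sr in _children(tbs[i + 2][1]):              # SEQUENCE OF SingleResponse
        parts = _children(sr)
        cid = _children(parts[0][1])                    # CertID: hashAlg, nameHash, keyHash, serial
        entry = {"serial": int.from_bytes(cid[3][1], "big"),
                 "issuer_name_hash": cid[1][1].hex().upper(),
                 "issuer_key_hash": cid[2][1].hex().upper(),
                 # CertStatus CHOICE: good [0] NULL, revoked [1] RevokedInfo, unknown [2] NULL
                 "status": {0x80: "good", 0xA1: "revoked", 0x82: "unknown"}.get(parts[1][0], "?"),
                 "this_update": _gentime(parts[2][1]), "next_update": None}
        if len(parts) > 3 and parts[3][0] == 0xA0:      # nextUpdate [0] EXPLICIT, optional
            entry["next_update"] = _gentime(_children(parts[3][1])[0][1])
        out.append(entry)
    return status, out

def check_staple(der, cert_serial, now=None):
    """(ok, reason): ok only if a successful response names cert_serial 'good' and is current."""
    now = now or datetime.datetime.now(UTC)
    status, singles = parse_ocsp_response(der)
    if status != 0:
        return False, "responseStatus %d (not successful)" % status
    for s in singles:
        if s["serial"] != cert_serial:
            continue
        if s["status"] != "good":
            return False, "status for cert is %s" % s["status"]
        if s["this_update"] > now:
            return False, "thisUpdate is in the future"
        if s["next_update"] is not None and s["next_update"] < now:
            return False, "response expired at %s" % s["next_update"].isoformat()
        return True, "good"
    return False, "no result for cert (serials present: %s)" % ", ".join("%X" % s["serial"] for s in singles)

# --- constructed sample data; CertID values, serial and dates are those s_client printed ---
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    nb = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nb]) + n.to_bytes(nb, "big") + content

def _gt(dt):
    return _tlv(0x18, dt.strftime("%Y%m%d%H%M%SZ").encode())

SAMPLE_SERIAL = 0x04DBFC34BE721F3824E59ADA8489C6C00492
NAME_HASH = bytes.fromhex("7EE66AE7729AB3FCF8A220646C16A12D6071085D")
KEY_HASH = bytes.fromhex("A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1")

def build_sample_response(serial, this_update, next_update, status_tag=0x80):
    """Minimal OCSPResponse for one serial with a placeholder signature (parser exercise only)."""
    serial_der = _tlv(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
    sha1 = _tlv(0x30, _tlv(0x06, bytes.fromhex("2b0e03021a")) + _tlv(0x05, b""))
    cert_id = _tlv(0x30, sha1 + _tlv(0x04, NAME_HASH) + _tlv(0x04, KEY_HASH) + serial_der)
    cert_status = _tlv(status_tag, _gt(this_update) if status_tag == 0xA1 else b"")  # revoked carries a time
    single = _tlv(0x30, cert_id + cert_status + _gt(this_update) + _tlv(0xA0, _gt(next_update)))
    tbs = _tlv(0x30, _tlv(0xA2, _tlv(0x04, KEY_HASH)) + _gt(this_update) + _tlv(0x30, single))
    sig_alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))
    basic = _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00" * 9))                          # placeholder BIT STRING
    rb = _tlv(0x30, _tlv(0x06, bytes.fromhex("2b0601050507300101")) + _tlv(0x04, basic))  # id-pkix-ocsp-basic
    return _tlv(0x30, _tlv(0x0A, b"\x00") + _tlv(0xA0, rb))                              # status successful

def build_error_response(status):
    """OCSPResponse with a non-successful responseStatus (e.g. 3 = tryLater) and no body."""
    return _tlv(0x30, _tlv(0x0A, bytes([status])))

def sample_der():
    return build_sample_response(SAMPLE_SERIAL, utc(2017, 5, 12, 10), utc(2017, 5, 19, 10))
```

Against a real deployment, pass `check_staple` the bytes of ocsp.der and the serial printed by `openssl x509 -in xxxx.fullchain.pem -noout -serial`; a serial mismatch is exactly the "no result for cert" condition nc(1) reported, and the nextUpdate check catches a staple that has gone stale since it was fetched. The issuer hashes in the returned entries can be compared by eye with the s_client output; signature verification still belongs to ocsptool(1) or `openssl ocsp`.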
