Page MenuHomePhabricator
Paste P8245

ATS OCSP stapling misbehaves
ActivePublic
Actions

Authored by Vgutierrez on Mar 20 2019, 3:25 PM.
Tags
None
Referenced Files
F28426028: raw.txt
Mar 20 2019, 3:25 PM
Subscribers
None
Forcing to use the ECDSA TLS certificate by setting the cipher to ECDHE-ECDSA-AES256-GCM-SHA384 we still get the OCSP response for the RSA one:
willikins:certs vgutierrez$ echo | openssl s_client -connect localhost:3129 -servername pinkunicorn.wikimedia.org -status -cipher ECDHE-ECDSA-AES256-GCM-SHA384 2>/dev/null |openssl x509 -noout -serial
serial=03948087E0D3AD8134158060E3D0DA9FAC67
willikins:certs vgutierrez$ echo | openssl s_client -connect localhost:3129 -servername pinkunicorn.wikimedia.org -status -cipher ECDHE-ECDSA-AES256-GCM-SHA384 2>/dev/null |grep -B10 "Serial Number"
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
Produced At: Mar 18 15:53:00 2019 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
Serial Number: 03D69595F1DD4CF956DFCAD95E61383B407D
Everything looks as expected for the RSA certificate:
willikins:certs vgutierrez$ echo | openssl s_client -connect localhost:3129 -servername pinkunicorn.wikimedia.org -status -cipher ECDHE-RSA-AES256-GCM-SHA384 2>/dev/null |openssl x509 -noout -serial
serial=03D69595F1DD4CF956DFCAD95E61383B407D
willikins:certs vgutierrez$ echo | openssl s_client -connect localhost:3129 -servername pinkunicorn.wikimedia.org -status -cipher ECDHE-RSA-AES256-GCM-SHA384 2>/dev/null |grep -B10 "Serial Number"
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
Produced At: Mar 18 15:53:00 2019 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
Serial Number: 03D69595F1DD4CF956DFCAD95E61383B407D
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL