P8245
ATS OCSP stapling misbehaves
Authored by Vgutierrez on Mar 20 2019, 3:25 PM (2019-03-20 15:25:19 UTC).
Referenced Files: F28426028: raw.txt
Forcing use of the ECDSA TLS certificate by setting the cipher to ECDHE-ECDSA-AES256-GCM-SHA384, we still get the OCSP response for the RSA one:
willikins:certs vgutierrez$ echo | openssl s_client -connect localhost:3129 -servername pinkunicorn.wikimedia.org -status -cipher ECDHE-ECDSA-AES256-GCM-SHA384 2>/dev/null |openssl x509 -noout -serial
serial=03948087E0D3AD8134158060E3D0DA9FAC67
willikins:certs vgutierrez$ echo | openssl s_client -connect localhost:3129 -servername pinkunicorn.wikimedia.org -status -cipher ECDHE-ECDSA-AES256-GCM-SHA384 2>/dev/null |grep -B10 "Serial Number"
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
Produced At: Mar 18 15:53:00 2019 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
Serial Number: 03D69595F1DD4CF956DFCAD95E61383B407D
Everything looks as expected for the RSA certificate:
willikins:certs vgutierrez$ echo | openssl s_client -connect localhost:3129 -servername pinkunicorn.wikimedia.org -status -cipher ECDHE-RSA-AES256-GCM-SHA384 2>/dev/null |openssl x509 -noout -serial
serial=03D69595F1DD4CF956DFCAD95E61383B407D
willikins:certs vgutierrez$ echo | openssl s_client -connect localhost:3129 -servername pinkunicorn.wikimedia.org -status -cipher ECDHE-RSA-AES256-GCM-SHA384 2>/dev/null |grep -B10 "Serial Number"
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
Produced At: Mar 18 15:53:00 2019 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
Serial Number: 03D69595F1DD4CF956DFCAD95E61383B407D
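Added example (not part of the paste and not ATS code): a POSIX shell check that automates the comparison made above, pulling the serial of the presented leaf certificate and the serial named in the stapled OCSP response out of a single "openssl s_client -status" capture and flagging a mismatch. The function names (check_staple and the helpers) are hypothetical, and the embedded sample capture is constructed from the output above so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the paste): verify that the OCSP response stapled
# under a given cipher suite belongs to the leaf certificate actually presented.

# Serial of the leaf certificate in a raw `openssl s_client` capture on stdin.
leaf_serial() { openssl x509 -noout -serial 2>/dev/null | sed -n 's/^serial=//p'; }

# Serial named inside the stapled OCSP response of the same capture on stdin.
ocsp_serial() { sed -n 's/^[[:space:]]*Serial Number:[[:space:]]*//p' | head -n 1; }

# Uppercase and drop leading zeros so 03ab... and 3AB... compare equal.
normalize_serial() { printf '%s' "$1" | tr 'a-f' 'A-F' | sed 's/^0*//'; }

# Succeeds only when both serials are present and name the same certificate.
staple_matches() {
  [ -n "$1" ] && [ -n "$2" ] &&
    [ "$(normalize_serial "$1")" = "$(normalize_serial "$2")" ]
}

# Live check (hypothetical helper): check_staple HOST PORT SNI CIPHER
check_staple() {
  capture=$(echo | openssl s_client -connect "$1:$2" -servername "$3" \
                     -status -cipher "$4" 2>/dev/null)
  leaf=$(printf '%s\n' "$capture" | leaf_serial)
  ocsp=$(printf '%s\n' "$capture" | ocsp_serial)
  if [ -z "$leaf" ] || [ -z "$ocsp" ]; then
    echo "NO-DATA $4: leaf='$leaf' staple='$ocsp' (handshake failed or nothing stapled)"
    return 2
  elif staple_matches "$leaf" "$ocsp"; then
    echo "OK $4: staple is for the presented leaf $leaf"
  else
    echo "MISMATCH $4: leaf $leaf but staple is for $ocsp"
    return 1
  fi
}

# Constructed sample (trimmed from the paste's output) so the parser runs offline.
sample_capture() {
  cat <<'EOF'
OCSP Response Status: successful (0x0)
Certificate ID:
Serial Number: 03D69595F1DD4CF956DFCAD95E61383B407D
EOF
}

# Offline reproduction of the paste: the ECDSA leaf serial against the RSA staple.
ecdsa_leaf=03948087E0D3AD8134158060E3D0DA9FAC67
staple=$(sample_capture | ocsp_serial)
staple_matches "$ecdsa_leaf" "$staple" || echo "MISMATCH: leaf $ecdsa_leaf, staple $staple"
```

Run the live form as "check_staple localhost 3129 pinkunicorn.wikimedia.org ECDHE-ECDSA-AES256-GCM-SHA384" and again with the ECDHE-RSA suite; a non-zero exit on the ECDSA run reproduces the behaviour shown above.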