Package: nginx
Version: 1.6.2-5
Severity: normal
Tags: patch upstream fixed-upstream
Control: found -1 1.6.2-5~bpo70+1
Control: fixed -1 1.9.1-1

Not sure how important OCSP-stapling is: Chrome is not using it; others (Firefox) use it mostly in "safe-fail" mode. Providing an OCSP stapling saves Firefox (currently) from doing the OCSP query itself.

nginx encodes the query (for the OCSP GET query against the CA's OCSP server) with the URI escaped and uses lower case letters for the hex numbers, which means = becomes %3d instead of %3D. RFC3986 section 2.1 says "should be uppercase"; it also says "'A' through 'F' are equivalent to the lowercase digits 'a' through 'f'". So it should not be an issue - it is, however, with some CAs like WoSign.

Luckily, this has been fixed upstream (not on purpose, by accident) in 1.7.4 and I attached the patch. It would be very nice if this could be fixed in the next point release. If you (or the release team) decide that this is too minor to even think about it then I guess I would have to go for bpo.

Sebastian

>From 94b238c04ae8d63ae8a7e09ea291b627bb0ad240 Mon Sep 17 00:00:00 2001 From: Piotr Sikora <pi...@cloudflare.com> Date: Thu, 26 Jun 2014 23:39:23 -0700 Subject: [PATCH] Core: use uppercase hexadecimal digits for percent-encoding. RFC3986 says that, for consistency, URI producers and normalizers should use uppercase hexadecimal digits for all percent-encodings. This is also what modern web browsers and other tools use. Using lowercase hexadecimal digits makes it harder to interact with those tools in case when use of the percent-encoded URI is required, for example when $request_uri is part of the cache key. Signed-off-by: Piotr Sikora <pi...@cloudflare.com> --- src/core/ngx_string.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/core/ngx_string.c b/src/core/ngx_string.c index 4e279176c572..9d854fa0eea6 100644 --- a/src/core/ngx_string.c +++ b/src/core/ngx_string.c @@ -1407,7 +1407,7 @@ ngx_escape_uri(u_char *dst, u_char *src, size_t size, ngx_uint_t type) { ngx_uint_t n; uint32_t *escape; - static u_char hex[] = "0123456789abcdef"; + static u_char hex[] = "0123456789ABCDEF"; /* " ", "#", "%", "?", %00-%1F, %7F-%FF */ -- 2.1.4
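
Review bot: the `hex[]` table changed in ngx_escape_uri() is shared by every escape `type` the function accepts, so switching it to uppercase changes the escaped output for all callers at once. Any escaped string that is stored or compared byte-for-byte (the commit message itself mentions cache keys built from a percent-encoded URI) will stop matching values produced with the lowercase table. For a stable backport that deserves a line in the commit message or changelog, plus a test that pins the expected uppercase output for at least one escaped byte such as `=`.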
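
The report above turns on two percent-encodings that RFC 3986 treats as equivalent but a byte-wise comparison does not. The following C sketch is an added example, not nginx code and not part of the report or patch: `pct_encode`, `is_pct` and `uri_equal` are hypothetical helpers, the "escape everything outside the unreserved set" rule is a simplifying assumption, and the base64 string is a constructed sample rather than a real OCSP request.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Escape all but RFC 3986 unreserved bytes (simplified rule, assumed here). */
static void pct_encode(char *dst, const char *src, int upper)
{
    const char *hex = upper ? "0123456789ABCDEF" : "0123456789abcdef";
    for (; *src; src++) {
        unsigned char c = (unsigned char) *src;
        if (isalnum(c) || strchr("-._~", c)) {
            *dst++ = (char) c;
        } else {
            *dst++ = '%';
            *dst++ = hex[c >> 4];
            *dst++ = hex[c & 0x0f];
        }
    }
    *dst = '\0';
}

static int is_pct(const char *s)   /* does s start with "%XX"? */
{
    return s[0] == '%' && isxdigit((unsigned char) s[1])
           && isxdigit((unsigned char) s[2]);
}

/* Compare two URIs: hex digits of %XX triplets are case-insensitive
 * (RFC 3986 section 2.1); every other byte must match exactly. */
static int uri_equal(const char *a, const char *b)
{
    while (*a && *b) {
        int n = (is_pct(a) && is_pct(b)) ? 3 : 1;  /* bytes in this unit */
        for (int i = 0; i < n; i++, a++, b++) {
            int ca = (unsigned char) *a, cb = (unsigned char) *b;
            if (n == 3 ? tolower(ca) != tolower(cb) : ca != cb)
                return 0;
        }
    }
    return *a == *b;
}

int main(void)
{
    char lo[64], up[64];
    pct_encode(lo, "MEIwQDA+/w==", 0);   /* constructed sample input */
    pct_encode(up, "MEIwQDA+/w==", 1);
    printf("%s\n%s\nuri_equal=%d\n", lo, up, uri_equal(lo, up));
    return 0;
}
```

Only the triplet digits are folded; the base64 text itself stays case-sensitive, which is why a blanket case-insensitive compare would be the wrong way to normalize such a request.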