Package: nginx
Version: 1.6.2-5
Severity: normal
Tags: patch upstream fixed-upstream
Control: found -1 1.6.2-5~bpo70+1
Control: fixed -1 1.9.1-1

Not sure how important OCSP stapling is: Chrome is not using it; others
(Firefox) use it mostly in "safe-fail" mode. Providing OCSP stapling
saves Firefox (currently) from doing the OCSP query itself.

nginx encodes the query (for the OCSP GET query against the CA's OCSP server)
with the URI escaped and uses lowercase letters for the hex numbers, which
means = becomes %3d instead of %3D. RFC 3986 section 2.1 says "should be
uppercase"; it also says "'A' through 'F' are equivalent to the lowercase
digits 'a' through 'f'". So it should not be an issue; it is, however,
with some CAs like WoSign.

Luckily, this has been fixed upstream (not on purpose, by accident) in
1.7.4 and I attached the patch.
It would be very nice if this could be fixed in the next point release.
If you (or the release team) decide that this is too minor to even
think about it, then I guess I would have to go for bpo.

Sebastian
>From 94b238c04ae8d63ae8a7e09ea291b627bb0ad240 Mon Sep 17 00:00:00 2001
From: Piotr Sikora <pi...@cloudflare.com>
Date: Thu, 26 Jun 2014 23:39:23 -0700
Subject: [PATCH] Core: use uppercase hexadecimal digits for percent-encoding.

RFC3986 says that, for consistency, URI producers and normalizers
should use uppercase hexadecimal digits for all percent-encodings.

This is also what modern web browsers and other tools use.

Using lowercase hexadecimal digits makes it harder to interact with
those tools in case when use of the percent-encoded URI is required,
for example when $request_uri is part of the cache key.

Signed-off-by: Piotr Sikora <pi...@cloudflare.com>
---
 src/core/ngx_string.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/core/ngx_string.c b/src/core/ngx_string.c
index 4e279176c572..9d854fa0eea6 100644
--- a/src/core/ngx_string.c
+++ b/src/core/ngx_string.c
@@ -1407,7 +1407,7 @@ ngx_escape_uri(u_char *dst, u_char *src, size_t size, ngx_uint_t type)
 {
     ngx_uint_t      n;
     uint32_t       *escape;
-    static u_char   hex[] = "0123456789abcdef";
+    static u_char   hex[] = "0123456789ABCDEF";
 
                     /* " ", "#", "%", "?", %00-%1F, %7F-%FF */
 
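Review bot: the `hex[]` table changed at the top of `ngx_escape_uri()` is shared by every `type` value the function accepts, so this one-line change alters the escaped output for all callers, not only the cache-key case named in the commit message. RFC 3986 treats `%3d` and `%3D` as equivalent, but anything that compares or hashes previously produced escaped strings byte for byte (a stored cache key, for example) will stop matching across the upgrade; that behaviour change deserves a sentence in the commit message or changelog. The diffstat shows only `ngx_string.c` touched, so no test pins the uppercase output; a small regression test on an escaped `=` would keep it from silently reverting.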
-- 
2.1.4
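
The following is an added example, not code from the bug report or from nginx. It uses a simplified percent-encoder (the function names `pct_encode` and `pct_normalize` and the unreserved-character set are assumptions, not nginx's escape tables) on a constructed base64 string to show the `%3d`/`%3D` mismatch described in the report, and the RFC 3986 case normalization a tolerant receiver can apply before comparing or decoding.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Escape every byte outside RFC 3986 "unreserved" with the given hex table
 * (simplified; not nginx's tables). Returns length, 0 if dst is too small. */
size_t pct_encode(char *dst, size_t cap, const char *src, const char *hex)
{
    size_t n = 0;
    for (; *src; src++) {
        unsigned char c = (unsigned char) *src;
        if (isalnum(c) || c == '-' || c == '.' || c == '_' || c == '~') {
            if (n + 1 >= cap) return 0;      /* keep room for the NUL */
            dst[n++] = (char) c;
        } else {
            if (n + 3 >= cap) return 0;
            dst[n++] = '%';
            dst[n++] = hex[c >> 4];
            dst[n++] = hex[c & 0x0f];
        }
    }
    dst[n] = '\0';
    return n;
}

/* RFC 3986 case normalization: uppercase the hex digits of each well-formed
 * %XX triplet in place; other bytes (case-sensitive base64) stay untouched. */
void pct_normalize(char *s)
{
    for (; *s; s++) {
        if (*s == '%' && isxdigit((unsigned char) s[1]) && isxdigit((unsigned char) s[2])) {
            s[1] = (char) toupper((unsigned char) s[1]);
            s[2] = (char) toupper((unsigned char) s[2]);
            s += 2;                          /* skip the two hex digits */
        }
    }
}

int main(void)
{
    char lo[64], up[64];
    const char *b64 = "MEIwQDA+/w==";  /* constructed sample, not a real OCSP request */
    pct_encode(lo, sizeof lo, b64, "0123456789abcdef");
    pct_encode(up, sizeof up, b64, "0123456789ABCDEF");
    printf("%s\n%s\nbytewise equal: %d\n", lo, up, strcmp(lo, up) == 0);
    pct_normalize(lo);
    printf("equal after normalization: %d\n", strcmp(lo, up) == 0);
    return 0;
}
```
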
