On 2019.08.20 at 08:48 UTC we received a report from community member and 
Apache httpd developer, Stefan Eissing, that under certain conditions our OCSP 
caching layer would return a valid OCSP response but not the one that was 
requested. This resulted in our OCSP service acting in violation of RFC 6960.

Upon further investigation we believe that the only condition that would 
trigger the incorrect behavior was making the OCSP request via POST with the 
“Expect: 100-continue” header described in RFC 7231 section 5.1.1 set. So far 
we have no reason to believe that the problem affected any significant portion 
of OCSP requests.

We quickly determined that the problem was with our CDN, Akamai, since our OCSP 
responder origin servers were not seeing any of the requests in question. We 
reported the problem to Akamai and they have fixed the issue.

After initially confirming the report we reached out to multiple other CAs that 
we believed would also be affected. Other affected CAs should also benefit from 
the fix that Akamai made.
dev-security-policy mailing list

Reply via email to