Hi Rob,

I'm sending POSTs rather than GETs, so this shouldn't be an issue.

The code for OCSP Watch isn't publicly available, but I'll look into pulling out the core bits into a library that can be open sourced.

Note that crt.sh is also getting a "malformed" response for at least some of these certs, e.g. https://crt.sh/?id=6393049625&opt=ocsp

Regards,
Andrew

On Tue, 22 Mar 2022 20:28:22 +0000 Rob Stradling <[email protected]> wrote:

> Hi Andrew. Thanks for creating this! One initial comment...
>
> I've started looking at the Sectigo OCSP responses that you've flagged, along with the corresponding OCSP requests that you sent. There seems to be a pattern for the requests that led to "malformed" responses: the base64 encodings of those requests (the ones I've looked at anyway) all seem to contain one or more occurrences of two consecutive forward-slashes. I can only reproduce a "malformed" response if I don't URL-encode those occurrences of "//" in an OCSP GET request.
>
> Quoting Corey from https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/cMegyySSqhM/m/G7s5tFR4BAAJ:
> "'/' is noticeably absent from the pchar production rule (which makes sense, as it's used as the path segment delimiter), so it must be percent-encoded."
>
> So I believe that "malformed" is actually the correct response here. See also https://crt.sh/ocsp-responders, which amongst other things does a test for "GET request containing multiple forward-slashes".
>
> Can you confirm whether or not you're leaving "//" un-URL-encoded?
>
> Also, is your code for ocspwatch publicly available?
>
> ________________________________
> From: [email protected] <[email protected]> on behalf of Andrew Ayer <[email protected]>
> Sent: 22 March 2022 15:14
> To: [email protected] <[email protected]>
> Subject: Introducing OCSP Watch to Monitor OCSP Responder Reliability
>
> Recently, we've seen several CA incidents related to the failure to provide OCSP responses, such as not operating OCSP services for abandoned certificate orders <https://bugzilla.mozilla.org/show_bug.cgi?id=1758027>, or publishing OCSP responses with lengthy delays <https://bugzilla.mozilla.org/show_bug.cgi?id=1758372>.
>
> To smoke out these issues, I've created OCSP Watch, which continuously audits a sample of unexpired certificates found in Certificate Transparency logs to make sure CAs are correctly operating OCSP services. OCSP Watch has identified over 1,000 certificates issued by 20 distinct CAs for which the CA is not providing a valid OCSP response.
>
> The list of certificates can be found here:
>
> https://sslmate.com/labs/ocsp_watch/
>
> OCSP responses are considered valid if the responder returns a response within 10 seconds that can be successfully parsed by Go's golang.org/x/crypto/ocsp package, and has a status of Good or Revoked.
>
> CAs should examine the above list and file an Incident Report if necessary.
>
> Regards,
> Andrew
>
> --
> You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/20220322111454.dd41936a93e1b576818510d9%40andrewayer.name.
>
> --
> You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/MW4PR17MB47294004773DF94FF7CE8B07AA179%40MW4PR17MB4729.namprd17.prod.outlook.com.
--
You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/20220322164715.692ccdf3eb4ba75e7e1bd12b%40andrewayer.name.
