On 2017-06-12, jungle Boogie <[email protected]> wrote:
> On 12 June 2017 at 03:28, Stuart Henderson <[email protected]> wrote:
>> On 2017-06-12, jungle boogie <[email protected]> wrote:
>>> Hi All,
>>>
>>> I'm attempting to fetch the latest bsd.rd snapshot, but it's failing
>>> because of the ocsp response.
>>>
>>> $ ftp https://ftp.openbsd.org/pub/OpenBSD/snapshots/amd64/bsd.rd
>>> Trying 129.128.5.191...
>>> Requesting https://ftp.openbsd.org/pub/OpenBSD/snapshots/amd64/bsd.rd
>>> ftp: SSL write error: ocsp verify failed: ocsp response not current
>>>
>>> Currently on
>>> OpenBSD 6.1-current (GENERIC.MP) #116: Sat Jun 10 22:34:37 MDT 2017
>>>
>>> Any clues as to what's happening with the ocsp response?
>>>
>>> Thanks,
>>> j.b.
>>>
>>
>> It's a server-side problem, same on www.openbsd.org. Not visible in
>> normal graphical browsers because they fall back to the CA's OCSP server,
>> whereas ftp(1) just relies on the stapled cert.
>>
>
> Ah, that explains why I didn't see it within Firefox.
>
>> Simplest workaround is to use a mirror, but it does mean that the
>> installer won't be showing the list of mirrors at the moment (or
>> feeding into initial RNG entropy) even if your clock is correct,
>> so you'll also need to type the mirror's hostname by hand in the
>> installer.
>>
>
> FreeBSD's fetch wasn't affected for some reason or another, so I was
> able to fetch bsd.rd and scp it to my OpenBSD machine.

That one doesn't check ocsp (and neither does wget). curl can optionally
check it, but only if you use --cert-status. ftp(1) checks it unless you
set -S noverifytime.

> The auto upgrade either downgraded to http or didn't care about the OCSP.

Ah, auto upgrade with a response file providing the mirror's name might
mean you don't notice it. Any manual upgrades/installs while the ocsp
pinning was outdated would have failed to fetch the mirror list. (It has
since been fixed on the server.)

