Re: httpd incorrectly handles OCSP stapling

2017-08-29 Thread lists+bugs
On Mon, Aug 14, 2017 at 08:00:11AM +0200, Andreas Bartelt wrote:
> On 08/13/17 08:50, Joel Sing wrote:
> > On Friday 11 August 2017 03:31:27 lists+b...@ggp2.com wrote:
> ...
> > 
> > This should already be fixed in -current.
> > 
> 
> I've just tested OCSP stapling via httpd with multiple domains on current
> (all domains also resolve to the same IP address in this setup). I'm
> observing the same problem, i.e., OCSP stapling only works for the first
> domain which has been defined in httpd.conf.

I just confirmed on the latest snapshot (with the ALPN fix) that OCSP is
still broken for multiple domains.  I have 2 domains test1.ggp2.com and
test2.ggp2.com.  Whichever domain defines the OCSP certificate first
works fine.

e.g.

server "test1.ggp2.com" {
    ocsp...
}
server "test2.ggp2.com" {
    ocsp...
}

Then test1.ggp2.com works, and if

server "test2.ggp2.com" {
    ocsp...
}
server "test1.ggp2.com" {
    ocsp...
}

then test2.ggp2.com works.

The error firefox gives is:

MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING, which is different
from what I was seeing before.  Chrome now works, and SSL Labs reports
"Invalid   No response provided".

httpd.conf is as follows:

ext_addr="*"

server "default" {
    listen on $ext_addr port 80

    block return 302 "https://test1.ggp2.com$REQUEST_URI"
}

server "test1.ggp2.com" {
    listen on $ext_addr port 80
    alias "test2.ggp2.com"

    block return 301 "https://$SERVER_NAME$REQUEST_URI"
}

server "test1.ggp2.com" {
    listen on $ext_addr tls port 443

    hsts {
        subdomains
        preload
    }

    tls {
        certificate "/etc/ssl/acme/test1.ggp2.com.fullchain.pem"
        key "/etc/ssl/acme/private/test1.ggp2.com.key"
        ocsp "/etc/ssl/acme/test1.ggp2.com.der"
    }

    location "/.well-known/acme-challenge/*" {
        root "/acme"
        root strip 2
    }
}

server "test2.ggp2.com" {
    listen on $ext_addr tls port 443

    hsts {
        subdomains
        preload
    }

    tls {
        certificate "/etc/ssl/acme/test2.ggp2.com.fullchain.pem"
        key "/etc/ssl/acme/private/test2.ggp2.com.key"
        ocsp "/etc/ssl/acme/test2.ggp2.com.der"
    }

    location "/.well-known/acme-challenge/*" {
        root "/acme"
        root strip 2
    }
}
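
The browser-side condition behind MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING is simple to check offline: the CertID serial number inside the stapled OCSP response must equal the serial of the leaf certificate the server actually presented for that SNI name. The checker below is an added example for this thread, not code from the thread or from OpenBSD httpd. It parses only the DER fields needed for that comparison (RFC 5280 Certificate and RFC 6960 OCSPResponse) and runs against constructed stand-in DER blobs; the serial numbers, the fake_cert_der/fake_ocsp_der builders and the name audit_stapling are assumptions for the example. With real inputs, cert_der would be the first certificate of a .fullchain.pem after base64 decoding and ocsp_der the file written by `ocspcheck -o` (or the response observed for each name with `openssl s_client -servername NAME -status`).

```python
from typing import Dict, Tuple

# id-pkix-ocsp-basic (1.3.6.1.5.5.7.48.1.1), the only responseType a stapled response may carry
ID_PKIX_OCSP_BASIC = bytes.fromhex("2b0601050507300101")
CERT_STATUS = {0x80: "good", 0xA1: "revoked", 0x82: "unknown"}   # CertStatus CHOICE tags

# --- minimal DER helpers: tlv()/der_int() build the constructed samples, children() decodes
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def der_int(value: int) -> bytes:
    n = (value.bit_length() + 8) // 8          # +8 keeps the sign bit clear for non-negative values
    return tlv(0x02, value.to_bytes(n, "big"))

def children(body: bytes):
    """Split a constructed DER body into (tag, value) pairs; handles short and long lengths."""
    out, off = [], 0
    while off < len(body):
        tag, ln, off = body[off], body[off + 1], off + 2
        if ln & 0x80:
            k = ln & 0x7F
            ln, off = int.from_bytes(body[off:off + k], "big"), off + k
        out.append((tag, body[off:off + ln]))
        off += ln
    return out

def _body(der: bytes) -> bytes:
    return children(der)[0][1]                 # content of the single outer TLV

def cert_serial(cert_der: bytes) -> int:
    """serialNumber of Certificate.tbsCertificate (RFC 5280 section 4.1)."""
    tbs = children(children(_body(cert_der))[0][1])
    idx = 1 if tbs[0][0] == 0xA0 else 0        # skip EXPLICIT [0] version when present
    return int.from_bytes(tbs[idx][1], "big", signed=True)

def ocsp_single_responses(ocsp_der: bytes) -> Dict[int, str]:
    """{serial: status} for every SingleResponse in an OCSPResponse (RFC 6960 section 4.2.1)."""
    outer = children(_body(ocsp_der))          # [responseStatus, [0] responseBytes]
    if outer[0][1] != b"\x00":
        raise ValueError("OCSP responseStatus is not successful(0)")
    rtype, rdata = children(children(outer[1][1])[0][1])   # responseType OID, response OCTET STRING
    if rtype[1] != ID_PKIX_OCSP_BASIC:
        raise ValueError("unexpected OCSP responseType")
    basic = children(_body(rdata[1]))          # BasicOCSPResponse: tbsResponseData comes first
    tbs = children(basic[0][1])
    responses = next(v for t, v in tbs if t == 0x30)       # responses SEQUENCE OF SingleResponse
    found = {}
    for _, single in children(responses):
        fields = children(single)              # [certID, certStatus, thisUpdate, ...]
        cert_id = children(fields[0][1])       # [hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber]
        serial = int.from_bytes(cert_id[3][1], "big", signed=True)
        found[serial] = CERT_STATUS.get(fields[1][0], "unknown")
    return found

def stapled_response_covers(cert_der: bytes, ocsp_der: bytes) -> Tuple[bool, str]:
    """True only if the stapled response names this certificate's serial and reports it good."""
    serial, found = cert_serial(cert_der), ocsp_single_responses(ocsp_der)
    if serial not in found:
        return False, (f"response covers {[hex(s) for s in found]}, not {hex(serial)} "
                       "(OCSP_RESPONSE_FOR_CERT_MISSING)")
    return found[serial] == "good", found[serial]

def audit_stapling(vhosts: Dict[str, Tuple[bytes, bytes]]) -> Dict[str, Tuple[bool, str]]:
    """vhosts: {server_name: (leaf cert DER, OCSP response DER observed for that SNI name)}."""
    return {name: stapled_response_covers(c, o) for name, (c, o) in vhosts.items()}

# --- constructed stand-ins (NOT real certificates or responses): only the fields read above matter
def fake_cert_der(serial: int) -> bytes:
    tbs = tlv(0xA0, der_int(2)) + der_int(serial) + tlv(0x30, b"")
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30, b"") + tlv(0x03, b"\x00"))

def fake_ocsp_der(serial: int, status_tag: int = 0x80) -> bytes:
    cert_id = tlv(0x30, tlv(0x30, b"") + tlv(0x04, b"\x11" * 20) + tlv(0x04, b"\x22" * 20) + der_int(serial))
    single = tlv(0x30, cert_id + tlv(status_tag, b"") + tlv(0x18, b"20170813000000Z"))
    tbs = tlv(0x30, tlv(0xA2, tlv(0x04, b"\x33" * 20)) + tlv(0x18, b"20170813000000Z") + tlv(0x30, single))
    basic = tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))
    return tlv(0x30, tlv(0x0A, b"\x00") + tlv(0xA0, tlv(0x30, tlv(0x06, ID_PKIX_OCSP_BASIC) + tlv(0x04, basic))))

if __name__ == "__main__":
    test1, test2 = fake_cert_der(0x1001), fake_cert_der(0x2002)
    ocsp1 = fake_ocsp_der(0x1001)
    # The situation from the report: the first server block's response is stapled for both names.
    for name, (ok, why) in audit_stapling({"test1.ggp2.com": (test1, ocsp1),
                                           "test2.ggp2.com": (test2, ocsp1)}).items():
        print(name, "OK" if ok else "FAIL", why)
```

Running the block as-is reports test1.ggp2.com as OK and test2.ggp2.com as FAIL with the serial mismatch spelled out, which is the same judgement Firefox makes when the first block's response is served for every name. The signature on the response is deliberately not verified here; that step needs the issuer certificate and is what ocspcheck(8) already does when it fetches the response.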



Re: httpd incorrectly handles OCSP stapling

2017-08-13 Thread Andreas Bartelt

On 08/13/17 08:50, Joel Sing wrote:
> On Friday 11 August 2017 03:31:27 lists+b...@ggp2.com wrote:
...
> 
> This should already be fixed in -current.

I've just tested OCSP stapling via httpd with multiple domains on
current (all domains also resolve to the same IP address in this setup).
I'm observing the same problem, i.e., OCSP stapling only works for the
first domain which has been defined in httpd.conf.




Re: httpd incorrectly handles OCSP stapling

2017-08-13 Thread lists+bugs
On Sun, Aug 13, 2017 at 04:50:11PM +1000, Joel Sing wrote:
> This should already be fixed in -current.

Thanks, Joel.  I'll get some test domains up on one of my -current
systems to confirm.  I don't have any exposed at the moment, and combed
through the CVS logs to see if anything obvious had been committed
before posting the bug (although I obviously missed it).



Re: httpd incorrectly handles OCSP stapling

2017-08-12 Thread Joel Sing
On Friday 11 August 2017 03:31:27 lists+b...@ggp2.com wrote:
> >Synopsis:  httpd incorrectly handles OCSP stapling 
> >Category:  system
> 
> >Environment:
> System  : OpenBSD 6.1
> Details : OpenBSD 6.1 (GENERIC.MP) #19: Thu Aug  3 14:59:44 CEST 2017
> rob...@syspatch-61-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> 
> Architecture: OpenBSD.amd64
> Machine : amd64
> 
> >Description:
> I run multiple domains on an httpd instance.  When I tried to enable
> OCSP stapling for several domains, only the first defined domain would work
> properly.  Regardless of whether I had defined an OCSP block or not for
> subsequent domains after the first, I'm suspecting that the OCSP response
> stapled to the first domain is used for all the others.  Firefox refuses to
> connect to any but the first defined domains, and gives an OCSP error.
> 
> (also apologies if this is a repost, I didn't have the alias set up
> yet,  and believe the majordomo "confirm" mail went to /dev/null)
> 
> >How-To-Repeat:
> Get OCSP responses:
> 
> ocspcheck -N -o /etc/ssl/acme/domain1.com.der /etc/ssl/acme/domain1.com.fullchain.pem
> ocspcheck -N -o /etc/ssl/acme/domain2.com.der /etc/ssl/acme/domain2.com.fullchain.pem
> 
> Define multiple server{} blocks in httpd.conf, and give each an ocsp
> definition:
> 
> server "domain1.com" {
>     listen on $ext_addr tls port 443
> 
>     tls {
>         certificate "/etc/ssl/acme/domain1.com.fullchain.pem"
>         key "/etc/ssl/acme/private/domain1.com.key"
>         ocsp "/etc/ssl/acme/domain1.com.der"
>     }
> }
> 
> server "domain2.com" {
>     listen on $ext_addr tls port 443
> 
>     tls {
>         certificate "/etc/ssl/acme/domain2.com.fullchain.pem"
>         key "/etc/ssl/acme/private/domain2.com.key"
>         ocsp "/etc/ssl/acme/domain2.com.der"
>     }
> }
> 
> Try to visit domain2.com.  Whether or not domain2 has the ocsp
> definition is irrelevant; Firefox fails to access the domain with an OCSP
> error.  domain1.com works fine in either case.
> 
> >Fix:
> Fix is unknown, but would involve OCSP stapling being handled properly
> for multiple domains.  It could be SNI related.

This should already be fixed in -current.