Hi,

Not sure if this is an expected part of OCSP or a bug.

I've configured two TLS sites on one host, one with OCSP stapling
(www3.mwlucas.org) and one without (www4.mwlucas.org). The OCSP site
works fine, but the non-OCSP site generates an error.

It *appears* that queries to the non-OCSP site return the OCSP site's
OCSP cert.

Following please find openssl queries on both. Feel free to check the
sites yourself, I'm FAR from a TLS guru.

# openssl s_client -connect www4.mwlucas.org:443 -status -servername www4.mwlucas.org
...
verify return:1
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    Produced At: Jan 26 23:02:00 2017 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
      Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
      Serial Number: 032CBDA721856F117CC7D57A72BBFA77B578
    Cert Status: good
    This Update: Jan 26 23:00:00 2017 GMT
    Next Update: Feb  2 23:00:00 2017 GMT

    Signature Algorithm: sha256WithRSAEncryption
         6a:1e:f1:44:8c:a9:a6:7e:40:25:3a:f7:50:e9:43:42:0f:74:
         9b:dc:ee:56:a3:47:0b:ce:73:88:ee:f0:84:fc:b0:25:5b:3d:
         67:d0:66:20:c7:60:7c:ee:26:91:72:4e:d0:f2:67:5a:e3:c1:
         06:57:31:47:29:1a:55:19:48:e7:e6:32:0b:18:d9:33:9d:55:
         d7:36:38:f1:96:57:bc:5d:89:82:31:bb:4e:12:0c:5c:ab:1a:
         f6:1d:a1:48:be:1c:1d:3b:52:a0:60:2f:1d:f9:3c:48:cd:df:
         a6:5e:b5:79:0c:b9:ed:d5:61:29:53:ee:83:5f:89:af:35:27:
         d6:94:05:f5:fb:d1:a8:4d:26:8d:8b:cf:e9:db:53:ad:e6:47:
         a7:db:91:9e:9d:a1:b2:2c:1e:d9:98:c5:af:5c:12:d1:04:5a:
         82:be:8d:80:1f:38:c2:5d:b1:6f:99:e1:ca:53:71:1c:85:0d:
         3e:f3:14:bc:3b:c9:c0:dd:6b:ec:59:d4:54:dc:fb:9c:da:72:
         91:45:61:55:69:e9:75:51:8f:e2:82:6a:dd:ec:bc:bd:3c:2c:
         92:43:f7:d9:65:1d:60:14:91:e0:b0:2b:46:25:49:35:74:99:
         71:a3:c0:d0:91:66:29:7e:01:1b:35:f1:2e:40:dc:f3:4d:98:
         69:40:6f:46
....

# openssl s_client -connect www3.mwlucas.org:443 -status -servername www3.mwlucas.org
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = www3.mwlucas.org
verify return:1
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    Produced At: Jan 26 23:02:00 2017 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
      Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
      Serial Number: 032CBDA721856F117CC7D57A72BBFA77B578
    Cert Status: good
    This Update: Jan 26 23:00:00 2017 GMT
    Next Update: Feb  2 23:00:00 2017 GMT

    Signature Algorithm: sha256WithRSAEncryption
         6a:1e:f1:44:8c:a9:a6:7e:40:25:3a:f7:50:e9:43:42:0f:74:
         9b:dc:ee:56:a3:47:0b:ce:73:88:ee:f0:84:fc:b0:25:5b:3d:
         67:d0:66:20:c7:60:7c:ee:26:91:72:4e:d0:f2:67:5a:e3:c1:
         06:57:31:47:29:1a:55:19:48:e7:e6:32:0b:18:d9:33:9d:55:
         d7:36:38:f1:96:57:bc:5d:89:82:31:bb:4e:12:0c:5c:ab:1a:
         f6:1d:a1:48:be:1c:1d:3b:52:a0:60:2f:1d:f9:3c:48:cd:df:
         a6:5e:b5:79:0c:b9:ed:d5:61:29:53:ee:83:5f:89:af:35:27:
         d6:94:05:f5:fb:d1:a8:4d:26:8d:8b:cf:e9:db:53:ad:e6:47:
         a7:db:91:9e:9d:a1:b2:2c:1e:d9:98:c5:af:5c:12:d1:04:5a:
         82:be:8d:80:1f:38:c2:5d:b1:6f:99:e1:ca:53:71:1c:85:0d:
         3e:f3:14:bc:3b:c9:c0:dd:6b:ec:59:d4:54:dc:fb:9c:da:72:
         91:45:61:55:69:e9:75:51:8f:e2:82:6a:dd:ec:bc:bd:3c:2c:
         92:43:f7:d9:65:1d:60:14:91:e0:b0:2b:46:25:49:35:74:99:
         71:a3:c0:d0:91:66:29:7e:01:1b:35:f1:2e:40:dc:f3:4d:98:
         69:40:6f:46
======================================
...

==ml


-- 
Michael W. Lucas    Twitter @mwlauthor 
nonfiction: https://www.michaelwlucas.com/
fiction: https://www.michaelwarrenlucas.com/
blog: http://blather.michaelwlucas.com/

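A way to pin down the symptom above without guessing (added here as an example; it is not part of Michael's mail and does not touch his sites): compare the serial number inside the CertID of the stapled response with the serial of the leaf certificate the server actually sent. In the two outputs above both hosts return the same serial, 032CBDA7..., which is exactly what this check would flag on www4. The script below builds a throwaway CA with two leaf certificates, www3.example (serial 0x1001) and www4.example (serial 0x1002), has openssl's own responder produce the response a server would staple for www3, and then shows that the same response fails the check when paired with www4's certificate. The CA name, hostnames, serials and the ca-style index file are all constructed for the example; only the openssl command-line tool is needed and nothing goes over the network.

```shell
#!/bin/sh
# Added example, not part of the original mail: reproduce "the stapled OCSP
# response belongs to a different certificate" offline and detect it.
# Everything here is constructed: a throwaway CA "Example-CA" issues
# www3.example (serial 0x1001) and www4.example (serial 0x1002), and the
# responder is `openssl ocsp -index` reading a hand-written ca-style index,
# producing the DER response a web server would staple. Only the openssl
# command line is used; nothing contacts the real sites.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Throwaway PKI plus one stapled response that covers www3 only.
make_pki() (
    cd "$WORK"
    openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=Example-CA \
        -keyout ca.key -out ca.pem -days 2 2>/dev/null
    for host in www3 www4; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host.example" \
            -keyout "$host.key" -out "$host.csr" 2>/dev/null
    done
    openssl x509 -req -in www3.csr -CA ca.pem -CAkey ca.key \
        -set_serial 0x1001 -days 2 -out www3.pem 2>/dev/null
    openssl x509 -req -in www4.csr -CA ca.pem -CAkey ca.key \
        -set_serial 0x1002 -days 2 -out www4.pem 2>/dev/null

    # ca-format index: status, expiry, revocation date, serial, file, subject.
    printf 'V\t991231235959Z\t\t1001\tunknown\t/CN=www3.example\n' > index.txt

    # What a stapling server does at fetch time: ask the CA's responder
    # about its own certificate (www3) and keep the DER answer.
    openssl ocsp -issuer ca.pem -cert www3.pem -no_nonce -reqout req.der >/dev/null
    openssl ocsp -index index.txt -CA ca.pem -rsigner ca.pem -rkey ca.key \
        -reqin req.der -respout resp.der -noverify >/dev/null
)

# Read OCSP text as printed by `openssl s_client -status` or `openssl ocsp
# -text` on stdin; print the CertID serial normalised to bare uppercase hex.
serial_from_ocsp_text() {
    sed -n 's/^ *Serial Number: *//p' | head -n 1 |
        tr -d ': ' | tr 'a-f' 'A-F' | sed 's/^0*//'
}

# Same for a DER response file (what the server holds on disk or in memory).
staple_serial() {
    openssl ocsp -respin "$1" -text -noverify 2>/dev/null | serial_from_ocsp_text
}

# Serial of the leaf certificate actually presented, same normalisation.
cert_serial() {
    openssl x509 -in "$1" -noout -serial | cut -d= -f2 |
        tr -d ': ' | tr 'a-f' 'A-F' | sed 's/^0*//'
}

# Exit 0 if the staple is about this leaf, 1 if it is somebody else's
# response, which is the symptom described in the mail.
staple_matches() {
    s="$(staple_serial "$1")"
    c="$(cert_serial "$2")"
    [ -n "$s" ] && [ "$s" = "$c" ]
}

make_pki
if staple_matches "$WORK/resp.der" "$WORK/www3.pem"; then
    echo "www3: stapled response matches the served certificate"
fi
if ! staple_matches "$WORK/resp.der" "$WORK/www4.pem"; then
    echo "www4: stapled response is for another certificate"
fi
```

Against a live host the same functions apply to what `openssl s_client -connect host:443 -status -servername host -showcerts </dev/null` prints: pipe that output through serial_from_ocsp_text, save the first certificate block to a file for cert_serial, and compare. The issuer key hash is the other half of the CertID; the serial alone is already enough to expose the mix-up in the mail, where two different hostnames come back with one and the same serial.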