On 2017/01/27 13:10, Michael W. Lucas wrote:
> Hi,
>
> Not sure if this is an expected part of OCSP or a bug.
>
> I've configured two TLS sites on one host, one with OCSP stapling
> (www3.mwlucas.org) and one without (www4.mwlucas.org). The OCSP site
> works fine, but the non-OCSP site generates an err.
>
> It *appears* that queries to the non-OCSP site return the OCSP site's
> OCSP cert.
>
> Following please find openssl queries on both. Feel free to check the
> sites yourself, I'm FAR from a TLS guru.
That looks like a web server bug; it shouldn't return a staple in that case. What software are you using for that?

> # openssl s_client -connect www4.mwlucas.org:443 -status -servername www4.mwlucas.org
> ...
> verify return:1
> OCSP response:
> ======================================
> OCSP Response Data:
>     OCSP Response Status: successful (0x0)
>     Response Type: Basic OCSP Response
>     Version: 1 (0x0)
>     Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
>     Produced At: Jan 26 23:02:00 2017 GMT
>     Responses:
>     Certificate ID:
>       Hash Algorithm: sha1
>       Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
>       Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
>       Serial Number: 032CBDA721856F117CC7D57A72BBFA77B578
>     Cert Status: good
>     This Update: Jan 26 23:00:00 2017 GMT
>     Next Update: Feb  2 23:00:00 2017 GMT
>
>     Signature Algorithm: sha256WithRSAEncryption
>          6a:1e:f1:44:8c:a9:a6:7e:40:25:3a:f7:50:e9:43:42:0f:74:
>          9b:dc:ee:56:a3:47:0b:ce:73:88:ee:f0:84:fc:b0:25:5b:3d:
>          67:d0:66:20:c7:60:7c:ee:26:91:72:4e:d0:f2:67:5a:e3:c1:
>          06:57:31:47:29:1a:55:19:48:e7:e6:32:0b:18:d9:33:9d:55:
>          d7:36:38:f1:96:57:bc:5d:89:82:31:bb:4e:12:0c:5c:ab:1a:
>          f6:1d:a1:48:be:1c:1d:3b:52:a0:60:2f:1d:f9:3c:48:cd:df:
>          a6:5e:b5:79:0c:b9:ed:d5:61:29:53:ee:83:5f:89:af:35:27:
>          d6:94:05:f5:fb:d1:a8:4d:26:8d:8b:cf:e9:db:53:ad:e6:47:
>          a7:db:91:9e:9d:a1:b2:2c:1e:d9:98:c5:af:5c:12:d1:04:5a:
>          82:be:8d:80:1f:38:c2:5d:b1:6f:99:e1:ca:53:71:1c:85:0d:
>          3e:f3:14:bc:3b:c9:c0:dd:6b:ec:59:d4:54:dc:fb:9c:da:72:
>          91:45:61:55:69:e9:75:51:8f:e2:82:6a:dd:ec:bc:bd:3c:2c:
>          92:43:f7:d9:65:1d:60:14:91:e0:b0:2b:46:25:49:35:74:99:
>          71:a3:c0:d0:91:66:29:7e:01:1b:35:f1:2e:40:dc:f3:4d:98:
>          69:40:6f:46
> ....
>
> # openssl s_client -connect www3.mwlucas.org:443 -status -servername www3.mwlucas.org
> CONNECTED(00000003)
> depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
> verify return:1
> depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
> verify return:1
> depth=0 CN = www3.mwlucas.org
> verify return:1
> OCSP response:
> ======================================
> OCSP Response Data:
>     OCSP Response Status: successful (0x0)
>     Response Type: Basic OCSP Response
>     Version: 1 (0x0)
>     Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
>     Produced At: Jan 26 23:02:00 2017 GMT
>     Responses:
>     Certificate ID:
>       Hash Algorithm: sha1
>       Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
>       Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
>       Serial Number: 032CBDA721856F117CC7D57A72BBFA77B578
>     Cert Status: good
>     This Update: Jan 26 23:00:00 2017 GMT
>     Next Update: Feb  2 23:00:00 2017 GMT
>
>     Signature Algorithm: sha256WithRSAEncryption
>          6a:1e:f1:44:8c:a9:a6:7e:40:25:3a:f7:50:e9:43:42:0f:74:
>          9b:dc:ee:56:a3:47:0b:ce:73:88:ee:f0:84:fc:b0:25:5b:3d:
>          67:d0:66:20:c7:60:7c:ee:26:91:72:4e:d0:f2:67:5a:e3:c1:
>          06:57:31:47:29:1a:55:19:48:e7:e6:32:0b:18:d9:33:9d:55:
>          d7:36:38:f1:96:57:bc:5d:89:82:31:bb:4e:12:0c:5c:ab:1a:
>          f6:1d:a1:48:be:1c:1d:3b:52:a0:60:2f:1d:f9:3c:48:cd:df:
>          a6:5e:b5:79:0c:b9:ed:d5:61:29:53:ee:83:5f:89:af:35:27:
>          d6:94:05:f5:fb:d1:a8:4d:26:8d:8b:cf:e9:db:53:ad:e6:47:
>          a7:db:91:9e:9d:a1:b2:2c:1e:d9:98:c5:af:5c:12:d1:04:5a:
>          82:be:8d:80:1f:38:c2:5d:b1:6f:99:e1:ca:53:71:1c:85:0d:
>          3e:f3:14:bc:3b:c9:c0:dd:6b:ec:59:d4:54:dc:fb:9c:da:72:
>          91:45:61:55:69:e9:75:51:8f:e2:82:6a:dd:ec:bc:bd:3c:2c:
>          92:43:f7:d9:65:1d:60:14:91:e0:b0:2b:46:25:49:35:74:99:
>          71:a3:c0:d0:91:66:29:7e:01:1b:35:f1:2e:40:dc:f3:4d:98:
>          69:40:6f:46
> ======================================
> ...
>
> ==ml
>
>
> --
> Michael W. Lucas
> Twitter @mwlauthor
> nonfiction: https://www.michaelwlucas.com/
> fiction: https://www.michaelwarrenlucas.com/
> blog: http://blather.michaelwlucas.com/
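A monitoring check for the symptom in this thread, added here as an example (it is not code from the thread or from any web server): it parses the OCSP block that `openssl s_client -status` prints and reports when the staple covers a different serial than the leaf certificate actually served for that SNI name, when its status is not `good`, or when it is outside its update window. The sample text and the www4 serial are constructed placeholders; in practice the leaf serial comes from `openssl x509 -noout -serial` on the certificate the server presented.

```python
import re
from datetime import datetime, timezone

# Constructed sample (not captured from the thread's hosts): the OCSP block as
# `openssl s_client -status` prints it, reusing the serial shown in the thread.
SAMPLE_STAPLE = """\
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Responses:
    Certificate ID:
      Serial Number: 032CBDA721856F117CC7D57A72BBFA77B578
    Cert Status: good
    This Update: Jan 26 23:00:00 2017 GMT
    Next Update: Feb  2 23:00:00 2017 GMT
"""
WWW3_LEAF_SERIAL = "032CBDA721856F117CC7D57A72BBFA77B578"  # serial from the thread
WWW4_LEAF_SERIAL = "0123456789ABCDEF0123456789ABCDEF0123"  # placeholder, not the real www4 serial
MAIL_TIME = datetime(2017, 1, 27, 13, 10, tzinfo=timezone.utc)  # when the thread was written
FIELD = re.compile(r"^\s*(Serial Number|Cert Status|This Update|Next Update):\s*(.+?)\s*$", re.M)
TIME_FMT = "%b %d %H:%M:%S %Y GMT"

def parse_staple(text):
    """Return the fields of a stapled response, or None when the server sent no staple."""
    if "OCSP Response Data:" not in text:
        return None
    fields = dict(FIELD.findall(text))
    for key in ("This Update", "Next Update"):
        fields[key] = datetime.strptime(fields[key], TIME_FMT).replace(tzinfo=timezone.utc)
    return fields

def check_staple(text, leaf_serial_hex, now):
    """List why a client would reject this staple for the served leaf; [] means it fits."""
    staple = parse_staple(text)
    if staple is None:
        return []  # no staple is legal: the client falls back to its own revocation check
    problems = []
    # Compare as integers so leading zeros and colon separators do not matter.
    if int(staple["Serial Number"], 16) != int(leaf_serial_hex.replace(":", ""), 16):
        problems.append("staple covers serial %s, served leaf is %s"
                        % (staple["Serial Number"], leaf_serial_hex))
    if staple["Cert Status"] != "good":
        problems.append("staple reports status %r" % staple["Cert Status"])
    if not staple["This Update"] <= now <= staple["Next Update"]:
        problems.append("staple outside its validity window")
    return problems
if __name__ == "__main__":
    for host, serial in (("www3", WWW3_LEAF_SERIAL), ("www4", WWW4_LEAF_SERIAL)):
        print(host, check_staple(SAMPLE_STAPLE, serial, MAIL_TIME) or "staple fits")
```

Run against each SNI name on the host; a staple that names another vhost's serial is exactly what the original poster saw on www4.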