
Comments (4)

mcpherrinm commented on May 25, 2024

The OCSP support in certigo isn't very robust.

I don't think it's the issue you mentioned, though. That was fixed years ago.

Can you share the certificate which produced the error, or how it was generated?

from certigo.

zeph commented on May 25, 2024

@mcpherrinm I created it with xca (the CSR)
...it got signed and issued by colleagues (probably a M$ product)

I can give you the OCSP exchanges, please don't post the readable format here

$ openssl ocsp -reqin request.ocsp -respin response.ocsp -text
[...]
Response verify OK

*** they belong to a customer of mine, I don't want em to be indexed

$ cat request.ocsp |base64 
MHkwdzBQME4wTDAJBgUrDgMCGgUABBT5Alm2ciDV6VypiG27ch5J81hbkwQUIjrbGQ/vC5blbunb
VwPshgxnwAACEyQAAEg22AgY5ZVz1fMAAAAASDaiIzAhMB8GCSsGAQUFBzABAgQSBBD74b8xz8cX
KL4Q57/l9vsE

$ cat response.ocsp |base64


siebenmann commented on May 25, 2024

I have seen this error when a locally generated TLS certificate lacked OCSP information at all. Debugging the situation with my TLS certificate, lib/ocsp.go's fetchOCSP() finds that issuer.OCSPServer is empty and falls through to return nil, nil, and nil (since lastError is still unset) to its caller, lib/ocsp.go's checkOCSP(). Unfortunately, checkOCSP() doesn't notice that encoded is nil, hands it to ocsp.ParseResponse(), and not unreasonably gets this error back.

Based on the code that calls checkOCSP() in lib/verify.go, it seems that the simplest solution is to make checkOCSP() return skippedRevocationCheck in this case. It might also work to return nil, nil, but that's somewhat different from what the code does now.

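The control flow described in the comment above, modelled as an added Go example (not certigo's code and not part of the thread): a fetch loop over an empty responder list returns a nil body with a nil error, and the caller either parses it anyway or reports the check as skipped. Assumptions: encoding/asn1 stands in for ocsp.ParseResponse so the block needs only the standard library, and errSkipped, getter, parseResponse and the guard flag are hypothetical names.

```go
package main

import (
	"encoding/asn1"
	"errors"
	"fmt"
)

// errSkipped stands in for the skippedRevocationCheck result named in the thread.
var errSkipped = errors.New("revocation check skipped: no OCSP responder")
type getter func(url string) ([]byte, error) // hypothetical offline fetch hook

// fetchOCSP tries each responder and remembers the last error. With an empty
// list the loop never runs, so it returns a nil body AND a nil error.
func fetchOCSP(servers []string, get getter) ([]byte, error) {
	var lastError error
	for _, s := range servers {
		body, err := get(s)
		if err == nil {
			return body, nil
		}
		lastError = err
	}
	return nil, lastError
}

// parseResponse stands in for ocsp.ParseResponse: zero bytes of DER cannot parse.
func parseResponse(der []byte) error {
	var raw asn1.RawValue
	_, err := asn1.Unmarshal(der, &raw)
	return err
}

// checkOCSP with guard=false passes the fetch result straight to the parser;
// with guard=true an empty body is reported as a skipped check instead.
func checkOCSP(servers []string, get getter, guard bool) error {
	encoded, err := fetchOCSP(servers, get)
	if err != nil {
		return err
	}
	if guard && len(encoded) == 0 {
		return errSkipped
	}
	return parseResponse(encoded)
}

func main() {
	fmt.Println("unguarded:", checkOCSP(nil, nil, false), "| guarded:", checkOCSP(nil, nil, true))
}
```

The guarded path keeps "no responder configured" distinguishable from "responder returned garbage", so a caller can decide separately how to treat an unchecked certificate.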

jdtw commented on May 25, 2024

Should be fixed now.

