Comments (4)
The OCSP support in certigo isn't very robust.
I don't think it's the issue you mentioned, though. That was fixed years ago.
Can you share the certificate which produced the error, or how it was generated?
from certigo.
@mcpherrinm I created it with xca (the CSR)
...it got signed and issued by colleagues (probably a M$ product)
I can give you the OCSP exchanges, please don't post the readable format here
$ openssl ocsp -reqin request.ocsp -respin response.ocsp -text
[...]
Response verify OK
*** they belong to a customer of mine, I don't want em to be indexed
$ cat request.ocsp |base64
MHkwdzBQME4wTDAJBgUrDgMCGgUABBT5Alm2ciDV6VypiG27ch5J81hbkwQUIjrbGQ/vC5blbunb
VwPshgxnwAACEyQAAEg22AgY5ZVz1fMAAAAASDaiIzAhMB8GCSsGAQUFBzABAgQSBBD74b8xz8cX
KL4Q57/l9vsE
$ cat response.ocsp |base64
from certigo.
I have seen this error when a locally generated TLS certificate lacked OCSP information at all. Debugging the situation with my TLS certificate, lib/ocsp.go's fetchOCSP() finds that issuer.OCSPServer is empty and falls through to return nil, nil, and nil (since lastError is still unset) to its caller, lib/ocsp.go's checkOCSP(). Unfortunately, checkOCSP() doesn't notice that encoded is nil, hands it to ocsp.ParseResponse(), and not unreasonably gets this error back.
Based on the code that calls checkOCSP() in lib/verify.go, it seems that the simplest solution is to make checkOCSP() return skippedRevocationCheck in this case. It might also work to return nil, nil, but that's somewhat different from what the code does now.
from certigo.
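The fall-through described in the comment above, as an added Go example that is not certigo's code. It models fetchOCSP with two return values instead of three and uses encoding/asn1 as a stand-in for ocsp.ParseResponse; the names errSkipped, fetcher and fakeFetch are assumptions made for illustration.

```go
package main

import (
	"crypto/x509"
	"encoding/asn1"
	"errors"
	"fmt"
)

// errSkipped stands in for certigo's skippedRevocationCheck (name taken from the thread).
var errSkipped = errors.New("revocation check skipped: certificate names no OCSP responder")

type fetcher func(url string) ([]byte, error)

// fetchOCSP: with no responder URLs the loop never runs and the result is (nil, nil).
func fetchOCSP(cert *x509.Certificate, get fetcher) ([]byte, error) {
	var lastErr error
	for _, url := range cert.OCSPServer {
		body, err := get(url)
		if err == nil {
			return body, nil
		}
		lastErr = err
	}
	return nil, lastErr
}

// checkOCSP without guard parses whatever came back; with guard it reports "skipped".
func checkOCSP(cert *x509.Certificate, get fetcher, guard bool) error {
	encoded, err := fetchOCSP(cert, get)
	if err != nil {
		return err
	}
	if guard && encoded == nil {
		return errSkipped
	}
	var raw asn1.RawValue // stand-in for ocsp.ParseResponse: accepts any one DER element
	_, err = asn1.Unmarshal(encoded, &raw)
	return err
}

// fakeFetch is a constructed responder that returns an empty DER SEQUENCE.
func fakeFetch(string) ([]byte, error) { return []byte{0x30, 0x00}, nil }

func main() {
	cert := &x509.Certificate{} // constructed: no OCSPServer entries
	fmt.Println("unguarded:", checkOCSP(cert, fakeFetch, false))
	fmt.Println("guarded:  ", checkOCSP(cert, fakeFetch, true))
}
```

Without the guard, a certificate that simply has no responder is reported as a parse failure, which a caller cannot tell apart from a malformed response.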
Should be fixed now.
from certigo.