
Do not OCSP staple invalid OCSP responses #90200

Merged: 2 commits from ocsp-no-staple-junk into dotnet:main, Aug 14, 2023

Conversation

vcsjones
Member

@vcsjones vcsjones commented Aug 8, 2023

Linux will currently staple an invalid OCSP response for as long as the OCSP responder will return an invalid response, such as a maintenance page.

This changes the OCSP fetcher to discard the result if it could not be decoded.

Fixes #89907
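As an added illustration of the check this PR describes (not the PR's own code, which lives in the runtime's native OpenSSL shim), the following Python parses only the outer OCSPResponse structure from RFC 6960 and treats anything that does not decode, such as an HTML maintenance page, as "nothing to staple, nothing to cache". The byte strings are constructed sample inputs; `refresh_staple` and the `cache` dict are hypothetical stand-ins for the fetcher's cache.

```python
from typing import Optional

# RFC 6960 OCSPResponseStatus values used below
OCSP_SUCCESSFUL = 0
OCSP_TRY_LATER = 3


def _read_tlv(buf: bytes, pos: int):
    """Parse one DER tag/length/value at pos; return (tag, value, next_pos) or None."""
    if pos + 2 > len(buf):
        return None
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            return None
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        return None
    return tag, buf[pos:pos + length], pos + length


def decode_ocsp_response_status(der: bytes) -> Optional[int]:
    """Return responseStatus if der is a well-formed OCSPResponse, else None.

    OCSPResponse ::= SEQUENCE { responseStatus ENUMERATED,
                                responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
    """
    outer = _read_tlv(der, 0)
    if outer is None or outer[0] != 0x30 or outer[2] != len(der):
        return None  # not a SEQUENCE, truncated, or trailing garbage
    body = outer[1]
    status = _read_tlv(body, 0)
    if status is None or status[0] != 0x0A or len(status[1]) != 1:
        return None  # responseStatus must be a one-byte ENUMERATED
    if status[2] != len(body):
        rb = _read_tlv(body, status[2])
        if rb is None or rb[0] != 0xA0 or rb[2] != len(body):
            return None  # only a [0] EXPLICIT responseBytes may follow
    return status[1][0]


def refresh_staple(fetched: bytes, cache: dict) -> Optional[bytes]:
    """Fixed behaviour: undecodable responder output is discarded and never cached (hypothetical helper)."""
    if decode_ocsp_response_status(fetched) is None:
        return None  # staple nothing; cache stays as it was
    cache["staple"] = fetched
    return fetched
```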

@ghost

ghost commented Aug 8, 2023

Tagging subscribers to this area: @dotnet/ncl, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.


Author: vcsjones
Assignees: -
Labels:

area-System.Net.Security

Milestone: -

@vcsjones
Member Author

vcsjones commented Aug 9, 2023

/azp run runtime-libraries-coreclr outerloop-linux

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

@vcsjones
Member Author

vcsjones commented Aug 9, 2023

Outerloop failures look unrelated to me. Create_OcspDoesNotReturnOrCacheInvalidStapleData passed.

@jeffhandley jeffhandley requested a review from wfurt August 10, 2023 17:34
Member

@wfurt wfurt left a comment


LGTM

@vcsjones vcsjones merged commit 3f65957 into dotnet:main Aug 14, 2023
102 of 106 checks passed
@vcsjones vcsjones deleted the ocsp-no-staple-junk branch August 14, 2023 22:00
@vcsjones
Member Author

/backport to release/7.0-staging

@github-actions
Contributor

Started backporting to release/7.0-staging: https://github.com/dotnet/runtime/actions/runs/5861087862

@karelz karelz added this to the 8.0.0 milestone Aug 15, 2023
@ghost ghost locked as resolved and limited conversation to collaborators Sep 14, 2023
Successfully merging this pull request may close these issues.

[OCSP Stapling] Cached bad response of Server-Side OCSP stabling in .NET7 Linux