error querying OCSP responder #1056
Comments
|
Hi Dirk, Thanks for the improvements that you made to the code that I submitted. I thought it was in fairly good shape, but that it could use some improvements, which is why I submitted it for the crl_ocsp branch rather than the 2.9dev branch. I didn't test as many sites as you did, but it seemed to at least pass the initial test of not reporting any incorrect results. It seemed that the code would either report the correct result (revoked or not revoked) or it wouldn't print anything at all. My testing produced mixed results. I tested the code against several sites using parallel mass testing, and then ran individual tests in debug mode for any server that didn't print a result during mass testing. It seemed that in every case, however, that the individual test resulted in a response of "not revoked." To some degree we are going to have to accept less than perfection on these tests. There is a reason that browsers have basically given up on using CRLs or OCSP to check server certificates, and that even when they did try to check CRLs or OCSP, the browsers would be configured to accept a certificate as valid if no revocation information could be obtained. It is my understanding that the sources of revocation information just weren't reliable enough to treat the inability to obtain revocation information as a hard failure. |
|
I would at least to understand the 400s which is probably the HTTP server status. The logic that it's "our problem" seems to me too far away yet. Why would a certificate issue operate a server which is broken and put this URI into the certificates.
In fact I did realize this (with a smile) and I appreciate you seem always to pay a lot of attention what you're doing 👍
I need to pass to you tomorrow the servers I tested. Two servers I remembered off the top of my head: ca.gov, sourceforge.net . As far as the currently technology is concerned, I fully agree. CRL is dead since a long time for browsers -- wasn't handy anyway. OCSP revocation checking seems still enabled in FF 60 though. For other clients, also non-browsers, I can't tell. In any case as long as this is in widespread use, it makes sense to support this feature. |
My previous commit added a host header but didn't properly format the host header (trailing slashes / path). This commit corrects that so that the 305 times HTTP 400 in #1056 should now be gone (TBC), including Google CA responders. One issue which needs to be addressed (same as in CRL revocation checks): Not trusted certificates (zhanqi.tv, taken from my Alexa scans) fail for obvious reasons.
|
Fixed the major error, see commit message. More later. |
|
I merged the crl_ocsp branch. Despite my commit message there are still a few errors (used the wrong grep pattern) checking with the OCSP. Notably some errors were expedia.com and mozilla.com, probably because of chain issues. The latter is not reproducible anymore (has a new certificate). The first is. More later. |
|
For sites such as expedia.com the only solution is to not run the test, or at least not print out any results. When sending an OCSP query, you need to provide the following information for each certificate that you are asking about: In the case of expedia.com, the server only sends its own certificate. Without any other certificates, we cannot provide the The way the code is written, it will only work if the server provided more than one certificate:
In theory, if the server didn't provide any intermediate certificates, but the server's certificate was issued by one of the CAs in etc/Apple.com, etc/Linux.pem, etc/Microsoft.pem, or etc/Mozilla.pem, we could get the certificate needed for the |
This PR fixes problems with check_revocation_crl() sometimes reporting that a certificate is revoked even when it isn't, and with check_revocation_ocsp() sometimes reporting "error querying OCSP responder" even if the OCSP responder provided a good response. The most common reason for this to happen is that OpenSSL cannot validate the server's certificate (even without status checking). PR testssl#1051 attempted to get status checking to work even in cases in which the server's certificate could not be validated. This PR instead addresses the problem by not checking status if determine_trust() was unable to validate the server's certificate. In some cases the server's certificate can be validated using some, but not all of the bundles of trusted certificates. For example, I have encountered some sites that can be validated using the Microsoft and Apple bundles, but not the Linux or Mozilla bundles. This PR introduces GOOD_CA_BUNDLE to store a bundle that could be used to successfully validate the server's certificate. If there is no such bundle, then neither check_revocation_crl() nor check_revocation_ocsp() is run. When check_revocation_crl() and check_revocation_ocsp() are called, the status checks within them closely match the validation check in determine_trust(), which helps to ensure that if the check fails it is because of the status information. As noted in testssl#1057, at least one CA provides incorrect information when the CRL is downloaded, so validation could fail for a reason other than the certificate being revoked. So, this PR adds a check of the reason that validation failed and only reports "revoked" if the validation failed for that reason. As noted in testssl#1056, it is not possible to perform an OCSP query without access to the certificate issuer's public key. So, with this PR check_revocation_ocsp() is only called if the server's provided at least one intermediate certificate (i.e., the issuer's certificate, which contains the issuer's public key).
|
Expedia is another exception for the rest see #1057 (comment). Thus closing it. |
|
Mmmmm, is it me or is it LetsEncrypt? Running the "latest" testing OpenSSL. Note: You have permission to run TLS-based tools against this site. |
|
can't tell, works for me. In general: Thx for the permission but I assume when hostnames are not redacted I have the permission to scan. Also be aware this is a public space in the internet, so others probably will do that too if they are bored and have no pet or child to play with ;-) |
|
It’s OSINT-blockable for those who abuse. |
PR #1055 brought OCSP revocation checks (merged in crl_ocsp branch), see also #254. I added a host header to the query but still the feature doesn't seem to be production ready yet :-(
The first 1169 nodes (Alexa ranking) with TLS replies on port 443 TCP:
error querying OCSP responder(305 with Code=400, 31 without any code returned).This issue is just informational.
The text was updated successfully, but these errors were encountered: