Project

General

Profile

Bug #3557

OCSP fails when response doesn't contain nonce

Added by Sf W 18 days ago. Updated 18 days ago.

Status:
Feedback
Priority:
Normal
Assignee:
-
Category:
libstrongswan
Target version:
Start date:
Due date:
Estimated time:
Affected version:
5.9.0
Resolution:

Description

In a recent version of strongswan, it introduced a feature that checks nonce in ocsp response, but if the ocsp server don't include nonce in the response, the ocsp verification will fail.
I guess that many public ocsp servers don't support such feature.

I've checked ocsp servers from letsencrypt and digicert, using openssl to manually verify the certificate, and you can see

WARNING: no nonce in response

OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
          Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
          Serial Number: 0348310D5E6C7DC4B59E8A250E263ED65176
    Request Extensions:
        OCSP Nonce: 
            04109C0EF92AE2F9A12D626DB36508297203
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    Produced At: Sep  1 18:01:00 2020 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
      Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
      Serial Number: 0348310D5E6C7DC4B59E8A250E263ED65176
    Cert Status: good
    This Update: Sep  1 18:00:00 2020 GMT
    Next Update: Sep  8 18:00:00 2020 GMT

    Signature Algorithm: sha256WithRSAEncryption
         38:dd:0e:8f:ff:ad:c3:26:4b:d9:c3:0c:87:bf:ed:d4:05:88:
         2c:cb:45:e0:c4:b2:95:fd:f3:6d:76:0c:14:f7:c9:0b:65:1d:
         83:a7:82:ed:90:22:d5:15:35:9d:fe:f4:6c:97:ca:2b:14:7a:
         7a:a1:6f:35:db:cb:00:53:64:16:92:82:a2:44:b4:a6:46:9f:
         1f:0e:ec:2f:9e:d5:9b:1c:30:38:2d:e8:ed:35:8b:50:5d:47:
         41:35:f5:d7:c6:26:25:14:95:23:00:d8:c5:de:fd:f1:9a:42:
         3f:84:29:98:38:88:44:5e:a0:f2:03:33:30:ed:ea:8d:4f:be:
         dd:97:12:2e:9b:e4:72:40:76:84:ac:48:93:ce:d1:e4:bc:1c:
         79:36:50:e2:ea:f6:72:04:2e:36:b2:3f:7c:92:6d:bb:d0:b4:
         15:98:a8:7f:79:b5:b0:db:e0:65:d9:04:5e:b4:87:d3:20:7a:
         a7:56:47:6e:55:ab:81:04:42:29:29:e8:af:db:23:07:aa:0d:
         d6:ae:96:22:d3:a8:32:58:4f:e7:b9:3f:e7:39:26:db:06:b3:
         56:13:19:66:f9:9a:ae:f7:6a:fd:82:93:53:48:4f:6f:9c:4d:
         05:dc:95:64:42:9b:24:d6:73:94:e5:bf:da:a2:db:1f:66:64:
         4f:aa:43:a6
WARNING: no nonce in response
Response verify OK
certificate.pem: good
    This Update: Sep  1 18:00:00 2020 GMT
    Next Update: Sep  8 18:00:00 2020 GMT

root@debian10:/dev/shm# openssl ocsp -issuer chain.pem -cert certificate.pem -text -url http://ocsp.digicert.com
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 105FA67A80089DB5279F35CE830B43889EA3C70D
          Issuer Key Hash: 0F80611C823161D52F28E78D4638B42CE1C6D9E2
          Serial Number: 04FCA72B929357F526BD1965EA38997E
    Request Extensions:
        OCSP Nonce: 
            0410B80A7BC1993692F346B9B44358C6C203
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: 0F80611C823161D52F28E78D4638B42CE1C6D9E2
    Produced At: Sep  2 12:03:01 2020 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 105FA67A80089DB5279F35CE830B43889EA3C70D
      Issuer Key Hash: 0F80611C823161D52F28E78D4638B42CE1C6D9E2
      Serial Number: 04FCA72B929357F526BD1965EA38997E
    Cert Status: good
    This Update: Sep  2 12:03:01 2020 GMT
    Next Update: Sep  9 11:18:01 2020 GMT

    Signature Algorithm: sha256WithRSAEncryption
         c0:a8:25:6a:71:4e:56:96:d7:fc:52:18:8c:62:f9:aa:7e:c0:
         94:f7:d5:b2:f3:26:c9:5b:01:d8:88:55:0a:3b:b3:85:55:95:
         29:f7:15:3a:ff:1d:75:3b:e4:76:dd:22:83:58:68:d5:f6:48:
         e0:48:a0:0d:46:79:9d:c4:cf:67:01:01:83:a1:83:9b:76:f3:
         84:50:75:19:a9:9a:a0:cf:58:51:a7:93:74:20:da:6a:41:26:
         d0:2b:68:d5:23:98:74:a2:42:65:4f:1a:4d:a6:50:af:8c:0a:
         34:51:29:58:10:d5:06:71:a9:ca:7f:44:15:8c:df:d0:4d:0d:
         40:20:6c:91:ea:35:61:74:33:37:31:b1:f2:84:fe:5d:ea:b5:
         76:41:75:cc:aa:a7:31:87:f2:f2:6d:5c:8d:16:50:9e:ea:8f:
         a4:13:68:c6:1d:d2:b7:4a:84:8a:ae:cc:a5:9a:f5:70:5d:3d:
         2f:f7:40:a5:c4:2a:e7:2d:f0:62:9b:38:51:ea:47:78:f0:3f:
         1c:4a:8d:e6:ab:63:f2:89:a1:aa:9d:15:9a:f2:b5:5b:0b:bf:
         7f:0d:3f:f5:b8:e6:22:d2:7d:01:a1:34:c9:ec:66:eb:0c:4b:
         43:d0:fe:2c:67:b8:76:64:fa:1a:db:ba:de:99:a3:1b:8b:45:
         30:cb:42:90
WARNING: no nonce in response
Response verify OK
certificate.pem: good
    This Update: Sep  2 12:03:01 2020 GMT
    Next Update: Sep  9 11:18:01 2020 GMT

And relevant log when trying to initiate ike connection

[CFG]   using certificate "CN=example.net" 
[CFG]   using trusted intermediate ca certificate "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3" 
[CFG] checking certificate status of "CN=example.net" 
[CFG]   requesting ocsp status from 'http://ocsp.int-x3.letsencrypt.org' ...
[CFG] nonce in ocsp response doesn't match
[CFG] ocsp check failed, fallback to crl
[CFG] certificate status is not available
[CFG]   using trusted ca certificate "O=Digital Signature Trust Co., CN=DST Root CA X3" 
[CFG] checking certificate status of "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3" 
[CFG]   requesting ocsp status from 'http://isrg.trustid.ocsp.identrust.com' ...
[CFG] nonce in ocsp response doesn't match
[CFG] ocsp check failed, fallback to crl
[CFG]   fetching crl from 'http://crl.identrust.com/DSTROOTCAX3CRL.crl' ...
[CFG]   using trusted certificate "O=Digital Signature Trust Co., CN=DST Root CA X3" 
[CFG]   crl correctly signed by "O=Digital Signature Trust Co., CN=DST Root CA X3" 
[CFG]   crl is valid: until Oct 01 03:40:12 2020
[CFG] certificate status is good
[CFG] certificate policy 2.23.140.1.2.1 for 'CN=example.net' not allowed by trustchain, ignored
[CFG] certificate policy 1.3.6.1.4.1.44947.1.1.1 for 'CN=example.net' not allowed by trustchain, ignored
[CFG]   reached self-signed root ca with a path length of 1
[IKE] authentication of 'example.net' with RSA_EMSA_PKCS1_SHA2_256 successful

History

#1 Updated by Tobias Brunner 18 days ago

  • Tracker changed from Issue to Bug
  • Subject changed from OCSP Fails when response doesn't conatin nonce to OCSP fails when response doesn't contain nonce
  • Category set to libstrongswan
  • Status changed from New to Feedback
  • Target version set to 5.9.1

There is already a fix in the ocsp-nonce branch.

#2 Updated by Sf W 18 days ago

Thanks, didn't know about that, patched that one line code and now ocsp is working fine. Adding an option to strictly check nonce should be helpful for some users.

Also available in: Atom PDF