Bug #3557

OCSP fails when response doesn't contain nonce

Added by Sf W 3 months ago. Updated about 1 month ago.

Status: Closed
Priority: Normal
Category: libstrongswan
Target version:
Start date:
Due date:
Estimated time:
Affected version: 5.9.0
Resolution: Fixed

Description

A recent version of strongSwan introduced a feature that checks the nonce in the OCSP response, but if the OCSP server doesn't include a nonce in the response, the OCSP verification will fail.
I guess that many public OCSP servers don't support such a feature.

I've checked OCSP servers from Let's Encrypt and DigiCert, using openssl to manually verify the certificate, and you can see:

WARNING: no nonce in response

OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
          Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
          Serial Number: 0348310D5E6C7DC4B59E8A250E263ED65176
    Request Extensions:
        OCSP Nonce: 
            04109C0EF92AE2F9A12D626DB36508297203
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    Produced At: Sep  1 18:01:00 2020 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
      Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
      Serial Number: 0348310D5E6C7DC4B59E8A250E263ED65176
    Cert Status: good
    This Update: Sep  1 18:00:00 2020 GMT
    Next Update: Sep  8 18:00:00 2020 GMT

    Signature Algorithm: sha256WithRSAEncryption
WARNING: no nonce in response
Response verify OK
certificate.pem: good
    This Update: Sep  1 18:00:00 2020 GMT
    Next Update: Sep  8 18:00:00 2020 GMT

root@debian10:/dev/shm# openssl ocsp -issuer chain.pem -cert certificate.pem -text -url http://ocsp.digicert.com
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 105FA67A80089DB5279F35CE830B43889EA3C70D
          Issuer Key Hash: 0F80611C823161D52F28E78D4638B42CE1C6D9E2
          Serial Number: 04FCA72B929357F526BD1965EA38997E
    Request Extensions:
        OCSP Nonce: 
            0410B80A7BC1993692F346B9B44358C6C203
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: 0F80611C823161D52F28E78D4638B42CE1C6D9E2
    Produced At: Sep  2 12:03:01 2020 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 105FA67A80089DB5279F35CE830B43889EA3C70D
      Issuer Key Hash: 0F80611C823161D52F28E78D4638B42CE1C6D9E2
      Serial Number: 04FCA72B929357F526BD1965EA38997E
    Cert Status: good
    This Update: Sep  2 12:03:01 2020 GMT
    Next Update: Sep  9 11:18:01 2020 GMT

    Signature Algorithm: sha256WithRSAEncryption
WARNING: no nonce in response
Response verify OK
certificate.pem: good
    This Update: Sep  2 12:03:01 2020 GMT
    Next Update: Sep  9 11:18:01 2020 GMT

And the relevant log when trying to initiate an IKE connection:

[CFG]   using certificate "CN=example.net" 
[CFG]   using trusted intermediate ca certificate "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3" 
[CFG] checking certificate status of "CN=example.net" 
[CFG]   requesting ocsp status from 'http://ocsp.int-x3.letsencrypt.org' ...
[CFG] nonce in ocsp response doesn't match
[CFG] ocsp check failed, fallback to crl
[CFG] certificate status is not available
[CFG]   using trusted ca certificate "O=Digital Signature Trust Co., CN=DST Root CA X3" 
[CFG] checking certificate status of "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3" 
[CFG]   requesting ocsp status from 'http://isrg.trustid.ocsp.identrust.com' ...
[CFG] nonce in ocsp response doesn't match
[CFG] ocsp check failed, fallback to crl
[CFG]   fetching crl from 'http://crl.identrust.com/DSTROOTCAX3CRL.crl' ...
[CFG]   using trusted certificate "O=Digital Signature Trust Co., CN=DST Root CA X3" 
[CFG]   crl correctly signed by "O=Digital Signature Trust Co., CN=DST Root CA X3" 
[CFG]   crl is valid: until Oct 01 03:40:12 2020
[CFG] certificate status is good
[CFG] certificate policy 2.23.140.1.2.1 for 'CN=example.net' not allowed by trustchain, ignored
[CFG] certificate policy 1.3.6.1.4.1.44947.1.1.1 for 'CN=example.net' not allowed by trustchain, ignored
[CFG]   reached self-signed root ca with a path length of 1
[IKE] authentication of 'example.net' with RSA_EMSA_PKCS1_SHA2_256 successful

Associated revisions

Revision 7efe9213 (diff)
Added by Martin Willi about 1 month ago

revocation: Validate OCSP nonce only if response actually contains a nonce

Commit 27756b081c1b8 (revocation: Check that nonce in OCSP response matches)
introduced strict nonce validation to prevent replay attacks with OCSP
responses having a longer lifetime. However, many commercial CAs (such as
Digicert) do not support nonces in responses, as they reuse once-issued OCSP
responses for the OCSP lifetime. This can be problematic for replay attack
scenarios, but is nothing we can fix at our end.

With the mentioned commit, such OCSP responses get completely unusable,
requiring the fallback to CRL based revocation. CRLs don't provide any
replay protection either, so there is nothing gained security-wise, but may
require a download of several megabytes of CRL data.

To make use of replay protection where available, but fix OCSP verification
where it is not, do nonce verification only if the response actually contains
a nonce. To be safe against replay attacks, one has to fix the OCSP responder
or use a different CA, but this is not something we can enforce.

Fixes #3557.
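
The decision described in the commit message above, as an added example in C; it is not strongSwan's code and is not taken from revision 7efe9213. The names `compare_nonce`, `nonce_acceptable` and the `strict` flag are hypothetical, and the nonce is assumed to be a short-form DER OCTET STRING, as in the `0410...` request value shown in the description.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names for this example; not strongSwan's API. */
typedef enum { NONCE_MATCH, NONCE_ABSENT, NONCE_MISMATCH } nonce_result_t;

/* Unwrap a short-form DER OCTET STRING, e.g. "0410" followed by 16 bytes. */
static const uint8_t *unwrap(const uint8_t *der, size_t len, size_t *n)
{
    if (len < 2 || der[0] != 0x04 || der[1] >= 0x80 || (size_t)der[1] != len - 2)
        return NULL;
    *n = der[1];
    return der + 2;
}

/* Compare the nonce we sent with the one in the response (NULL if absent). */
nonce_result_t compare_nonce(const uint8_t *req, size_t req_len,
                             const uint8_t *resp, size_t resp_len)
{
    size_t a_len = 0, b_len = 0;
    const uint8_t *a, *b;
    if (resp == NULL)
        return NONCE_ABSENT;
    a = unwrap(req, req_len, &a_len);
    b = unwrap(resp, resp_len, &b_len);
    if (!a || !b || a_len != b_len || memcmp(a, b, a_len) != 0)
        return NONCE_MISMATCH;      /* malformed counts as a mismatch */
    return NONCE_MATCH;
}

/* strict = true: a response without nonce fails (behaviour reported above).
 * strict = false: only a present but different nonce fails (the fix). */
bool nonce_acceptable(nonce_result_t r, bool strict)
{
    return r == NONCE_MATCH || (r == NONCE_ABSENT && !strict);
}

int main(void)
{
    /* Request nonce copied from the first openssl output on this page. */
    const uint8_t req[] = { 0x04, 0x10, 0x9C, 0x0E, 0xF9, 0x2A, 0xE2, 0xF9, 0xA1,
                            0x2D, 0x62, 0x6D, 0xB3, 0x65, 0x08, 0x29, 0x72, 0x03 };
    nonce_result_t r = compare_nonce(req, sizeof(req), NULL, 0);
    printf("no nonce in response: strict=%d lenient=%d\n",
           nonce_acceptable(r, true), nonce_acceptable(r, false));
    return 0;
}
```

A nonce that is present but different is rejected in both modes, so the replay protection still applies to responders that echo the nonce.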

History

#1 Updated by Tobias Brunner 3 months ago

  • Tracker changed from Issue to Bug
  • Subject changed from OCSP Fails when response doesn't conatin nonce to OCSP fails when response doesn't contain nonce
  • Category set to libstrongswan
  • Status changed from New to Feedback
  • Target version set to 5.9.1

There is already a fix in the ocsp-nonce branch.

#2 Updated by Sf W 3 months ago

Thanks, didn't know about that, patched that one line of code and now OCSP is working fine. Adding an option to strictly check the nonce should be helpful for some users.

#3 Updated by Tobias Brunner about 1 month ago

  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to Fixed
