>Synopsis:      ocspcheck fails to load OCSP response from ocsp.sectigo.com
>Category:      system amd64
>Environment:
        System      : OpenBSD 6.6
        Details     : OpenBSD 6.6-current (GENERIC) #574: Fri Jan 10 10:38:49 MST 2020
                         [email protected]:/usr/src/sys/arch/amd64/compile/GENERIC

        Architecture: OpenBSD.amd64
        Machine     : amd64
>Description:

   ocspcheck won't work with ocsp.sectigo.com, with the following error:

# ocspcheck -vvv server.crt
Built an 120 byte ocsp request
Using http to host ocsp.sectigo.com, port 80, path /
DNS returns 151.139.128.14 for ocsp.sectigo.com
Server at ocsp.sectigo.com returns:
          [Body]=[5 bytes]
ocspcheck: Failed to load OCSP response from ocsp.sectigo.com

--
network traffic shows:

T 2020/01/10 21:02:14.665917 100.64.0.54:39712 -> 151.139.128.14:80 [AP]
  POST / HTTP/1.0..Host: ocsp.sectigo.com..Content-Length: 120....


T 2020/01/10 21:02:14.667607 100.64.0.54:39712 -> 151.139.128.14:80 [AP]
  0v0t0M0K0I0...+........C...O.z.l..$..~2MG3.....^.T...w.........a...=....(..
  '...JE!..#0!0...+.....0.......'...p.....Zk...


T 2020/01/10 21:02:14.929704 151.139.128.14:80 -> 100.64.0.54:39712 [AP]
  HTTP/1.1 200 OK..Date: Fri, 10 Jan 2020 21:02:14 GMT..Cache-Control: no-sto
  re, no-cache, max-age=0, must-revalidate, private,  max-stale=0, post-check
  =0, pre-check=0..Content-Type: application/ocsp-response..Server: Apache..X
  -OCSP-Responder-ID: scdpcaocsp8..X-HW: 1578690134.cds045.sp3.h2,1578690134.
  cds029.sp3.sc,1578690134.cds029.sp3.p..Connection: close..Content-Length: 5
  ....


T 2020/01/10 21:02:14.929706 151.139.128.14:80 -> 100.64.0.54:39712 [AP]
  0....


--
ocsptool seems to work with this certificate/ocsp server:

# ocsptool --ask --load-chain server.crt
Connecting to OCSP server: ocsp.sectigo.com...
Resolving 'ocsp.sectigo.com:80'...
Connecting to '151.139.128.14:80'...
OCSP Response Information:
        Response Status: Successful
        Response Type: Basic OCSP Response
[...]

Verifying OCSP Response: Success.
--
network traffic:

T 2020/01/10 20:43:47.327215 100.64.0.54:42384 -> 151.139.128.14:80 [AP]
  POST / HTTP/1.0..Host: ocsp.sectigo.com..Accept: */*..Content-Type: applica
  tion/ocsp-request..Content-Length: 83..Connection: close....


T 2020/01/10 20:43:47.329004 100.64.0.54:42384 -> 151.139.128.14:80 [AP]
  0Q0O0M0K0I0...+........C...O.z.l..$..~2MG3.....^.T...w.........a...=....(..
  '...JE!.


T 2020/01/10 20:43:47.340383 151.139.128.14:80 -> 100.64.0.54:42384 [AP]
  HTTP/1.1 200 OK..Date: Fri, 10 Jan 2020 20:43:47 GMT..Accept-Ranges: bytes.
  .Expires: Fri, 10 Jan 2020 21:06:35 GMT..Content-Type: application/ocsp-res
  ponse..Last-Modified: Thu, 09 Jan 2020 01:20:43 GMT..Server: Apache..ETag:
  038451BF517538F344586B9208AE07F7DE61B07C..Cache-Control: max-age=174847,s-m
  axage=1800,public,no-transform,must-revalidate..X-OCSP-Responder-ID: scdpca
  ocsp10..X-HW: 1578689027.cds046.sp3.h2,1578689027.cds054.sp3.c..Connection:
  close..Content-Length: 471....0..........0.....+.....0......0...0........^
  [...]

>How-To-Repeat:

  save a certificate from sectigo.com as server.crt and run:

  # ocspcheck -v server.crt

>Fix:
        Unknown.  Could be related to the lack of "Connection: close"
and/or "Content-Type" headers in the HTTP request?
