On 2020/01/11 12:48, Kor son of Rynar wrote:
> Hi Stuart,
>
> thank you for your fast reply.
>
> On Fri, Jan 10, 2020 at 7:22 PM Stuart Henderson <[email protected]>
> wrote:
>
> > On 2020/01/10 19:13, Kor son of Rynar wrote:
> > > On Fri, Jan 10, 2020 at 6:48 PM Kor son of Rynar <
> > [email protected]>
> > > wrote:
> > >
> > > > >Fix:
> > > > Unknown. Could be related to the lack of "Connection: close"
> > > > and/or "Content-Type" headers in the HTTP request?
> > > >
> > >
> > > Adding the missing headers seems to solve the problem:
> > >
> > > --- http.c.orig Fri Jun 28 13:32:49 2019
> > > +++ http.c Fri Jan 10 22:04:09 2020
> > > @@ -349,7 +349,10 @@
> > > c = asprintf(&req,
> > > "POST %s HTTP/1.0\r\n"
> >
> > ...this uses HTTP/1.0
> >
> > > "Host: %s\r\n"
> > > + "Accept: */*\r\n"
> > > + "Content-Type: application/ocsp-request\r\n"
> > > "Content-Length: %zu\r\n"
> > > + "Connection: close\r\n"
> >
> > ...but Connection: close is an HTTP/1.1 header, so this isn't entirely
> > legit.
> > Does it work without that (i.e. just add Accept/Content-Type)?
> >
>
> It does work without the Connection: close and even without the Accept: */*
> header. It stops working when you remove the Content-Type: header. The
> diff is simpler, then:
>
> --- http.c.orig Fri Jun 28 13:32:49 2019
> +++ http.c Sat Jan 11 15:29:22 2020
> @@ -349,6 +349,7 @@
> c = asprintf(&req,
> "POST %s HTTP/1.0\r\n"
> "Host: %s\r\n"
> + "Content-Type: application/ocsp-request\r\n"
> "Content-Length: %zu\r\n"
> "\r\n",
> http->path, http->host, psz);
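
Review bot: the added "Content-Type: application/ocsp-request\r\n" line in the asprintf() format string has no comment saying why it is there. The testing reported above shows the request stops working once that header is removed, so a short comment above the asprintf() call noting that the responder needs the media type on POST would keep the line from being dropped later as redundant.
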
Great, this change is definitely safe (in fact this header is required
by the OCSP RFCs - both the current RFC 6960 and the original 2560).

I'll reinclude the diff so it applies with patch (spaces/tabs issue)
and CC a couple of people who may be able to review - any developer OKs
to commit?

Index: http.c
===================================================================
RCS file: /cvs/src/usr.sbin/ocspcheck/http.c,v
retrieving revision 1.12
diff -u -p -r1.12 http.c
--- http.c 28 Jun 2019 13:32:49 -0000 1.12
+++ http.c 11 Jan 2020 16:36:10 -0000
@@ -349,6 +349,7 @@ http_open(const struct http *http, const
c = asprintf(&req,
"POST %s HTTP/1.0\r\n"
"Host: %s\r\n"
+ "Content-Type: application/ocsp-request\r\n"
"Content-Length: %zu\r\n"
"\r\n",
http->path, http->host, psz);
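
Review bot: http_open() now hard-codes "Content-Type: application/ocsp-request" in the POST request string, although the function name and signature read as a general-purpose HTTP helper. If POST in this file is only ever used for OCSP requests, say so in a comment at the asprintf() call; otherwise pass the media type in from the caller so a different POST body is not mislabelled.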