On Wed, Apr 16, 2025 at 1:42 PM Martin Schröder <mar...@oneiros.de> wrote:
>
> On Wed, Apr 16, 2025 at 22:09, Bryce Chidester <br...@cobryce.com> wrote:
> > Here's Linux/curl for example.
> > $ curl --cert-status https://www.openbsd.org
> > curl: (91) OCSP response has expired
>
> Can reproduce on 7.5:
>
> > curl --cert-status --verbose https://www.openbsd.org
> * Host www.openbsd.org:443 was resolved.
> * IPv6: 2620:3d:c000:178::80
> * IPv4: 199.185.178.80
> *   Trying [2620:3d:c000:178::80]:443...
> * Connected to www.openbsd.org (2620:3d:c000:178::80) port 443
> * ALPN: curl offers h2,http/1.1
> * TLSv1.3 (OUT), TLS handshake, Client hello (1):
> *  CAfile: /etc/ssl/cert.pem
> *  CApath: none
> * TLSv1.3 (IN), TLS handshake, Server hello (2):
> * TLSv1.3 (IN), TLS handshake, Unknown (8):
> * TLSv1.3 (IN), TLS handshake, Certificate (11):
> * TLSv1.3 (IN), TLS handshake, CERT verify (15):
> * TLSv1.3 (IN), TLS handshake, Finished (20):
> * TLSv1.3 (OUT), TLS handshake, Finished (20):
> * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / [blank] / UNDEF
> * ALPN: server did not agree on a protocol. Uses default.
> * Server certificate:
> *  subject: CN=www.openbsd.org
> *  start date: Apr  4 15:53:55 2025 GMT
> *  expire date: Jul  3 15:53:54 2025 GMT
> *  subjectAltName: host "www.openbsd.org" matched cert's "www.openbsd.org"
> *  issuer: C=US; O=Let's Encrypt; CN=R11
> *  SSL certificate verify ok.
> *   Certificate level 0: Public key type ? (4096/128 Bits/secBits),
> signed using sha256WithRSAEncryption
> *   Certificate level 1: Public key type ? (2048/112 Bits/secBits),
> signed using sha256WithRSAEncryption
> *   Certificate level 2: Public key type ? (4096/128 Bits/secBits),
> signed using sha256WithRSAEncryption
> * OCSP response has expired
> * closing connection #0
> curl: (91) OCSP response has expired
>

On 7.6, ftp(1) fails while curl(1) succeeds.

$ ftp -vdo /tmp/oof https://www.openbsd.org/
host www.openbsd.org, port https, path , save as /tmp/oof, auth none.
Trying 199.185.178.80...
TLS handshake failure: ocsp verify failed: ocsp response not current

$ curl -o /tmp/oof https://www.openbsd.org/
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  3495  100  3495    0     0   8254      0 --:--:-- --:--:-- --:--:--  8281
