On Wed, Apr 16, 2025 at 4:26 PM patrick keshishian <pkesh...@gmail.com> wrote:
>
> On Wed, Apr 16, 2025 at 1:42 PM Martin Schröder <mar...@oneiros.de> wrote:
> >
> > On Wed, 16 Apr 2025 at 22:09, Bryce Chidester <br...@cobryce.com> wrote:
> > > Here's Linux/curl for example.
> > > $ curl --cert-status https://www.openbsd.org
> > > curl: (91) OCSP response has expired
> >
> > Can reproduce on 7.5:
> >
> > > curl --cert-status --verbose https://www.openbsd.org
> > * Host www.openbsd.org:443 was resolved.
> > * IPv6: 2620:3d:c000:178::80
> > * IPv4: 199.185.178.80
> > *   Trying [2620:3d:c000:178::80]:443...
> > * Connected to www.openbsd.org (2620:3d:c000:178::80) port 443
> > * ALPN: curl offers h2,http/1.1
> > * TLSv1.3 (OUT), TLS handshake, Client hello (1):
> > *  CAfile: /etc/ssl/cert.pem
> > *  CApath: none
> > * TLSv1.3 (IN), TLS handshake, Server hello (2):
> > * TLSv1.3 (IN), TLS handshake, Unknown (8):
> > * TLSv1.3 (IN), TLS handshake, Certificate (11):
> > * TLSv1.3 (IN), TLS handshake, CERT verify (15):
> > * TLSv1.3 (IN), TLS handshake, Finished (20):
> > * TLSv1.3 (OUT), TLS handshake, Finished (20):
> > * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / [blank] / UNDEF
> > * ALPN: server did not agree on a protocol. Uses default.
> > * Server certificate:
> > *  subject: CN=www.openbsd.org
> > *  start date: Apr  4 15:53:55 2025 GMT
> > *  expire date: Jul  3 15:53:54 2025 GMT
> > *  subjectAltName: host "www.openbsd.org" matched cert's "www.openbsd.org"
> > *  issuer: C=US; O=Let's Encrypt; CN=R11
> > *  SSL certificate verify ok.
> > *   Certificate level 0: Public key type ? (4096/128 Bits/secBits), signed using sha256WithRSAEncryption
> > *   Certificate level 1: Public key type ? (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
> > *   Certificate level 2: Public key type ? (4096/128 Bits/secBits), signed using sha256WithRSAEncryption
> > * OCSP response has expired
> > * closing connection #0
> > curl: (91) OCSP response has expired
> >
>
> On 7.6, ftp(1) fails while curl(1) succeeds.
>
> $ ftp -vdo /tmp/oof https://www.openbsd.org/
> host www.openbsd.org, port https, path , save as /tmp/oof, auth none.
> Trying 199.185.178.80...
> TLS handshake failure: ocsp verify failed: ocsp response not current
>
> $ curl -o /tmp/oof https://www.openbsd.org/
>   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
>                                  Dload  Upload   Total   Spent    Left  Speed
> 100  3495  100  3495    0     0   8254      0 --:--:-- --:--:-- --:--:--  8281


Relevant thread from 2017
https://marc.info/?l=openbsd-misc&m=149726333820487

From Stuart Henderson:

> It's a server-side problem, same on www.openbsd.org. Not
> visible in normal graphical browsers because they fallback
> to the CA's OCSP server whereas ftp(1) just relies on the
> stapled cert.
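A server-side check for the condition discussed in this thread, added here as an example and not code from the thread, from OpenBSD, curl or OpenSSL: it runs `openssl s_client -status` against a host, parses the stapled OCSP response's validity window (This Update / Next Update) and reports whether the staple has gone stale, so an operator can catch an expired staple before clients that rely only on it, such as ftp(1), start failing. The text layout it parses is assumed to match OpenSSL's dump of a stapled response; the embedded sample capture and its dates are constructed for offline use.

```python
"""Report whether a TLS server's stapled OCSP response is still current.

Example added for this thread (not OpenBSD, curl or OpenSSL code).
Assumes the text that `openssl s_client -status` prints: either
"OCSP response: no response sent", or an "OCSP Response Data:" block
with "Cert Status:", "This Update:" and "Next Update:" lines.
"""
import re
import subprocess
import sys
from datetime import datetime, timezone

# Time layout OpenSSL uses when printing ASN.1 times, e.g. "Apr  4 15:53:55 2025 GMT".
_OPENSSL_TIME = "%b %d %H:%M:%S %Y GMT"

# Constructed sample of s_client output with a staple whose window closed on Apr 11.
SAMPLE_STALE = """\
CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Responder Id: C = US, O = Let's Encrypt, CN = R11
    Produced At: Apr  4 16:00:00 2025 GMT
    Responses:
    Cert Status: good
    This Update: Apr  4 16:00:00 2025 GMT
    Next Update: Apr 11 15:59:58 2025 GMT
======================================
"""

# Constructed sample for a server that staples nothing at all.
SAMPLE_NONE = "CONNECTED(00000003)\nOCSP response: no response sent\n"


def _parse_openssl_time(text):
    """Turn an OpenSSL-printed GMT timestamp into an aware UTC datetime."""
    return datetime.strptime(text.strip(), _OPENSSL_TIME).replace(tzinfo=timezone.utc)


def _as_utc(now):
    """Accept a datetime or an ISO-8601 string (with offset) as the reference time."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    if now.tzinfo is None:
        now = now.replace(tzinfo=timezone.utc)
    return now.astimezone(timezone.utc)


def evaluate_stapled_ocsp(s_client_output, now=None):
    """Classify the stapled response in s_client text as of `now`.

    Returns (verdict, detail). Verdicts: "none" (nothing stapled), "good",
    "expired", "not-yet-valid", "revoked", "no-next-update", "unknown".
    A revoked status is reported before any window check, since a stale
    revoked answer is still the more urgent finding.
    """
    now = _as_utc(now) if now is not None else datetime.now(timezone.utc)
    if "OCSP response: no response sent" in s_client_output:
        return "none", "server stapled no OCSP response"
    m_status = re.search(r"Cert Status:\s*(\w+)", s_client_output)
    m_this = re.search(r"This Update:\s*(.+)", s_client_output)
    m_next = re.search(r"Next Update:\s*(.+)", s_client_output)
    if not (m_status and m_this):
        return "unknown", "no parsable OCSP Response Data block in output"
    status = m_status.group(1).lower()
    if status == "revoked":
        return "revoked", "stapled response says the certificate is revoked"
    this_update = _parse_openssl_time(m_this.group(1))
    if now < this_update:
        return "not-yet-valid", f"thisUpdate {this_update:%Y-%m-%d %H:%M:%S} is in the future"
    if not m_next:
        return "no-next-update", "response carries no nextUpdate; treat it as short-lived"
    next_update = _parse_openssl_time(m_next.group(1))
    if now > next_update:
        return "expired", f"nextUpdate {next_update:%Y-%m-%d %H:%M:%S} UTC has passed"
    if status != "good":
        return "unknown", f"responder reported status '{status}'"
    return "good", f"staple valid until {next_update:%Y-%m-%d %H:%M:%S} UTC"


def fetch_s_client_status(host, port=443, timeout=15):
    """Run openssl s_client with -status and return its combined text output."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-servername", host, "-status"]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    return proc.stdout.decode("utf-8", "replace") + proc.stderr.decode("utf-8", "replace")


if __name__ == "__main__":
    # Usage: python ocsp_staple_check.py www.example.org  (hostname is an assumption)
    target = sys.argv[1] if len(sys.argv) > 1 else "www.example.org"
    verdict, detail = evaluate_stapled_ocsp(fetch_s_client_status(target))
    print(f"{target}: {verdict} ({detail})")
    sys.exit(0 if verdict == "good" else 1)
```

Run from cron against your own hosts and alert on any verdict other than "good"; note that "none" is not an error for ftp(1) as described in the thread (it only verifies a staple that is actually sent), but it does mean clients have no stapled status at all.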
