1. Letsencrypt/Warning/OCSP
https://twitter.com/debiru_R/status/1488502300008083456?s=20&t=Y7RAxVmnqw48h8bWC1mKQQ
https://alpn20220126.lavoscore.org/?expires020102=OCSP-danger#table
List of .jp sites that should have been revoked over the ALPN incident but are for some reason still reachable (they stay reachable because of OCSP).
Presumably they ought to be revoked whether or not OCSP is involved, yet these sites, which have OCSP enabled, are somehow still alive. The thread quoted below explains the mechanism: the server is stapling an OCSP response that was signed before the revocation, and clients keep accepting that "good" answer until its Next Update.
1.1. Sites that still load
../汎用jp/sea-mew.jp Why does it not come up as revoked? OCSP is acting strange.
../汎用jp/easygrowth.jp ../汎用jp/www.easygrowth.jp
https://admin.dev.rococo.weshow.co.jp/login?redirect=%2Fmonitor
../汎用jp/fslg2.acyclic.jp (revoked)
Thread: "What is the relationship between the revoking list and OCSP?", opened by coeurl: https://community.letsencrypt.org/t/what-is-the-relationship-between-the-revoking-list-and-ocsp/171099
jvanasco (Community leader):

When ISRG/LetsEncrypt revoked certificates, they did 2 things:
1. Mark the certificates as revoked and publish it as revoked into the CRL/OCSP infrastructures
2. Publish a CSV list/tool of those affected certificates

It's up to web browsers and client libraries to check if a certificate is revoked, and decide how to handle it. Depending on the browser you use, those revoked certificates may or may not show up as revoked. In the past, some browsers (like Chrome) have still shown green padlocks on revoked certificates. That has been referred to as a "hard fail / soft fail" problem by some.

OCSP stapling also implements caching on the server and client level; IIRC, either can respect the cached value for up to 7 days from the timestamped signature.

TL;DR: There are well known delays in how the global Certificate Revocation infrastructures handle and process revoked certificates. This is not unique to LetsEncrypt, but how the modern internet operates.
Osiris (Community leader):

You can check the stapled OCSP response using the openssl s_client app using -status. It'll tell you this currently:

    OCSP response:
    OCSP Response Data:
        OCSP Response Status: successful (0x0)
        Response Type: Basic OCSP Response
        Version: 1 (0x0)
        Responder Id: C = US, O = Let's Encrypt, CN = R3
        Produced At: Jan 25 14:00:00 2022 GMT
        Responses:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 48DAC9A0FB2BD32D4FF0DE68D2F567B735F9B3C4
          Issuer Key Hash: 142EB317B75856CBAE500940E61FAF9D8B14C2C6
          Serial Number: 04CB226A7DBD61E67E0AA166EFACDD91FA68
        Cert Status: good
        This Update: Jan 25 14:00:00 2022 GMT
        Next Update: Feb 1 13:59:58 2022 GMT

        Signature Algorithm: sha256WithRSAEncryption
    (...)
    ======================================

Notice how the "This Update" is from before the mass revocation on January 26th. When we query the OCSP endpoint manually, we'll see:

    osiris@erazer tmp $ openssl ocsp -issuer lets-encrypt-r3.pem -cert cert.pem -text -url http://r3.o.lencr.org
    OCSP Request Data:
        Version: 1 (0x0)
        Requestor List:
            Certificate ID:
              Hash Algorithm: sha1
              Issuer Name Hash: 48DAC9A0FB2BD32D4FF0DE68D2F567B735F9B3C4
              Issuer Key Hash: 142EB317B75856CBAE500940E61FAF9D8B14C2C6
              Serial Number: 04CB226A7DBD61E67E0AA166EFACDD91FA68
        Request Extensions:
            OCSP Nonce:
                041049551457D7EE7BBBF02F5FF842412B13
    OCSP Response Data:
        OCSP Response Status: successful (0x0)
        Response Type: Basic OCSP Response
        Version: 1 (0x0)
        Responder Id: C = US, O = Let's Encrypt, CN = R3
        Produced At: Jan 31 12:09:00 2022 GMT
        Responses:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 48DAC9A0FB2BD32D4FF0DE68D2F567B735F9B3C4
          Issuer Key Hash: 142EB317B75856CBAE500940E61FAF9D8B14C2C6
          Serial Number: 04CB226A7DBD61E67E0AA166EFACDD91FA68
        Cert Status: revoked
        Revocation Time: Jan 29 00:09:04 2022 GMT
        This Update: Jan 31 12:00:00 2022 GMT
        Next Update: Feb 7 11:59:58 2022 GMT

        Signature Algorithm: sha256WithRSAEncryption
    (...)
    WARNING: no nonce in response
    Response verify OK
    cert.pem: revoked
        This Update: Jan 31 12:00:00 2022 GMT
        Next Update: Feb 7 11:59:58 2022 GMT
        Revocation Time: Jan 29 00:09:04 2022 GMT
    osiris@erazer tmp $
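The two posts above describe the same failure mode from two sides: jvanasco's point that a cached or stapled response is honoured for up to a week, and Osiris's demonstration that the staple still said "good" days after the responder said "revoked". The following script is an added example written for this page (it is not code from the thread, from Let's Encrypt or from the wiki author); it parses the text that `openssl s_client -status` and `openssl ocsp -text` print, compares a stapled response with a live one, and computes how long a client that trusts the staple keeps seeing "good" after the CA revoked. The two embedded samples are copied from Osiris's output above (same serial, same timestamps); the `fetch_stapled` helper, the `hard_fail` flag and the function names are this example's own choices. Only the standard library is used.

```python
"""Added example (not from the thread or Let's Encrypt): compare a stapled OCSP
response with the responder's live answer and size the window in which a
client trusting the staple still sees "good" after revocation."""
import re
import subprocess
from datetime import datetime, timedelta, timezone

# Sample 1: the response the web server stapled (copied from the thread).
STAPLED = """\
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = R3
    Produced At: Jan 25 14:00:00 2022 GMT
    Certificate ID:
      Serial Number: 04CB226A7DBD61E67E0AA166EFACDD91FA68
    Cert Status: good
    This Update: Jan 25 14:00:00 2022 GMT
    Next Update: Feb  1 13:59:58 2022 GMT
"""

# Sample 2: what the responder returned when queried directly on Jan 31.
LIVE = """\
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = R3
    Produced At: Jan 31 12:09:00 2022 GMT
    Certificate ID:
      Serial Number: 04CB226A7DBD61E67E0AA166EFACDD91FA68
    Cert Status: revoked
    Revocation Time: Jan 29 00:09:04 2022 GMT
    This Update: Jan 31 12:00:00 2022 GMT
    Next Update: Feb  7 11:59:58 2022 GMT
"""

FIELDS = {
    "serial": r"Serial Number:\s*([0-9A-Fa-f]+)",
    "status": r"Cert Status:\s*(\w+)",
    "produced_at": r"Produced At:\s*(.+ GMT)",
    "this_update": r"This Update:\s*(.+ GMT)",
    "next_update": r"Next Update:\s*(.+ GMT)",
    "revocation_time": r"Revocation Time:\s*(.+ GMT)",
}
TIME_FIELDS = ("produced_at", "this_update", "next_update", "revocation_time")


def parse_openssl_time(text):
    """'Jan 25 14:00:00 2022 GMT' (openssl pads the day) -> aware UTC datetime."""
    normalised = " ".join(text.split())
    return datetime.strptime(normalised, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def parse_ocsp_text(text):
    """Pull the fields that matter out of openssl's textual OCSP dump."""
    out = {}
    for key, pattern in FIELDS.items():
        m = re.search(pattern, text)
        if m:
            value = m.group(1).strip()
            out[key] = parse_openssl_time(value) if key in TIME_FIELDS else value
    if "status" not in out or "this_update" not in out:
        raise ValueError("no single response found in OCSP text")
    out["serial"] = out.get("serial", "").upper()
    return out


def client_decision(stapled, now, hard_fail=False):
    """Status reached at `now` by a client that consults nothing but the staple.

    Inside [thisUpdate, nextUpdate] the staple is taken at face value, whatever
    the CA did after signing it. Past nextUpdate a hard-fail client reports
    "unknown"; a soft-fail client (the browser default) carries on as if good.
    """
    if stapled["this_update"] <= now <= stapled["next_update"]:
        return stapled["status"]
    return "unknown" if hard_fail else "good"


def compare(stapled, live):
    """Describe how far the staple lags behind the responder's current answer."""
    if stapled["serial"] != live["serial"]:
        raise ValueError("responses are for different certificates")
    report = {"stale": live["this_update"] > stapled["this_update"],
              "stapled_status": stapled["status"], "live_status": live["status"],
              "exposure": timedelta(0)}
    if live["status"] == "revoked" and stapled["status"] == "good":
        # The staple keeps saying "good" until its nextUpdate, so the exposure
        # window runs from the real revocation time up to that moment.
        revoked_at = live.get("revocation_time", live["this_update"])
        report["good_until"] = stapled["next_update"]
        report["exposure"] = max(stapled["next_update"] - revoked_at, timedelta(0))
    return report


def fetch_stapled(host, port=443):
    """Live variant (needs network and openssl): ask a real server for its staple."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host, "-status"]
    proc = subprocess.run(cmd, input=b"", capture_output=True, check=False)
    return parse_ocsp_text(proc.stdout.decode(errors="replace"))


if __name__ == "__main__":
    stapled, live = parse_ocsp_text(STAPLED), parse_ocsp_text(LIVE)
    r = compare(stapled, live)
    print(f"staple stale: {r['stale']}; staple says {r['stapled_status']}, responder says {r['live_status']}")
    if r["exposure"]:
        print(f"clients trusting the staple see 'good' until {r['good_until']} ({r['exposure']} after revocation)")
    print("soft-fail client on Jan 30:", client_decision(stapled, parse_openssl_time("Jan 30 00:00:00 2022 GMT")))
```

Run with the embedded samples and the report shows the staple is stale and that a client honouring it keeps seeing "good" until Feb 1 13:59:58 GMT, three and a half days after the 29 January revocation; to check a real host, call `fetch_stapled(host)` for the staple and run the thread's `openssl ocsp ... -url` command for the live side. The `hard_fail` flag only models what happens once the staple expires; it does not change the fact that a staple inside its validity window is accepted as-is, which is the whole problem.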