MoinQ:

1. Letsencrypt/警告/OCSP

OCSP

https://twitter.com/debiru_R/status/1488502300008083456?s=20&t=Y7RAxVmnqw48h8bWC1mKQQ

https://alpn20220126.lavoscore.org/?expires020102=OCSP-danger#table

alpnの件でrevokeされたはずなのに、なぜかアクセスできるjpサイト一覧(OCSPのおかげでアクセスできる)

本来はOCSPの有無関係無しにrevokeされるべきだと思われるのに、なぜかOCSPが有効なこいつらは生きてしまっています。

1.1. 表示されるサイト

../汎用jp/sea-mew.jp なぜrevokedにならないのか。 OCSPがおかしい。

../汎用jp/easygrowth.jp ../汎用jp/www.easygrowth.jp

../汎用jp/www.chapter-one.jp

../汎用jp/static.chapter-one.jp

https://admin.dev.rococo.weshow.co.jp/login?redirect=%2Fmonitor

../汎用jp/fslg2.acyclic.jp revoked

../汎用jp/gsat.jp


What is the relationship between the revoking list and OCSP? coeurl https://community.letsencrypt.org/t/what-is-the-relationship-between-the-revoking-list-and-ocsp/171099

jvanasco
Community leader
6h

When ISRG/LetsEncrypt revoked certificates, they did 2 things:

    Mark the certificates as revoked and publish it as revoked into the CRL/OCSP infrastructures
    Publish a CSV list/tool of those affected certificates

It's up to web browsers and client libraries to check if a certificate is revoked, and decide how to handle it.

Depending on the browser you use, those revoked certificates may or may not show up as revoked. In the past, some browsers (like Chrome) have still shown green padlocks on revoked certificates. That has been referred to as a "hard fail / soft fail" problem by some.

OCSP stapling also implements caching on the server and client level; IIRC, either can respect the cached value for up to 7 days from the timestamped signature.

TLDR; There are well known delays in how the global Certificate Revocation infrastructures handle and process revoked certificates. This is not unique to LetsEncrypt, but how the modern internet operates.

Osiris
Community leader
6h

You can check the stapled OCSP response using the openssl s_client app using -status. It'll tell you this currently:

    OCSP response:

    OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = R3
    Produced At: Jan 25 14:00:00 2022 GMT
    Responses:
    Certificate ID:
    Hash Algorithm: sha1
    Issuer Name Hash: 48DAC9A0FB2BD32D4FF0DE68D2F567B735F9B3C4
    Issuer Key Hash: 142EB317B75856CBAE500940E61FAF9D8B14C2C6
    Serial Number: 04CB226A7DBD61E67E0AA166EFACDD91FA68
    Cert Status: good
    This Update: Jan 25 14:00:00 2022 GMT
    Next Update: Feb 1 13:59:58 2022 GMT

    Signature Algorithm: sha256WithRSAEncryption
         (...)

    ======================================

Notice how the "This Update" is from before the mass revocation on January 26th.

When we query the OCSP endpoint manually, we'll see:

    osiris@erazer tmp $ openssl ocsp -issuer lets-encrypt-r3.pem -cert cert.pem -text -url http://r3.o.lencr.org
    OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
    Certificate ID:
    Hash Algorithm: sha1
    Issuer Name Hash: 48DAC9A0FB2BD32D4FF0DE68D2F567B735F9B3C4
    Issuer Key Hash: 142EB317B75856CBAE500940E61FAF9D8B14C2C6
    Serial Number: 04CB226A7DBD61E67E0AA166EFACDD91FA68
    Request Extensions:
    OCSP Nonce:
    041049551457D7EE7BBBF02F5FF842412B13
    OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = R3
    Produced At: Jan 31 12:09:00 2022 GMT
    Responses:
    Certificate ID:
    Hash Algorithm: sha1
    Issuer Name Hash: 48DAC9A0FB2BD32D4FF0DE68D2F567B735F9B3C4
    Issuer Key Hash: 142EB317B75856CBAE500940E61FAF9D8B14C2C6
    Serial Number: 04CB226A7DBD61E67E0AA166EFACDD91FA68
    Cert Status: revoked
    Revocation Time: Jan 29 00:09:04 2022 GMT
    This Update: Jan 31 12:00:00 2022 GMT
    Next Update: Feb 7 11:59:58 2022 GMT

    Signature Algorithm: sha256WithRSAEncryption
         (...)

    WARNING: no nonce in response
    Response verify OK
    cert.pem: revoked
    This Update: Jan 31 12:00:00 2022 GMT
    Next Update: Feb 7 11:59:58 2022 GMT
    Revocation Time: Jan 29 00:09:04 2022 GMT
    osiris@erazer tmp $

MoinQ: Letsencrypt/警告/OCSP (last edited 2022-02-03 02:19:50 by ToshinoriMaeno)