Closed Bug 1232201 Opened 9 years ago Closed 9 years ago

Google.com's OCSP Responder URL returns 404

Categories

(CA Program :: CA Certificate Root Program, task)

RESOLVED FIXED

People

(Reporter: s.brunner, Assigned: kathleen.a.wilson)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.80 Safari/537.36

Steps to reproduce:

- Download google.com's HTTPS certificate via openssl
- Extract the OCSP URL
- Download the chain via openssl
- Send an OCSP request via openssl to the extracted URL, using
  openssl ocsp -issuer google_chain.crt -cert google.crt -text -url http://clients1.google.com/ocsp


Actual results:

OpenSSL returns the following for the OCSP URL embedded in google.com's SSL certificate (http://clients1.google.com/ocsp):

140458088056464:error:27076072:OCSP routines:PARSE_HTTP_LINE1:server response error:ocsp_ht.c:255:Code=404,Reason=Not Found


Expected results:

The OCSP responder should have returned a valid response as defined in the corresponding RFC.
OS: Unspecified → All
Hardware: Unspecified → All
You need to send a Host header which, when using OpenSSL's tool, you should be able to do by adding "-header Host clients1.google.com".
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Just a few notes on compliance since I had to look these up:

RFC 2560 normatively depends on HTTP 1.1 (RFC 2068). HTTP/1.1 defines the Host header as a mandatory header to send (cf. Section 9, paragraph 1 of 2068: "The Host request-header field (section 14.23) MUST accompany all HTTP/1.1 requests.")

RFC 2560 does not normatively state either HTTP/1.0 or HTTP/1.1 MUST be used, and neither do any policies of root programs (AFAICT), so it is conforming for a server to ONLY support HTTP/1.1, as best I can tell.
Product: mozilla.org → NSS
Product: NSS → CA Program
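
The failure discussed in this bug, as an added example that is not part of the original report or of OpenSSL or Google code: a constructed model of an OCSP-over-HTTP POST (the RFC 2560 Appendix A.1.1 shape) sent with and without a Host header to a front end that routes by name. The routing rule, the function names and the placeholder request bytes are assumptions made for illustration; only the host, path and 404 come from the report.

```python
OCSP_HOST = "clients1.google.com"   # host from the bug report
OCSP_PATH = "/ocsp"                 # path from the bug report
SAMPLE_DER = b"\x30\x00"            # constructed placeholder, not a valid OCSPRequest

def build_ocsp_post(der, version="1.1", send_host=True):
    """Serialize an OCSP request as an HTTP POST (RFC 2560 Appendix A.1.1)."""
    lines = [f"POST {OCSP_PATH} HTTP/{version}"]
    if send_host:
        lines.append(f"Host: {OCSP_HOST}")
    lines += ["Content-Type: application/ocsp-request",
              f"Content-Length: {len(der)}", "", ""]
    return "\r\n".join(lines).encode("ascii") + der

def parse_request(raw):
    """Split a raw request into method, path, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("ascii").split("\r\n")
    method, path, _proto = request_line.split(" ")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def front_end_status(raw, sites=frozenset({(OCSP_HOST, OCSP_PATH)})):
    """Assumed name-based front end: the (Host, path) pair selects the site."""
    method, path, headers, body = parse_request(raw)
    if (headers.get("host", "").lower(), path) not in sites:
        return 404  # no Host header, so no site matches: the reported symptom
    if method != "POST" or headers.get("content-type") != "application/ocsp-request":
        return 400
    if int(headers.get("content-length", -1)) != len(body):
        return 400
    return 200

def demo():
    """Status per client behaviour; the first row models a client omitting Host."""
    return {
        "HTTP/1.0, no Host": front_end_status(build_ocsp_post(SAMPLE_DER, "1.0", False)),
        "HTTP/1.0 + Host": front_end_status(build_ocsp_post(SAMPLE_DER, "1.0", True)),
        "HTTP/1.1 + Host": front_end_status(build_ocsp_post(SAMPLE_DER, "1.1", True)),
    }

if __name__ == "__main__":
    for label, status in demo().items():
        print(f"{label:18} -> {status}")
```
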