Bug 1232201
Opened 9 years ago
Closed 9 years ago
Google.com's OCSP Responder url returns 404
Categories
(CA Program :: CA Certificate Root Program, task)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: s.brunner, Assigned: kathleen.a.wilson)
Details
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.80 Safari/537.36

Steps to reproduce:
- Download google.com's https certificate via openssl
- Extract OCSP url
- Download chain via openssl
- Call an ocsp request via openssl using the extracted url using
  openssl ocsp -issuer google_chain.crt -cert google.crt -text -url http://clients1.google.com/ocsp

Actual results:
OpenSSL returns the following for the OCSP url embedded in google.com's ssl certificate (http://clients1.google.com/ocsp):
140458088056464:error:27076072:OCSP routines:PARSE_HTTP_LINE1:server response error:ocsp_ht.c:255:Code=404,Reason=Not Found

Expected results:
The OCSP responder should have returned a valid response as defined in the corresponding RFC.
Updated•9 years ago
OS: Unspecified → All
Hardware: Unspecified → All
Comment 1•9 years ago
You need to send a Host header which, when using OpenSSL's tool, you should be able to do by adding "-header Host clients1.google.com".
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Comment 2•9 years ago
Just a few notes on compliance since I had to look these up: RFC 2560 normatively depends on HTTP 1.1 (RFC 2068). HTTP/1.1 defines the Host header as a mandatory header to send (c.f. Section 9, paragraph 1 of 2068: "The Host request-header field (section 14.23) MUST accompany all HTTP/1.1 requests.") RFC 2560 does not normatively state either HTTP/1.0 or HTTP/1.1 MUST be used, and neither do any policies of root programs (AFAICT), so it is conforming for a server to ONLY support HTTP/1.1, as best I can tell.
Updated•7 years ago
Product: mozilla.org → NSS
Updated•2 years ago
Product: NSS → CA Program
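
Added example, not part of the bug thread and not OpenSSL's or Google's code: a Python sketch of the point made in comments 1 and 2. It serializes an OCSP POST (content type per RFC 2560 Appendix A.1) with and without a Host header and passes both through a toy name-based front end; the front end's routing, the `VHOSTS` table, the HTTP/1.0 request line used for the Host-less case and the placeholder request bytes are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

def build_ocsp_post(url, der_request, version="1.1", send_host=True):
    """Serialize an OCSP-over-HTTP POST for the responder at `url`."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        raise ValueError("expected an http:// responder URL")
    # Host carries the authority from the URL; the port only when non-default.
    host = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
    lines = [f"POST {parts.path or '/'} HTTP/{version}"]
    if send_host:
        lines.append(f"Host: {host}")
    lines += ["Content-Type: application/ocsp-request",
              f"Content-Length: {len(der_request)}",
              "Connection: close"]
    return "\r\n".join(lines).encode("ascii") + b"\r\n\r\n" + der_request

def parse_head(raw):
    """Return (method, path, version, headers); header names are lower-cased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii").split("\r\n")
    method, path, version = head[0].split(" ", 2)
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, version, headers

def front_end_status(raw, vhosts):
    """Toy name-based front end (assumption): select the site by Host, then by path."""
    method, path, _version, headers = parse_head(raw)
    host = headers.get("host", "").split(":")[0].lower()
    site = vhosts.get(host)  # no Host header means no site can be selected
    if site is None or path not in site:
        return 404
    return 200 if method in site[path] else 405

# Constructed sample data: placeholder bytes stand in for a DER-encoded OCSPRequest.
SAMPLE_DER = b"\x30\x03\x02\x01\x00"
VHOSTS = {"clients1.google.com": {"/ocsp": {"GET", "POST"}}}
URL = "http://clients1.google.com/ocsp"

if __name__ == "__main__":
    bare = build_ocsp_post(URL, SAMPLE_DER, version="1.0", send_host=False)
    full = build_ocsp_post(URL, SAMPLE_DER)
    print("without Host:", front_end_status(bare, VHOSTS))
    print("with Host:   ", front_end_status(full, VHOSTS))
```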