User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.80 Safari/537.36

Steps to reproduce:
- Download google.com's https certificate via openssl
- Extract OCSP url
- Download chain via openssl
- Call an ocsp request via openssl using the extracted url using
  openssl ocsp -issuer google_chain.crt -cert google.crt -text -url http://clients1.google.com/ocsp

Actual results:
OpenSSL returns the following for the OCSP url embedded in google.com's ssl certificate (http://clients1.google.com/ocsp):
140458088056464:error:27076072:OCSP routines:PARSE_HTTP_LINE1:server response error:ocsp_ht.c:255:Code=404,Reason=Not Found

Expected results:
The OCSP responder should have returned a valid response as defined in the corresponding RFC.
You need to send a Host header which, when using OpenSSL's tool, you should be able to do by adding "-header Host clients1.google.com".
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED
Just a few notes on compliance since I had to look these up: RFC 2560 normatively depends on HTTP 1.1 (RFC 2068). HTTP/1.1 defines the Host header as a mandatory header to send (c.f. Section 9, paragraph 1 of 2068: "The Host request-header field (section 14.23) MUST accompany all HTTP/1.1 requests."). RFC 2560 does not normatively state either HTTP/1.0 or HTTP/1.1 MUST be used, and neither do any policies of root programs (AFAICT), so it is conforming for a server to ONLY support HTTP/1.1, as best I can tell.
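
The steps from the report with the Host header from the reply added, as an added example that is not part of the original bug thread. The function names are hypothetical, the issuer is assumed to be the second certificate the server sends, and the -header spelling is chosen per version because OpenSSL 1.0.x takes "Host value" while 1.1.0 and later take "Host=value".

```shell
#!/bin/sh
# Added example (not from the bug thread): OCSP query with an explicit Host header.

# Authority (host[:port]) of an OCSP URL; this is the value the Host header must carry.
ocsp_url_authority() {
  _r="${1#*://}"               # drop the scheme
  printf '%s\n' "${_r%%/*}"    # drop the path
}

# -header arguments for a given `openssl version` string and host.
# Builds other than OpenSSL (e.g. LibreSSL) are not handled; check their man page.
host_header_args() {
  case "$1" in
    "OpenSSL 0."*|"OpenSSL 1.0."*) printf '%s\n' "-header Host $2" ;;
    *)                             printf '%s\n' "-header Host=$2" ;;
  esac
}

# Fetch leaf and chain, read the OCSP URL from the leaf, query the responder.
check_ocsp() (
  server="$1"
  dir="$(mktemp -d)" || exit 1
  trap 'rm -rf "$dir"' EXIT
  # -showcerts prints every certificate sent; split them into cert-0.pem, cert-1.pem, ...
  openssl s_client -connect "$server:443" -servername "$server" -showcerts \
      </dev/null 2>/dev/null |
    awk -v d="$dir" '
      /-----BEGIN CERTIFICATE-----/ { f = sprintf("%s/cert-%d.pem", d, n++) }
      f                             { print > f }
      /-----END CERTIFICATE-----/   { close(f); f = "" }'
  # Assumption: cert-0 is the leaf and cert-1 is its issuer.
  if [ ! -s "$dir/cert-0.pem" ] || [ ! -s "$dir/cert-1.pem" ]; then
    echo "did not receive leaf and issuer from $server" >&2; exit 1
  fi
  url="$(openssl x509 -in "$dir/cert-0.pem" -noout -ocsp_uri)"
  [ -n "$url" ] || { echo "leaf certificate carries no OCSP URL" >&2; exit 1; }
  # Word splitting of the -header arguments is intended here.
  openssl ocsp -issuer "$dir/cert-1.pem" -cert "$dir/cert-0.pem" -text -url "$url" \
    $(host_header_args "$(openssl version)" "$(ocsp_url_authority "$url")")
)

# Run as: sh ocsp_check.sh google.com
if [ "$#" -gt 0 ]; then check_ocsp "$1"; fi
```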