Google.com's OCSP Responder url returns 404

Status: RESOLVED FIXED
Product: NSS
Component: CA Certificate Root Program
Opened: 2 years ago
Last modified: a year ago
Reporter: Stephan Brunner
Assigned: Kathleen Wilson

Description (Reporter, 2 years ago)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.80 Safari/537.36

Steps to reproduce:

- Download google.com's https certificate via openssl
- Extract OCSP url
- Download chain via openssl
- Make an OCSP request via openssl against the extracted url, using
  openssl ocsp -issuer google_chain.crt -cert google.crt -text -url http://clients1.google.com/ocsp

Actual results:

OpenSSL returns the following for the OCSP url embedded in google.com's ssl certificate (http://clients1.google.com/ocsp):

140458088056464:error:27076072:OCSP routines:PARSE_HTTP_LINE1:server response error:ocsp_ht.c:255:Code=404,Reason=Not Found

Expected results:

The OCSP responder should have returned a valid response as defined in the corresponding RFC.

Updated (Reporter, 2 years ago)

OS: Unspecified → All
Hardware: Unspecified → All

Comment 1 (2 years ago)

You need to send a Host header which, when using OpenSSL's tool, you should be able to do by adding "-header Host clients1.google.com".
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED
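The reporter's four steps with the fix from Comment 1 applied, as an added shell example that is not part of the bug report or of OpenSSL. It pulls the leaf and issuer certificates from the server, reads the responder URL out of the leaf's AIA extension, derives the Host header value from that URL, and passes it to openssl ocsp. The server name, the working directory and the cert1.pem/cert2.pem file names are this script's own choices; the -header syntax shown is the name=value form of OpenSSL 1.1.0 and later (1.0.x took "-header name value", as written in Comment 1).

```shell
#!/bin/sh
# Added example: OCSP check of a TLS server with an explicit Host header.
# Not from the bug report or from OpenSSL; server name and file names are
# this script's own choices.
set -eu

# Derive the Host header value from an OCSP responder URL
# (scheme://host[:port]/path). An explicit port is kept, since HTTP/1.1
# expects it in the Host field when it is not the default.
ocsp_host_from_url() {
    hostport=${1#*://}          # drop the scheme
    hostport=${hostport%%/*}    # drop the path
    printf '%s\n' "$hostport"
}

# Save the certificates a TLS server presents as cert1.pem (leaf),
# cert2.pem (its issuer), ... in the current directory.
fetch_chain() {
    openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null |
        awk '/BEGIN CERTIFICATE/ { n++ } n { print > ("cert" n ".pem") }'
}

# Query the responder named in the leaf certificate's AIA extension.
ocsp_check() {
    server=$1
    workdir=$(mktemp -d)
    ( cd "$workdir" && fetch_chain "$server" )
    leaf=$workdir/cert1.pem
    issuer=$workdir/cert2.pem
    # -ocsp_uri prints the responder URL(s) from the AIA extension; use the first.
    url=$(openssl x509 -in "$leaf" -noout -ocsp_uri | head -n 1)
    host=$(ocsp_host_from_url "$url")
    echo "OCSP responder: $url (Host: $host)"
    # Without the Host header a virtual-hosted responder may answer 404,
    # which is what the reporter saw. OpenSSL 1.1.0+ takes -header name=value;
    # 1.0.x took "-header name value".
    openssl ocsp -issuer "$issuer" -cert "$leaf" -text -url "$url" -header "Host=$host"
    rm -rf "$workdir"
}

# Run only when a server name is given, e.g.:  sh ocsp_check.sh google.com
if [ $# -gt 0 ]; then
    ocsp_check "$1"
fi
```

The awk split assumes the server sends the issuer directly after the leaf, which is the usual chain order; if cert2.pem turns out not to be the issuer, openssl ocsp reports a verification error rather than a 404, which tells the two failure modes apart.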

Comment 2 (2 years ago)

Just a few notes on compliance since I had to look these up:

RFC 2560 normatively depends on HTTP 1.1 (RFC 2068). HTTP/1.1 defines the Host header as a mandatory header to send (cf. Section 9, paragraph 1 of 2068: "The Host request-header field (section 14.23) MUST accompany all HTTP/1.1 requests.")

RFC 2560 does not normatively state either HTTP/1.0 or HTTP/1.1 MUST be used, and neither do any policies of root programs (AFAICT), so it is conforming for a server to ONLY support HTTP/1.1, as best I can tell.

Updated (a year ago)

Product: mozilla.org → NSS