Browser is not making an OCSP request when OCSP is requested.

Status: RESOLVED INCOMPLETE
Product: Core
Component: Security: PSM
Reported: 2 years ago
Modified: a year ago
Reporter: Robert Relyea (Unassigned, NeedInfo)
Version: 45 Branch
Firefox Tracking Flags: Not tracked

(Reporter)

Description

2 years ago
When the OCSP flag is on, the browser is not checking the OCSP response for an enterprise certificate when using the new validator.
(Reporter)

Comment 1

2 years ago
Our test case was a client auth test case.

Might need more details to figure this one out. Can you post the certificates in question? Also, if you run with NSPR_LOG_MODULES=certverifier:5, that might give some handy information.
Flags: needinfo?(rrelyea)
(Reporter)

Comment 3

2 years ago
Passing the buck to asha. Asha is working on setting up a server that will show this problem.
Flags: needinfo?(rrelyea) → needinfo?(aakkiang)

Comment 4

a year ago
Steps to Reproduce:
1. Provision a Fedora 24 x86_64 server.

2. For Firefox testing you need a Fedora client system with Firefox installed. You can use the current server system with the basic desktop packages and the Firefox package, and configure Firefox.
#yum groupinstall "Basic Desktop"
# rpm -q firefox
firefox-46.0.1-4.fc24.x86_64

Configure firefox with Advanced -> Certificates -> 'Query OCSP
responder servers to confirm the current validity of certificates' selected.

3. Install dogtag and 389-ds packages
yum install dogtag-pki
yum install 389-ds

4. Create a directory server instance
#/usr/sbin/setup-ds.pl
...
System User [dirsrv]: nobody
System Group [dirsrv]: nobody
...
Directory server network port [389]:
..
Directory Manager DN [cn=Directory Manager]: 
Password: 

Password (confirm):

5. Configure a CA server instance.
# pkispawn

Subsystem (CA/KRA/OCSP/TKS/TPS) [CA]:

Tomcat:
  Instance [pki-tomcat]: 
  HTTP port [8080]: 
  Secure HTTP port [8443]: 
  AJP port [8009]: 
  Management port [8005]:

Administrator:
  Username [caadmin]: 
  Password: 

  Verify password: 

  Import certificate (Yes/No) [N]? 
  Export certificate to [/root/.dogtag/pki-tomcat/ca_admin.cert]: 
Directory Server:
  Hostname [<hostname>]:
  Use a secure LDAPS connection (Yes/No/Quit) [N]? 
  LDAP Port [389]: 
  Bind DN [cn=Directory Manager]: 
  Password: 

  Base DN [o=pki-tomcat-CA]: 

Security Domain:
  Name [<Domain> Security Domain]: <security domain name>

Begin installation (Yes/No/Quit)? Yes

CA server should be installed successfully and you should be able to see the installation summary.

Accessing CA services on the Firefox browser should be successful.


6. Configure a KRA server instance.
# pkispawn

Subsystem (CA/KRA/OCSP/TKS/TPS) [CA]: KRA

Tomcat:
  Instance [pki-tomcat]: pki-kra-inst
  HTTP port [8080]: 18080
  Secure HTTP port [8443]: 18443
  AJP port [8009]: 18009
  Management port [8005]: 18005

Administrator:
  Username [kraadmin]: 
  Password: 

  Verify password: 

  Import certificate (Yes/No) [Y]? No
  Export certificate to [/root/.dogtag/pki-kra-inst/kra_admin.cert]: 
Directory Server:
  Hostname [<hostname>]:
  Use a secure LDAPS connection (Yes/No/Quit) [N]? 
  LDAP Port [389]: 
  Bind DN [cn=Directory Manager]: 
  Password: 

  Base DN [o=pki-kra-inst-KRA]: 

Security Domain:
  Hostname [<hostname>]: 
  Secure HTTP port [8443]: 
  Name: <security domain name>
  Username [caadmin]: 
  Password: 

Begin installation (Yes/No/Quit)? Yes

KRA server installation should be successful, and install summary is displayed.

7. Import KRA agent certificate file to Firefox nss db.
Firefox Preferences -> Advanced -> View Certificates -> Your Certificates -> Import

KRA agent certificate location:  ~/.dogtag/pki-kra-inst/kra_admin_cert.p12

8. 'pkidaemon status' would show all the links.
On the Firefox browser visit the CA's Secure EE URL and trust the CA. Click Advanced > Add Exception -> Confirm Security Exception.
In the Retrieval tab -> Import CA Certificate Chain -> Import the CA certificate chain into your browser -> Submit -> Select all 3 check boxes for trust and click OK.


9. Watch the CA's debug log for the next action.
# tail -f  /var/lib/pki/pki-tomcat/logs/ca/debug

10. Make sure the KRA's agent certificate has an OCSP URL. Firefox Preferences -> Advanced -> View Certificates -> Your Certificates -> Select KRA agent certificate -> View -> Details -> Extensions -> Authority Information Access

On the Firefox browser visit the KRA Agent page with the agent certificate.

Expected Result: An OCSP request should be made to the CA's OCSP server. The CA's debug log (/var/lib/pki/pki-tomcat/logs/ca/debug) should show an OCSP request for certificate verification.

Actual Result: No OCSP request is made to the CA's OCSP server.
Flags: needinfo?(aakkiang)
Component: Security → Security: PSM
Product: Firefox → Core
Hi Asha, sorry for taking so long to respond. I followed the steps in comment 4, and using wireshark it seems Firefox does make an OCSP request for the server's certificate, and the server starts to respond, but then it just hangs:

POST /ca/ocsp HTTP/1.1
Host: localhost.localdomain:8080
User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Length: 68
Content-Type: application/ocsp-request
Connection: keep-alive

0B0@0>0<0:0...+........4.$..a..u[.......9.....KS..k.,J.,.-....h%....
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/ocsp-response
Content-Length: 2435
Date: Thu, 25 Aug 2016 23:27:50 GMT

(and then the server doesn't send anything else)

In the log, I see:

[25/Aug/2016:16:27:49][http-nio-8080-exec-4]: CMSServlet:service() uri = /ca/ocsp
[25/Aug/2016:16:27:49][http-nio-8080-exec-4]: CMSServlet: caOCSP start to service.
[25/Aug/2016:16:27:49][http-nio-8080-exec-4]: IP: 0:0:0:0:0:0:0:1
[25/Aug/2016:16:27:49][http-nio-8080-exec-4]: CMSServlet: no authMgrName
[25/Aug/2016:16:27:49][http-nio-8080-exec-4]: CMSServlet: in auditSubjectID
[25/Aug/2016:16:27:49][http-nio-8080-exec-4]: CMSServlet: auditSubjectID auditContext {locale=en_US,EN;Q=0.5, ipAddress=0:0:0:0:0:0:0:1}
[25/Aug/2016:16:27:49][http-nio-8080-exec-4]: CMSServlet auditSubjectID: subjectID: null
[25/Aug/2016:16:27:49][http-nio-8080-exec-4]: CMSServlet: in auditGroupID
[25/Aug/2016:16:27:49][http-nio-8080-exec-4]: CMSServlet: auditGroupID auditContext {locale=en_US,EN;Q=0.5, ipAddress=0:0:0:0:0:0:0:1}
[25/Aug/2016:16:27:49][http-nio-8080-exec-4]: CMSServlet auditGroupID: groupID: null
[25/Aug/2016:16:27:49][http-nio-8080-exec-4]: checkACLS(): ACLEntry expressions= ipaddress=".*"
[25/Aug/2016:16:27:49][http-nio-8080-exec-4]: evaluating expressions: ipaddress=".*"
[25/Aug/2016:16:27:49][http-nio-8080-exec-4]: evaluated expression: ipaddress=".*" to be true
[25/Aug/2016:16:27:49][http-nio-8080-exec-4]: DirAclAuthz: authorization passed
[25/Aug/2016:16:27:49][http-nio-8080-exec-4]: SignedAuditEventFactory: create() message created for eventType=AUTHZ_SUCCESS

[25/Aug/2016:16:27:49][http-nio-8080-exec-4]: In LdapBoundConnFactory::getConn()
[25/Aug/2016:16:27:49][http-nio-8080-exec-4]: masterConn is connected: true
[25/Aug/2016:16:27:49][http-nio-8080-exec-4]: getConn: conn is connected true
[25/Aug/2016:16:27:49][http-nio-8080-exec-4]: getConn: mNumConns now 2
[25/Aug/2016:16:27:49][http-nio-8080-exec-4]: returnConn: mNumConns now 3
[25/Aug/2016:16:27:49][http-nio-8080-exec-4]: SignedAuditEventFactory: create() message created for eventType=ROLE_ASSUME

[25/Aug/2016:16:27:49][http-nio-8080-exec-4]: Servlet Path=/ocsp
[25/Aug/2016:16:27:49][http-nio-8080-exec-4]: RequestURI=/ca/ocsp
[25/Aug/2016:16:27:49][http-nio-8080-exec-4]: PathInfo=null
[25/Aug/2016:16:27:49][http-nio-8080-exec-4]: Method=POST
[25/Aug/2016:16:27:49][http-nio-8080-exec-4]: In LdapBoundConnFactory::getConn()
[25/Aug/2016:16:27:49][http-nio-8080-exec-4]: masterConn is connected: true
[25/Aug/2016:16:27:49][http-nio-8080-exec-4]: getConn: conn is connected true
[25/Aug/2016:16:27:49][http-nio-8080-exec-4]: getConn: mNumConns now 2
[25/Aug/2016:16:27:50][http-nio-8080-exec-4]: returnConn: mNumConns now 3
[25/Aug/2016:16:27:50][http-nio-8080-exec-4]: process request 9
[25/Aug/2016:16:27:50][http-nio-8080-exec-4]: In LdapBoundConnFactory::getConn()
[25/Aug/2016:16:27:50][http-nio-8080-exec-4]: masterConn is connected: true
[25/Aug/2016:16:27:50][http-nio-8080-exec-4]: getConn: conn is connected true
[25/Aug/2016:16:27:50][http-nio-8080-exec-4]: getConn: mNumConns now 2
[25/Aug/2016:16:27:50][http-nio-8080-exec-4]: returnConn: mNumConns now 3
[25/Aug/2016:16:27:50][http-nio-8080-exec-4]: adding signature
[25/Aug/2016:16:27:50][http-nio-8080-exec-4]: Getting algorithm context for SHA256withRSA RSASignatureWithSHA256Digest
[25/Aug/2016:16:27:50][http-nio-8080-exec-4]: Signing Certificate
[25/Aug/2016:16:27:50][http-nio-8080-exec-4]: OCSPServlet: OCSP Request:
[25/Aug/2016:16:27:50][http-nio-8080-exec-4]: OCSPServlet: MEcwRaADAgEAMD4wPDA6MAkGBSsOAwIaBQAEFDS9JBHnYfeEdVsX9/GX8MfkObAO
BBTRS1MM82uiLErVLJwtsr2jj2glDwIBCQ==

[25/Aug/2016:16:27:50][http-nio-8080-exec-4]: Serial Number: 9
[25/Aug/2016:16:27:50][http-nio-8080-exec-4]: OCSPServlet: OCSP Response Size:
[25/Aug/2016:16:27:50][http-nio-8080-exec-4]: OCSPServlet: 2435
[25/Aug/2016:16:27:50][http-nio-8080-exec-4]: OCSPServlet: OCSP Response Data:
[25/Aug/2016:16:27:50][http-nio-8080-exec-4]: OCSPServlet: MIIJfwoBAKCCCXgwggl0BgkrBgEFBQcwAQEEggllMIIJYTCBvqFYMFYxLjAsBgNV
BAoMJWxvY2FsaG9zdC5sb2NhbGRvbWFpbiBTZWN1cml0eSBEb21haW4xJDAiBgNV
BAMMG0NBIE9DU1AgU2lnbmluZyBDZXJ0aWZpY2F0ZRgPMjAxNjA4MjUyMzI3NTBa
MFEwTzA6MAkGBSsOAwIaBQAEFDS9JBHnYfeEdVsX9/GX8MfkObAOBBTRS1MM82ui
LErVLJwtsr2jj2glDwIBCYAAGA8yMDE2MDgyNTIzMjc1MFowDQYJKoZIhvcNAQEL
BQADggEBAEXu7waAJRMLZWocWG5t97dXtNzLIsgC3DAGcZX3BWXlFr1wn/nqDeNx
2HJlgdyVdF+7AmLam6cWTlSeGNou8c/qB3edPszoQbvK7pHRNRXcYjyWR7gQ5aIw
LpoJRgw0GTPYWQniH7/rBi9f+yRiLgK0Q7o89SNDpfsD45IcvIuR7g9mR1dlYrBD
1beQL8kGwP1SOwjKa9NpS8qzatKaD1pOZfNxiBoyZkKXjcE6DyIG3ReENJ8N9Lf9
sOD1Stb8FbB/6pMFpjJPRk1USyt07X3+b5wf9KH7LrsaiRK5krxU4Jr65Ew2mnb7
5xNK/JhjJE5rt8XKpaXCCNrlkaAyEtSgggeIMIIHhDCCA7MwggKboAMCAQICAQIw
DQYJKoZIhvcNAQELBQAwUTEuMCwGA1UECgwlbG9jYWxob3N0LmxvY2FsZG9tYWlu
IFNlY3VyaXR5IERvbWFpbjEfMB0GA1UEAwwWQ0EgU2lnbmluZyBDZXJ0aWZpY2F0
ZTAeFw0xNjA4MjUyMjQyMzZaFw0xODA4MTUyMjQyMzZaMFYxLjAsBgNVBAoMJWxv
Y2FsaG9zdC5sb2NhbGRvbWFpbiBTZWN1cml0eSBEb21haW4xJDAiBgNVBAMMG0NB
IE9DU1AgU2lnbmluZyBDZXJ0aWZpY2F0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAO+Rz81MmOhQA5NUWKYkvi8FG0zY0wGl7ZLggSqvX6nJxyUn7Mpl
0HLNQs/gpa25iUWL4hczTWsnA5uYfpTge6CY/XTPZ04IdKS59ndVQdRlV/ekn1+T
kfjtS1FHmdsn2JDJpwRGej9HmY1m/tC+IJLLwB7stXmdukJcEA6J3DUYeATcF5H9
PCwYgCFoMjfuNMPZgaw3j1aF6l4C8ljRlNHwvugMpmKYPzvQARVAonyLWMALSd4x
3gcwM5nhp3Po7SY9qRPdbqRD2eMhnXKcIf0sQ5GU1EpLUhb52Ri+aHx5D5vfeRx4
wsjOL50EbENmApeo7zlp3nyPxFNWL5SPTEMCAwEAAaOBkDCBjTAfBgNVHSMEGDAW
gBTRS1MM82uiLErVLJwtsr2jj2glDzAOBgNVHQ8BAf8EBAMCAcYwRQYIKwYBBQUH
AQEEOTA3MDUGCCsGAQUFBzABhilodHRwOi8vbG9jYWxob3N0LmxvY2FsZG9tYWlu
OjgwODAvY2Evb2NzcDATBgNVHSUEDDAKBggrBgEFBQcDCTANBgkqhkiG9w0BAQsF
AAOCAQEANxfNWXQ/Efiwlf6EcCFuHGcwWTQJPivurv8cSdd2z+qCvW3JKopnLMPS
AJGRbzbXfs/BHPzw/iO9uI7irGBk1e1XVIvj+8n4NJ2H1SLS9jhQPYZWpw+nC36H
86sBhvNKbdNsiM8DDjXAjvXFWxfjI3W3nm5iahN3n40hWhoePH5NpBHlss9DIlFr
goau1wrIVSJyTM1yokZ66mNiPXh/OKVxD++bZcD8PNPT7cjYHLTZkiqj9KjJlZa9
fx6VtKZWbG7pYTtmtaBWAZSz6f2gem9NDMNziGyVeaGxTtWY6zR1BMai5mCzc5ch
C5IbtSj/SUdCt4mW3bX79mhOnWLmeDCCA8kwggKxoAMCAQICAQEwDQYJKoZIhvcN
AQELBQAwUTEuMCwGA1UECgwlbG9jYWxob3N0LmxvY2FsZG9tYWluIFNlY3VyaXR5
IERvbWFpbjEfMB0GA1UEAwwWQ0EgU2lnbmluZyBDZXJ0aWZpY2F0ZTAeFw0xNjA4
MjUyMjQyMzVaFw0zNjA4MjUyMjQyMzVaMFExLjAsBgNVBAoMJWxvY2FsaG9zdC5s
b2NhbGRvbWFpbiBTZWN1cml0eSBEb21haW4xHzAdBgNVBAMMFkNBIFNpZ25pbmcg
Q2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDNGwSD
sagoNZVEhrh6ljmR7yeAglmyEqMlnuX28vKfdKaWKrocpv43CK0tx8fHJ8CykPzA
zvuPfpdIl90kontEpg4FwHLqItuhKYBH5QMvnzU4dAOh1QV0Eo+EzGgYuzMIxOS3
aH5yreZmOn48DwDFzfLnqM30TumcZ1LXqJ9kq25HqPtiP04DJVq9rJ3U5EW+0Y4n
/dQSO1x5N3d85VQVNX/azqetMZPw5wl9p2FOEn+02RoKcDKp69IRMjOWHyT1sHVo
WWSgLGi/a+VCm8QS/+O1xVdGPf2VOl4cQn15pX0Rm871HUIXCE6kj7NkOX70lbsO
393pemWPcVgiCWHrAgMBAAGjgaswgagwHwYDVR0jBBgwFoAU0UtTDPNroixK1Syc
LbK9o49oJQ8wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAcYwHQYDVR0O
BBYEFNFLUwzza6IsStUsnC2yvaOPaCUPMEUGCCsGAQUFBwEBBDkwNzA1BggrBgEF
BQcwAYYpaHR0cDovL2xvY2FsaG9zdC5sb2NhbGRvbWFpbjo4MDgwL2NhL29jc3Aw
DQYJKoZIhvcNAQELBQADggEBAJevIfDazKGb1ofcaQX6p6I8mJjFAp2+uyMPMKDc
VaVOE1LT451xpTAokWiDxCJXdBbgVSgp+PhOe4H0tcOQb6GHIkrGTzUvRI6pFNz7
kkXGw+MnFX4myAzdTdcUSRFt8JLANZY/hcgxed43ytPz40ZXYo79574hxTvkXkF7
DS7b1uD0ujnXY9A6GIeIIdLZoZvwsUssCPj21Ly588OTk1RN0+thPf1qSoLZbhba
2Ra3OEGrFcNyjl1wUptkjqvdH4/9yRdQb5ALO1wN/0lbtofwJmgZ9pM+bYlht5dZ
uv3nETFbGKgkLhKzSpG+4/pbBW04NfL7j2S6QxMpO/J1Cmg=

[25/Aug/2016:16:27:50][http-nio-8080-exec-4]: Serial Number: 9 Status: com.netscape.cmsutil.ocsp.GoodInfo
[25/Aug/2016:16:27:50][http-nio-8080-exec-4]: OCSPServlet: org.apache.catalina.connector.ClientAbortException: java.io.IOException: Broken pipe
[25/Aug/2016:16:27:50][http-nio-8080-exec-4]: CMSServlet: curDate=Thu Aug 25 16:27:50 PDT 2016 id=caOCSP time=1076
Flags: needinfo?(aakkiang)
Status: NEW → RESOLVED
Last Resolved: a year ago
Resolution: --- → INCOMPLETE
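The comment above settles the question in the bug title by showing the OCSP request on the wire and in the CA's debug log. The script below is an added example, not code from the bug or from Dogtag or Firefox: it decodes the request exactly as the CA logged it (the "OCSPServlet: OCSP Request:" base64 above) with a small stdlib-only DER walker, checks that its issuerKeyHash equals the SubjectKeyIdentifier of the "CA Signing Certificate" embedded in the logged response (that 20-byte value is read out of the response base64 on this page), and then re-encodes the same CertID the way a strict DER client does. One assumption is labelled in the code: the CA derives its SubjectKeyIdentifier as the SHA-1 of the public key (RFC 5280 method 1), which is what makes the two hashes comparable, and the bytes on this page bear it out. The 68-byte Content-Length in the Wireshark capture versus the 73-byte logged copy is also explained by the re-encoding: the five extra bytes are an explicit [0] version v1 field, which DER omits because it is the DEFAULT, so the logged string is presumably the server's own re-serialisation of what it parsed (an inference from the lengths, not something the comment states).

```python
"""Decode and re-encode the OCSP request from the CA debug log above (pure stdlib)."""
import base64

# The request exactly as the CA's debug log printed it (OCSPServlet: OCSP Request:).
OCSP_REQUEST_B64 = (
    "MEcwRaADAgEAMD4wPDA6MAkGBSsOAwIaBQAEFDS9JBHnYfeEdVsX9/GX8MfkObAO"
    "BBTRS1MM82uiLErVLJwtsr2jj2glDwIBCQ=="
)
LOGGED_REQUEST_DER = base64.b64decode(OCSP_REQUEST_B64)

# Content-Length Firefox sent on the wire, from the Wireshark capture in the same comment.
WIRE_CONTENT_LENGTH = 68

# SubjectKeyIdentifier of "CA Signing Certificate", read out of the CA certificate that is
# embedded in the OCSP response on this page (the OCTET STRING following OID 2.5.29.14).
CA_SIGNING_SKI_HEX = "d14b530cf36ba22c4ad52c9c2db2bda38f68250f"

SHA1_OID = "1.3.14.3.2.26"


def der_tlv(buf, pos=0):
    """Read one DER TLV at pos; return (tag, value, next_pos). Handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split a constructed value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out


def decode_oid(raw):
    """Dotted-string form of a DER-encoded OBJECT IDENTIFIER value."""
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def parse_ocsp_request(der):
    """Fields of the single CertID in an RFC 6960 OCSPRequest."""
    _, ocsp_req, _ = der_tlv(der)                         # OCSPRequest ::= SEQUENCE
    fields = der_children(der_children(ocsp_req)[0][1])   # tbsRequest  ::= SEQUENCE
    version = 0                                           # v1 when [0] version is absent
    if fields[0][0] == 0xA0:
        version = int.from_bytes(der_children(fields[0][1])[0][1], "big")
    request_list = next(v for t, v in fields if t == 0x30)
    request = der_children(request_list)[0][1]            # Request ::= SEQUENCE
    cert_id = der_children(request)[0][1]                 # reqCert  CertID
    hash_alg, name_hash, key_hash, serial = der_children(cert_id)
    return {
        "version": version,
        "hash_algorithm": decode_oid(der_children(hash_alg[1])[0][1]),
        "issuer_name_hash": name_hash[1].hex(),
        "issuer_key_hash": key_hash[1].hex(),
        "serial_number": int.from_bytes(serial[1], "big", signed=True),
    }


def request_targets_ca(info, ca_ski_hex=CA_SIGNING_SKI_HEX):
    """issuerKeyHash is SHA-1 over the issuer's subjectPublicKey (RFC 6960). Assumption: the
    CA builds its SubjectKeyIdentifier the same way (RFC 5280 method 1), so equality shows
    which CA's certificate the request asks about."""
    return info["hash_algorithm"] == SHA1_OID and info["issuer_key_hash"] == ca_ski_hex


def der_encode(tag, value):
    """Wrap value in a DER tag/length header (short or long form as needed)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def build_ocsp_request(issuer_name_hash, issuer_key_hash, serial, explicit_version=False):
    """Encode a one-CertID OCSPRequest. DER forbids encoding a DEFAULT value, so a strict
    client omits [0] version; explicit_version=True writes it anyway, like the logged copy."""
    alg = der_encode(0x30, der_encode(0x06, bytes.fromhex("2b0e03021a")) + der_encode(0x05, b""))
    serial_bytes = serial.to_bytes((serial.bit_length() + 8) // 8, "big", signed=True)
    cert_id = der_encode(0x30, alg + der_encode(0x04, issuer_name_hash)
                         + der_encode(0x04, issuer_key_hash) + der_encode(0x02, serial_bytes))
    request_list = der_encode(0x30, der_encode(0x30, cert_id))
    version = der_encode(0xA0, der_encode(0x02, b"\x00")) if explicit_version else b""
    return der_encode(0x30, der_encode(0x30, version + request_list))


if __name__ == "__main__":
    info = parse_ocsp_request(LOGGED_REQUEST_DER)
    for k, v in info.items():
        print(f"{k}: {v}")
    print("asks this CA about serial", info["serial_number"], "->", request_targets_ca(info))
    minimal = build_ocsp_request(bytes.fromhex(info["issuer_name_hash"]),
                                 bytes.fromhex(info["issuer_key_hash"]), info["serial_number"])
    print("minimal DER length:", len(minimal), "; wire Content-Length was", WIRE_CONTENT_LENGTH)
```

Running it prints serial number 9, hash algorithm 1.3.14.3.2.26 (SHA-1) and an issuerKeyHash identical to the CA signing certificate's SKI, which is the same "Serial Number: 9" the OCSPServlet log line reports with status GoodInfo. The minimal re-encoding is 68 bytes, matching the Content-Length Firefox sent, while the logged copy with the explicit version field is 73 bytes.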