Closed Bug 1263240 Opened 9 years ago Closed 9 years ago

Browser is not making an OCSP request when OCSP is requested.

Categories: Core :: Security: PSM (defect)
Version: 45 Branch
Priority: Not set
Severity: normal
Status: RESOLVED INCOMPLETE
People: Reporter: rrelyea; Unassigned; NeedInfo

Details

When the OCSP flag is on, the browser is not checking the OCSP response for an enterprise certificate when using the new validator.
Our test case was a client auth test case.
Might need more details to figure this one out. Can you post the certificates in question? Also, if you run with NSPR_LOG_MODULES=certverifier:5, that might give some handy information.
Flags: needinfo?(rrelyea)
Passing the buck to asha. Asha is working on setting up a server that will show this problem.
Flags: needinfo?(rrelyea) → needinfo?(aakkiang)
Steps to Reproduce:

1. Provision a Fedora 24 x86_64 server.

2. For Firefox testing you need a Fedora client system with Firefox installed. You can use the current server system with basic desktop packages and the Firefox package, and configure Firefox.
   # yum groupinstall "Basic Desktop"
   # rpm -q firefox
   firefox-46.0.1-4.fc24.x86_64
   Configure Firefox with Advanced -> Certificates -> 'Query OCSP responder servers to confirm the current validity of certificates' selected.

3. Install dogtag and 389-ds packages:
   yum install dogtag-pki
   yum install 389-ds

4. Create a directory server instance:
   # /usr/sbin/setup-ds.pl
   ...
   System User [dirsrv]: nobody
   System Group [dirsrv]: nobody
   ...
   Directory server network port [389]:
   ..
   Directory Manager DN [cn=Directory Manager]:
   Password:
   Password (confirm):

5. Configure a CA server instance:
   # pkispawn
   Subsystem (CA/KRA/OCSP/TKS/TPS) [CA]:
   Tomcat:
     Instance [pki-tomcat]:
     HTTP port [8080]:
     Secure HTTP port [8443]:
     AJP port [8009]:
     Management port [8005]:
   Administrator:
     Username [caadmin]:
     Password:
     Verify password:
     Import certificate (Yes/No) [N]?
     Export certificate to [/root/.dogtag/pki-tomcat/ca_admin.cert]:
   Directory Server:
     Hostname [<hostname>]:
     Use a secure LDAPS connection (Yes/No/Quit) [N]?
     LDAP Port [389]:
     Bind DN [cn=Directory Manager]:
     Password:
     Base DN [o=pki-tomcat-CA]:
   Security Domain:
     Name [<Domain> Security Domain]: <security Domain name>
   Begin installation (Yes/No/Quit)? Yes
   The CA server should be installed successfully and you should be able to see the installation summary. Accessing CA services in the Firefox browser should be successful.

6. Configure a KRA server instance:
   # pkispawn
   Subsystem (CA/KRA/OCSP/TKS/TPS) [CA]: KRA
   Tomcat:
     Instance [pki-tomcat]: pki-kra-inst
     HTTP port [8080]: 18080
     Secure HTTP port [8443]: 18443
     AJP port [8009]: 18009
     Management port [8005]: 18005
   Administrator:
     Username [kraadmin]:
     Password:
     Verify password:
     Import certificate (Yes/No) [Y]? No
     Export certificate to [/root/.dogtag/pki-kra-inst/kra_admin.cert]:
   Directory Server:
     Hostname [<hostname>]:
     Use a secure LDAPS connection (Yes/No/Quit) [N]?
     LDAP Port [389]:
     Bind DN [cn=Directory Manager]:
     Password:
     Base DN [o=pki-kra-inst-KRA]:
   Security Domain:
     Hostname [<hostname>]:
     Secure HTTP port [8443]:
     Name: <security Domain name>
     Username [caadmin]:
     Password:
   Begin installation (Yes/No/Quit)? Yes
   KRA server installation should be successful, and the install summary is displayed.

7. Import the KRA agent certificate file into the Firefox NSS db: Firefox Preferences -> Advanced -> View Certificates -> Your Certificates -> Import. KRA agent certificate location: ~/.dogtag/pki-kra-inst/kra_admin_cert.p12

8. 'pkidaemon status' would show all the links. In the Firefox browser visit the CA's Secure EE URL and trust the CA: click Advanced > Add Exception -> Confirm Security Exception. In the Retrieval tab -> Import CA Certificate Chain -> Import the CA certificate chain into your browser -> Submit -> Select all 3 check boxes for trust and click OK.

9. Watch the CA's debug log for the next action:
   # tail -f /var/lib/pki/pki-tomcat/logs/ca/debug

10. Make sure the KRA's agent certificate has an OCSP URL: Firefox Preferences -> Advanced -> View Certificates -> Your Certificates -> Select KRA agent certificate -> View -> Details -> Extensions -> Authority Information Access. In the Firefox browser visit the KRA Agent page with the agent certificate.

Expected Result: An OCSP request should be made to the CA's OCSP server. The CA's debug log (/var/lib/pki/pki-tomcat/logs/ca/debug) should show the OCSP request for certificate verification.

Actual Result: No OCSP request is made to the CA's OCSP server.
Flags: needinfo?(aakkiang)
Component: Security → Security: PSM
Product: Firefox → Core
Hi Asha, sorry for taking so long to respond. I followed the steps in comment 4, and using wireshark it seems Firefox does make an OCSP request for the server's certificate, and the server starts to respond, but then it just hangs:

POST /ca/ocsp HTTP/1.1
Host: localhost.localdomain:8080
User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Length: 68
Content-Type: application/ocsp-request
Connection: keep-alive

0B0@0>0<0:0...+........4.$..a..u[.......9.....KS..k.,J.,.-....h%....

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/ocsp-response
Content-Length: 2435
Date: Thu, 25 Aug 2016 23:27:50 GMT

(and then the server doesn't send anything else)

In the log, I see:

[25/Aug/2016:16:27:49][http-nio-8080-exec-4]: CMSServlet:service() uri = /ca/ocsp
[25/Aug/2016:16:27:49][http-nio-8080-exec-4]: CMSServlet: caOCSP start to service.
[25/Aug/2016:16:27:49][http-nio-8080-exec-4]: IP: 0:0:0:0:0:0:0:1
[25/Aug/2016:16:27:49][http-nio-8080-exec-4]: CMSServlet: no authMgrName
[25/Aug/2016:16:27:49][http-nio-8080-exec-4]: CMSServlet: in auditSubjectID
[25/Aug/2016:16:27:49][http-nio-8080-exec-4]: CMSServlet: auditSubjectID auditContext {locale=en_US,EN;Q=0.5, ipAddress=0:0:0:0:0:0:0:1}
[25/Aug/2016:16:27:49][http-nio-8080-exec-4]: CMSServlet auditSubjectID: subjectID: null
[25/Aug/2016:16:27:49][http-nio-8080-exec-4]: CMSServlet: in auditGroupID
[25/Aug/2016:16:27:49][http-nio-8080-exec-4]: CMSServlet: auditGroupID auditContext {locale=en_US,EN;Q=0.5, ipAddress=0:0:0:0:0:0:0:1}
[25/Aug/2016:16:27:49][http-nio-8080-exec-4]: CMSServlet auditGroupID: groupID: null
[25/Aug/2016:16:27:49][http-nio-8080-exec-4]: checkACLS(): ACLEntry expressions= ipaddress=".*"
[25/Aug/2016:16:27:49][http-nio-8080-exec-4]: evaluating expressions: ipaddress=".*"
[25/Aug/2016:16:27:49][http-nio-8080-exec-4]: evaluated expression: ipaddress=".*" to be true
[25/Aug/2016:16:27:49][http-nio-8080-exec-4]: DirAclAuthz: authorization passed
[25/Aug/2016:16:27:49][http-nio-8080-exec-4]: SignedAuditEventFactory: create() message created for eventType=AUTHZ_SUCCESS
[25/Aug/2016:16:27:49][http-nio-8080-exec-4]: In LdapBoundConnFactory::getConn()
[25/Aug/2016:16:27:49][http-nio-8080-exec-4]: masterConn is connected: true
[25/Aug/2016:16:27:49][http-nio-8080-exec-4]: getConn: conn is connected true
[25/Aug/2016:16:27:49][http-nio-8080-exec-4]: getConn: mNumConns now 2
[25/Aug/2016:16:27:49][http-nio-8080-exec-4]: returnConn: mNumConns now 3
[25/Aug/2016:16:27:49][http-nio-8080-exec-4]: SignedAuditEventFactory: create() message created for eventType=ROLE_ASSUME
[25/Aug/2016:16:27:49][http-nio-8080-exec-4]: Servlet Path=/ocsp
[25/Aug/2016:16:27:49][http-nio-8080-exec-4]: RequestURI=/ca/ocsp
[25/Aug/2016:16:27:49][http-nio-8080-exec-4]: PathInfo=null
[25/Aug/2016:16:27:49][http-nio-8080-exec-4]: Method=POST
[25/Aug/2016:16:27:49][http-nio-8080-exec-4]: In LdapBoundConnFactory::getConn()
[25/Aug/2016:16:27:49][http-nio-8080-exec-4]: masterConn is connected: true
[25/Aug/2016:16:27:49][http-nio-8080-exec-4]: getConn: conn is connected true
[25/Aug/2016:16:27:49][http-nio-8080-exec-4]: getConn: mNumConns now 2
[25/Aug/2016:16:27:50][http-nio-8080-exec-4]: returnConn: mNumConns now 3
[25/Aug/2016:16:27:50][http-nio-8080-exec-4]: process request 9
[25/Aug/2016:16:27:50][http-nio-8080-exec-4]: In LdapBoundConnFactory::getConn()
[25/Aug/2016:16:27:50][http-nio-8080-exec-4]: masterConn is connected: true
[25/Aug/2016:16:27:50][http-nio-8080-exec-4]: getConn: conn is connected true
[25/Aug/2016:16:27:50][http-nio-8080-exec-4]: getConn: mNumConns now 2
[25/Aug/2016:16:27:50][http-nio-8080-exec-4]: returnConn: mNumConns now 3
[25/Aug/2016:16:27:50][http-nio-8080-exec-4]: adding signature
[25/Aug/2016:16:27:50][http-nio-8080-exec-4]: Getting algorithm context for SHA256withRSA RSASignatureWithSHA256Digest
[25/Aug/2016:16:27:50][http-nio-8080-exec-4]: Signing Certificate
[25/Aug/2016:16:27:50][http-nio-8080-exec-4]: OCSPServlet: OCSP Request:
[25/Aug/2016:16:27:50][http-nio-8080-exec-4]: OCSPServlet: MEcwRaADAgEAMD4wPDA6MAkGBSsOAwIaBQAEFDS9JBHnYfeEdVsX9/GX8MfkObAO BBTRS1MM82uiLErVLJwtsr2jj2glDwIBCQ==
[25/Aug/2016:16:27:50][http-nio-8080-exec-4]: Serial Number: 9
[25/Aug/2016:16:27:50][http-nio-8080-exec-4]: OCSPServlet: OCSP Response Size:
[25/Aug/2016:16:27:50][http-nio-8080-exec-4]: OCSPServlet: 2435
[25/Aug/2016:16:27:50][http-nio-8080-exec-4]: OCSPServlet: OCSP Response Data:
[25/Aug/2016:16:27:50][http-nio-8080-exec-4]: OCSPServlet: MIIJfwoBAKCCCXgwggl0BgkrBgEFBQcwAQEEggllMIIJYTCBvqFYMFYxLjAsBgNV BAoMJWxvY2FsaG9zdC5sb2NhbGRvbWFpbiBTZWN1cml0eSBEb21haW4xJDAiBgNV BAMMG0NBIE9DU1AgU2lnbmluZyBDZXJ0aWZpY2F0ZRgPMjAxNjA4MjUyMzI3NTBa MFEwTzA6MAkGBSsOAwIaBQAEFDS9JBHnYfeEdVsX9/GX8MfkObAOBBTRS1MM82ui LErVLJwtsr2jj2glDwIBCYAAGA8yMDE2MDgyNTIzMjc1MFowDQYJKoZIhvcNAQEL
BQADggEBAEXu7waAJRMLZWocWG5t97dXtNzLIsgC3DAGcZX3BWXlFr1wn/nqDeNx 2HJlgdyVdF+7AmLam6cWTlSeGNou8c/qB3edPszoQbvK7pHRNRXcYjyWR7gQ5aIw LpoJRgw0GTPYWQniH7/rBi9f+yRiLgK0Q7o89SNDpfsD45IcvIuR7g9mR1dlYrBD 1beQL8kGwP1SOwjKa9NpS8qzatKaD1pOZfNxiBoyZkKXjcE6DyIG3ReENJ8N9Lf9 sOD1Stb8FbB/6pMFpjJPRk1USyt07X3+b5wf9KH7LrsaiRK5krxU4Jr65Ew2mnb7 5xNK/JhjJE5rt8XKpaXCCNrlkaAyEtSgggeIMIIHhDCCA7MwggKboAMCAQICAQIw DQYJKoZIhvcNAQELBQAwUTEuMCwGA1UECgwlbG9jYWxob3N0LmxvY2FsZG9tYWlu IFNlY3VyaXR5IERvbWFpbjEfMB0GA1UEAwwWQ0EgU2lnbmluZyBDZXJ0aWZpY2F0 ZTAeFw0xNjA4MjUyMjQyMzZaFw0xODA4MTUyMjQyMzZaMFYxLjAsBgNVBAoMJWxv Y2FsaG9zdC5sb2NhbGRvbWFpbiBTZWN1cml0eSBEb21haW4xJDAiBgNVBAMMG0NB IE9DU1AgU2lnbmluZyBDZXJ0aWZpY2F0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEP ADCCAQoCggEBAO+Rz81MmOhQA5NUWKYkvi8FG0zY0wGl7ZLggSqvX6nJxyUn7Mpl 0HLNQs/gpa25iUWL4hczTWsnA5uYfpTge6CY/XTPZ04IdKS59ndVQdRlV/ekn1+T kfjtS1FHmdsn2JDJpwRGej9HmY1m/tC+IJLLwB7stXmdukJcEA6J3DUYeATcF5H9 PCwYgCFoMjfuNMPZgaw3j1aF6l4C8ljRlNHwvugMpmKYPzvQARVAonyLWMALSd4x 3gcwM5nhp3Po7SY9qRPdbqRD2eMhnXKcIf0sQ5GU1EpLUhb52Ri+aHx5D5vfeRx4 wsjOL50EbENmApeo7zlp3nyPxFNWL5SPTEMCAwEAAaOBkDCBjTAfBgNVHSMEGDAW gBTRS1MM82uiLErVLJwtsr2jj2glDzAOBgNVHQ8BAf8EBAMCAcYwRQYIKwYBBQUH AQEEOTA3MDUGCCsGAQUFBzABhilodHRwOi8vbG9jYWxob3N0LmxvY2FsZG9tYWlu OjgwODAvY2Evb2NzcDATBgNVHSUEDDAKBggrBgEFBQcDCTANBgkqhkiG9w0BAQsF AAOCAQEANxfNWXQ/Efiwlf6EcCFuHGcwWTQJPivurv8cSdd2z+qCvW3JKopnLMPS AJGRbzbXfs/BHPzw/iO9uI7irGBk1e1XVIvj+8n4NJ2H1SLS9jhQPYZWpw+nC36H 86sBhvNKbdNsiM8DDjXAjvXFWxfjI3W3nm5iahN3n40hWhoePH5NpBHlss9DIlFr goau1wrIVSJyTM1yokZ66mNiPXh/OKVxD++bZcD8PNPT7cjYHLTZkiqj9KjJlZa9 fx6VtKZWbG7pYTtmtaBWAZSz6f2gem9NDMNziGyVeaGxTtWY6zR1BMai5mCzc5ch C5IbtSj/SUdCt4mW3bX79mhOnWLmeDCCA8kwggKxoAMCAQICAQEwDQYJKoZIhvcN AQELBQAwUTEuMCwGA1UECgwlbG9jYWxob3N0LmxvY2FsZG9tYWluIFNlY3VyaXR5 IERvbWFpbjEfMB0GA1UEAwwWQ0EgU2lnbmluZyBDZXJ0aWZpY2F0ZTAeFw0xNjA4 MjUyMjQyMzVaFw0zNjA4MjUyMjQyMzVaMFExLjAsBgNVBAoMJWxvY2FsaG9zdC5s b2NhbGRvbWFpbiBTZWN1cml0eSBEb21haW4xHzAdBgNVBAMMFkNBIFNpZ25pbmcg 
Q2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDNGwSD sagoNZVEhrh6ljmR7yeAglmyEqMlnuX28vKfdKaWKrocpv43CK0tx8fHJ8CykPzA zvuPfpdIl90kontEpg4FwHLqItuhKYBH5QMvnzU4dAOh1QV0Eo+EzGgYuzMIxOS3 aH5yreZmOn48DwDFzfLnqM30TumcZ1LXqJ9kq25HqPtiP04DJVq9rJ3U5EW+0Y4n /dQSO1x5N3d85VQVNX/azqetMZPw5wl9p2FOEn+02RoKcDKp69IRMjOWHyT1sHVo WWSgLGi/a+VCm8QS/+O1xVdGPf2VOl4cQn15pX0Rm871HUIXCE6kj7NkOX70lbsO 393pemWPcVgiCWHrAgMBAAGjgaswgagwHwYDVR0jBBgwFoAU0UtTDPNroixK1Syc LbK9o49oJQ8wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAcYwHQYDVR0O BBYEFNFLUwzza6IsStUsnC2yvaOPaCUPMEUGCCsGAQUFBwEBBDkwNzA1BggrBgEF BQcwAYYpaHR0cDovL2xvY2FsaG9zdC5sb2NhbGRvbWFpbjo4MDgwL2NhL29jc3Aw DQYJKoZIhvcNAQELBQADggEBAJevIfDazKGb1ofcaQX6p6I8mJjFAp2+uyMPMKDc VaVOE1LT451xpTAokWiDxCJXdBbgVSgp+PhOe4H0tcOQb6GHIkrGTzUvRI6pFNz7 kkXGw+MnFX4myAzdTdcUSRFt8JLANZY/hcgxed43ytPz40ZXYo79574hxTvkXkF7 DS7b1uD0ujnXY9A6GIeIIdLZoZvwsUssCPj21Ly588OTk1RN0+thPf1qSoLZbhba 2Ra3OEGrFcNyjl1wUptkjqvdH4/9yRdQb5ALO1wN/0lbtofwJmgZ9pM+bYlht5dZ uv3nETFbGKgkLhKzSpG+4/pbBW04NfL7j2S6QxMpO/J1Cmg=
[25/Aug/2016:16:27:50][http-nio-8080-exec-4]: Serial Number: 9 Status: com.netscape.cmsutil.ocsp.GoodInfo
[25/Aug/2016:16:27:50][http-nio-8080-exec-4]: OCSPServlet: org.apache.catalina.connector.ClientAbortException: java.io.IOException: Broken pipe
[25/Aug/2016:16:27:50][http-nio-8080-exec-4]: CMSServlet: curDate=Thu Aug 25 16:27:50 PDT 2016 id=caOCSP time=1076
Flags: needinfo?(aakkiang)
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → INCOMPLETE
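Added example (not code from Firefox, NSS or Dogtag): a small DER walker that decodes the OCSP request Dogtag logged in the comment above and re-encodes it the way a DER-strict client sends it. The base64 is copied verbatim from the "OCSPServlet: OCSP Request:" log line. It decodes to 73 bytes beginning 30 47 30 45 a0 03 02 01 00, i.e. with an explicit [0] version of 0, while the capture shows Content-Length 68 and a body beginning 0B0@0>0<0: (30 42 30 40 30 3e 30 3c 30 3a); the log therefore holds a re-encoded copy that carries the DEFAULT version DER omits. Both forms contain one CertID: SHA-1 issuer hashes and serial 9, matching the "Serial Number: 9" log line. The parser accepts either form; the encoder produces the 68-byte wire form. Structure follows RFC 6960 section 4.1.1; the function names are this example's own.

```python
"""Decode the OCSP request quoted in the Dogtag debug log above and re-encode it
the way it appeared on the wire.  Added example for bug 1263240; not Firefox,
NSS or Dogtag code."""
import base64

# Copied verbatim from the "OCSPServlet: OCSP Request:" log line in the comment above.
LOGGED_REQUEST_B64 = ("MEcwRaADAgEAMD4wPDA6MAkGBSsOAwIaBQAEFDS9JBHnYfeEdVsX9/GX8MfkObAO"
                      "BBTRS1MM82uiLErVLJwtsr2jj2glDwIBCQ==")
SHA1_OID = "1.3.14.3.2.26"


def logged_request_der():
    """The logged request as DER bytes (73 bytes: explicit version included)."""
    return base64.b64decode(LOGGED_REQUEST_B64)


def der_read(buf, pos):
    """Read one TLV at pos; returns (tag, value, next_pos).  Short-form and
    one/two-byte long-form lengths cover everything in an OCSPRequest."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        if nbytes not in (1, 2):
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def der_children(value):
    """Contents of a constructed element as a list of (tag, value)."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out


def der_tlv(tag, value):
    """Encode one TLV with a minimal (DER) length."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def decode_oid(raw):
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunks = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunks.append(0x80 | (a & 0x7F))
        out += bytes(reversed(chunks))
    return out


def parse_ocsp_request(der):
    """Return the CertID of a single-certificate OCSPRequest (RFC 6960 4.1.1).
    Accepts the DER-minimal form (version omitted because it is DEFAULT v1)
    and the form with an explicit [0] version, which is how the log shows it."""
    tag, contents, _ = der_read(der, 0)
    if tag != 0x30:
        raise ValueError("OCSPRequest must be a SEQUENCE")
    tbs = der_children(contents)[0][1]            # tbsRequest; optionalSignature ignored
    items = der_children(tbs)
    version = 0
    if items and items[0][0] == 0xA0:             # [0] EXPLICIT Version
        version = der_children(items[0][1])[0][1][0]
        items = items[1:]
    request_list = next(v for t, v in items if t == 0x30)   # skips [1] requestorName
    requests = der_children(request_list)
    if len(requests) != 1:
        raise ValueError("example handles single-cert requests only")
    cert_id = der_children(requests[0][1])[0][1]
    alg, name_hash, key_hash, serial = der_children(cert_id)
    return {
        "version": version,
        "hash_oid": decode_oid(der_children(alg[1])[0][1]),
        "issuer_name_hash": name_hash[1].hex(),
        "issuer_key_hash": key_hash[1].hex(),
        "serial": int.from_bytes(serial[1], "big", signed=True),
    }


def encode_ocsp_request(cert_id):
    """Minimal OCSPRequest as a DER-strict client emits it: DEFAULT version
    omitted, no requestorName, no extensions, no signature."""
    alg = der_tlv(0x30, der_tlv(0x06, encode_oid(cert_id["hash_oid"])) + b"\x05\x00")
    serial = cert_id["serial"]
    serial_bytes = serial.to_bytes((serial.bit_length() + 8) // 8, "big", signed=True)
    cid = der_tlv(0x30, alg
                  + der_tlv(0x04, bytes.fromhex(cert_id["issuer_name_hash"]))
                  + der_tlv(0x04, bytes.fromhex(cert_id["issuer_key_hash"]))
                  + der_tlv(0x02, serial_bytes))
    # CertID -> Request -> requestList -> TBSRequest -> OCSPRequest
    return der_tlv(0x30, der_tlv(0x30, der_tlv(0x30, der_tlv(0x30, cid))))


if __name__ == "__main__":
    cid = parse_ocsp_request(logged_request_der())
    wire = encode_ocsp_request(cid)
    print(cid, len(logged_request_der()), len(wire), wire[:10])
```

The issuerKeyHash it recovers is the same 20 bytes that appear as the keyIdentifier in the CA certificates embedded in the logged response, which is the quickest way to confirm that the request really was for a certificate issued by that CA.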
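Added example (not Firefox or Dogtag code) that replays the exchange from the Wireshark capture above offline: a stand-in responder on loopback accepts the POST, returns the captured "200 OK / Content-Length: 2435" headers and then sends nothing, and a client reads the reply under a per-read deadline and reports how much of the declared body actually arrived instead of waiting forever. The loopback server, the ephemeral port, the 1-second deadline and the placeholder request body are assumptions of this demo; the headers are the captured ones. The same client run against a server that does send the 2435 bytes reports the body as complete, so the two cases can be told apart.

```python
"""Replay, offline, the HTTP exchange from the Wireshark capture in the comment
above: the responder answers "200 OK, Content-Length: 2435" and then sends
nothing.  Added example for bug 1263240; not Firefox or Dogtag code."""
import socket
import threading

# Response headers copied from the capture; the real server sent no body after them.
CAPTURED_RESPONSE_HEADERS = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache-Coyote/1.1\r\n"
    b"Content-Type: application/ocsp-response\r\n"
    b"Content-Length: 2435\r\n"
    b"Date: Thu, 25 Aug 2016 23:27:50 GMT\r\n"
    b"\r\n"
)
DECLARED_BODY_LENGTH = 2435


def start_stalling_responder(body_bytes=0):
    """Stand-in for the Dogtag responder (assumption: loopback, ephemeral port).
    Accepts one connection, reads the POST, sends the captured headers plus
    body_bytes bytes of filler body, then stalls until the client closes."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    host, port = srv.getsockname()

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            conn.settimeout(5)
            try:
                conn.recv(4096)                                   # the POST
                conn.sendall(CAPTURED_RESPONSE_HEADERS + b"\x30" * body_bytes)
                conn.recv(1)                                      # block until the client gives up
            except OSError:
                pass                                              # peer closed: the server-side "Broken pipe"

    threading.Thread(target=serve, daemon=True).start()
    return host, port


def declared_length(head):
    """Content-Length from raw header bytes, or None if absent."""
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            return int(value.strip())
    return None


def post_ocsp_request(host, port, request_der, deadline=1.0):
    """POST request_der as application/ocsp-request and read the reply with a
    per-read deadline.  Returns the status line, the declared body length, the
    bytes of body actually received, and whether a read hit the deadline."""
    http_request = (
        b"POST /ca/ocsp HTTP/1.1\r\n"
        + f"Host: {host}:{port}\r\n".encode()
        + b"Content-Type: application/ocsp-request\r\n"
        + f"Content-Length: {len(request_der)}\r\n".encode()
        + b"Connection: close\r\n\r\n"
        + request_der
    )
    raw, timed_out = b"", False
    with socket.create_connection((host, port), timeout=deadline) as s:
        s.sendall(http_request)
        try:
            while True:
                head, sep, body = raw.partition(b"\r\n\r\n")
                want = declared_length(head) if sep else None
                if want is not None and len(body) >= want:
                    break                                         # declared body fully received
                chunk = s.recv(4096)
                if not chunk:
                    break                                         # peer closed early
                raw += chunk
        except socket.timeout:
            timed_out = True                                      # this is where a naive client hangs
    head, _, body = raw.partition(b"\r\n\r\n")
    declared = declared_length(head)
    return {
        "status": head.split(b"\r\n", 1)[0].decode(),
        "declared": declared,
        "received": len(body),
        "timed_out": timed_out,
        "complete": declared is not None and len(body) == declared,
    }


def demo(body_bytes=0):
    """body_bytes=0 reproduces the capture; body_bytes=DECLARED_BODY_LENGTH is
    the healthy case.  The request body is a constructed placeholder."""
    host, port = start_stalling_responder(body_bytes)
    return post_ocsp_request(host, port, b"\x30\x00", deadline=1.0)


if __name__ == "__main__":
    print(demo())                      # stalled: received 0 of 2435, timed_out True
    print(demo(DECLARED_BODY_LENGTH))  # healthy: received 2435, complete True
```

When the client closes after the deadline, the server side sees exactly the "ClientAbortException: java.io.IOException: Broken pipe" that the Dogtag log records, so that line alone does not say which side misbehaved; comparing the bytes received against Content-Length, as above, does.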