Closed Bug 589629 Opened 14 years ago Closed 10 years ago

Verisign OCSP responder says "unauthorized request" for apparently valid SSL server cert

Categories

(Web Compatibility :: Site Reports, defect)

Product:
Web Compatibility
Component:
Site Reports
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
major

Tracking

(Not tracked)

Status:
RESOLVED INVALID

People

(Reporter: nelson, Unassigned)

References

(
URL
)

Details

With strict OCSP enabled, go visit either of these AT&T web aite URLs:

https://cprodx.sbc.com/cola/myaccount/Controller?pf=frameworkEntry&e=feMyAccount&ReturnUrl=https%3A%2F%2Faccountmanager.att.com%2Fwps%2Fmyportal%2Fmysbc%2Fhome%3FreferralAppID%3DSBC%26fromCola%3Dtrue

https://cprodx.sbc.com/apiserver/igate_web_dlom/logOut.do?PAS=COLA,ACCTMGR

Expected result: an https web page from AT&T
Actual result: 

> Secure Connection Failed
> An error occurred during a connection to cprodx.sbc.com.
> The OCSP server has refused this request as unauthorized.
> (Error code: sec_error_ocsp_unauthorized_request)
> The page you are trying to view can not be shown because 
> the authenticity of the received data could not be verified.

The cert for cprodx.sbc.com is within its validity period.
Its cert chain's signatures all check out OK.
Oh, I tried and tried to find ways to report this to Verisign this weekend,
in hopes that they could "kick" the responder.  No joy.
Seems to work for me. No issues.
Maybe they have multiple responders serving separate geographical areas,
and they give different results.
The OCSP request sent looks like this (pretty printed):

TBS Request:
    Version: DEFAULT
    No Requestor Name.
    Request 0:
        Cert ID:
            Hash Algorithm: SHA-1
            Issuer Name Hash:
                c0:fe:02:78:fc:99:18:88:91:b3:f2:12:e9:c7:e1:b2:
                1a:b7:bf:c0
            Issuer Key Hash:
                0d:fc:1d:f0:a9:e0:f0:1c:e7:f2:b2:13:17:7e:6f:8d:
                15:7c:d4:f6
            Serial Number:
                2f:1b:3a:10:e4:d5:ec:bf:a8:56:3a:76:94:3d:de:e5
        No Single Request Extensions
    No Request Extensions
No Signature

Or, in hex:

       30 51   30 4F   30 4D   30 4B   30 49   30 09   06 05   2B 0E
       03 02   1A 05   00 04   14 C0   FE 02   78 FC   99 18   88 91
       B3 F2   12 E9   C7 E1   B2 1A   B7 BF   C0 04   14 0D   FC 1D
       F0 A9   E0 F0   1C E7   F2 B2   13 17   7E 6F   8D 15   7C D4
       F6 02   10 2F   1B 3A   10 E4   D5 EC   BF A8   56 3A   76 94
       3D DE   E5

The entire response I get is these 5 bytes (shown here in hex):

       30 03   0A 01   06
PING cprodx.sbc.com (144.160.25.45): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
Request timeout for icmp_seq 4
Request timeout for icmp_seq 5
^C
--- cprodx.sbc.com ping statistics ---
7 packets transmitted, 0 packets received, 100.0% packet loss
Assignee: english-us → nobody
Status: NEW → RESOLVED
Closed: 10 years ago
Component: English US → Desktop
Resolution: --- → INVALID
Product: Tech Evangelism → Web Compatibility
You need to log in before you can comment on or make changes to this bug.