Closed Bug 923887 Opened 7 years ago Closed 4 years ago

Intermittent sec_error_ocsp_old_response on https://casecurity.org; possible regression from OCSP stapling

Category: Core :: Security: PSM (defect)


Status: RESOLVED WORKSFORME

Reporter: briansmith (Unassigned)

Details

On two occasions since we enabled OCSP stapling when visiting https://casecurity.org/, I have received the sec_error_ocsp_old_response error. Attempting to load the site again results in no error. I am not sure if this is a problem with the server stapling an old response or if it is a bug with our OCSP stapling implementation.

I will communicate this with the people working on that site by sending them a message on Twitter @CertCouncil.

Brian, I just saw an expired OCSP Response stapled by casecurity.org. I was using https://sslanalyzer.comodoca.com/?url=casecurity.org (which doesn't use any NSS or PSM code). Therefore, it looks like this is indeed "a problem with the server stapling an old response".

A flaw in the OCSP stapling code in nginx, it seems:

http://trac.nginx.org/nginx/browser/nginx/src/event/ngx_event_openssl_stapling.c#L449

(should check for an expired response first, and not call ngx_ssl_stapling_update only after having handed out the current/old response)
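The ordering problem described in that comment, as an added illustration that is neither nginx's code nor anything attached to this bug: a small Python model of a server-side stapling cache, with the serve-then-refresh order beside the check-before-serve order. The class and function names (`StaplingCache`, `refresh`, the `responder` callback) are hypothetical stand-ins, and the timestamps are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class OcspResponse:
    # Constructed stand-in for a DER OCSP response; only the validity window matters here.
    serial: str
    this_update: int   # seconds since epoch
    next_update: int   # seconds since epoch; must not be stapled once this has passed

def is_fresh(resp: Optional[OcspResponse], now: int) -> bool:
    return resp is not None and resp.this_update <= now < resp.next_update

class StaplingCache:
    """Hypothetical model of a stapling cache. refresh() stands in for the
    fetch that nginx's ngx_ssl_stapling_update() triggers; the responder
    callback returns a new response, or None if the OCSP responder is down."""

    def __init__(self, responder: Callable[[int], Optional[OcspResponse]]):
        self.responder = responder
        self.cached: Optional[OcspResponse] = None
        self.refreshes = 0

    def refresh(self, now: int) -> None:
        self.refreshes += 1
        new = self.responder(now)
        if new is not None:          # a failed fetch leaves the old response in place
            self.cached = new

    def staple_serve_then_refresh(self, now: int) -> Optional[OcspResponse]:
        """Flawed order: hand out whatever is cached, only then notice it is old.
        A client receiving the stale response reports sec_error_ocsp_old_response."""
        served = self.cached
        if served is None or now >= served.next_update:
            self.refresh(now)
        return served

    def staple_check_first(self, now: int) -> Optional[OcspResponse]:
        """Corrected order: refresh an expired response before the handshake,
        and staple nothing at all if no fresh response is available."""
        if not is_fresh(self.cached, now):
            self.refresh(now)
        return self.cached if is_fresh(self.cached, now) else None
```

With the check-first order a client never sees an expired staple; at worst it receives no staple and falls back to its own revocation check.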

This was accepted as a bug in Nginx - http://trac.nginx.org/nginx/ticket/425

Looks like the nginx bug was fixed.
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → WORKSFORME