Closed
Bug 923887
Opened 11 years ago
Closed 9 years ago
Intermittent sec_error_ocsp_old_response on https://casecurity.org ; possible regression from OCSP stapling
Categories: Core :: Security: PSM (defect)
Status: RESOLVED WORKSFORME
People: Reporter briansmith; Unassigned
On two occasions since we enabled OCSP stapling when visiting https://casecurity.org/, I have received the sec_error_ocsp_old_response error. Attempting to load the site again results in no error. I am not sure if this is a problem with the server stapling an old response or if it is a bug with our OCSP stapling implementation.
I will communicate this with the people working on that site by sending them a message on Twitter @CertCouncil.
Comment 1•11 years ago
Brian, I just saw an expired OCSP Response stapled by casecurity.org. I was using https://sslanalyzer.comodoca.com/?url=casecurity.org (which doesn't use any NSS or PSM code). Therefore, it looks like this is indeed "a problem with the server stapling an old response".
A flaw in the OCSP stapling code in nginx, it seems:
http://trac.nginx.org/nginx/browser/nginx/src/event/ngx_event_openssl_stapling.c#L449
(should check for an expired response first, and not call ngx_ssl_stapling_update only after having handed out the current/old response)
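To make the ordering problem described in the comment above concrete, here is an added illustration that is not nginx code and not part of this bug report: a hypothetical stapling cache (`staple_cache_t`, `staple_buggy`, `staple_fixed`, `client_accepts_staple` and the sample timestamps are all constructed for this example). The buggy variant hands the cached response to the current handshake and only afterwards notices it is past `nextUpdate` and schedules a refresh, so one client gets a stale staple; the fixed variant checks `nextUpdate` first and omits the staple instead. The client-side check mirrors what a browser does when it rejects a stapled response whose `nextUpdate` is in the past.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <time.h>

/* Hypothetical model of a server-side OCSP stapling cache (constructed for this
 * example; it is not the nginx data structure). */
typedef struct {
    const char *der;     /* cached OCSP response bytes (placeholder string here) */
    time_t      valid;   /* nextUpdate of the cached response */
    time_t      refresh; /* earliest time a background refresh may be started */
    int         updates; /* number of refreshes requested (observable in tests) */
} staple_cache_t;

/* Stand-in for the refresh routine: records the request and rate-limits retries. */
static void staple_cache_update(staple_cache_t *c, time_t now)
{
    c->updates++;
    c->refresh = now + 300;  /* do not retry for another five minutes */
}

/* Buggy ordering: the response to staple is chosen before its validity is
 * checked, so the handshake in flight still receives the stale response. */
const char *staple_buggy(staple_cache_t *c, time_t now)
{
    const char *out = c->der;            /* stale or not, this is what gets sent */
    if (now > c->valid && now >= c->refresh) {
        staple_cache_update(c, now);     /* refresh happens too late for `out` */
    }
    return out;
}

/* Fixed ordering: validity is checked first; an expired response is never
 * stapled. Returning NULL means "send no status_request extension data",
 * which leaves the client to do its own OCSP fetch instead of failing. */
const char *staple_fixed(staple_cache_t *c, time_t now)
{
    if (now > c->valid) {
        if (now >= c->refresh) {
            staple_cache_update(c, now);
        }
        return NULL;
    }
    return c->der;
}

/* Client side: a stapled response whose nextUpdate has already passed is
 * rejected (Firefox reports this as sec_error_ocsp_old_response). */
bool client_accepts_staple(time_t next_update, time_t now)
{
    return next_update >= now;
}

/* Runs one handshake at `now` against a freshly constructed cache whose
 * cached response has nextUpdate = 1000. Returns 1 if a staple was sent. */
int handshake_staples(bool use_fixed, time_t now)
{
    staple_cache_t c = { "<constructed DER bytes>", 1000, 0, 0 };
    const char *s = use_fixed ? staple_fixed(&c, now) : staple_buggy(&c, now);
    return s != NULL;
}

int main(void)
{
    /* Constructed scenario: the cached response expired at t=1000. */
    printf("t=500  buggy staples: %d, fixed staples: %d\n",
           handshake_staples(false, 500), handshake_staples(true, 500));
    printf("t=2000 buggy staples: %d, fixed staples: %d\n",
           handshake_staples(false, 2000), handshake_staples(true, 2000));
    printf("client accepts nextUpdate=1000 at t=2000: %d\n",
           client_accepts_staple(1000, 2000));
    return 0;
}
```

The point of returning NULL rather than the stale bytes is that a missing staple degrades gracefully (the client falls back to fetching OCSP itself), whereas a stapled-but-expired response is treated by a validating client as an error.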
Comment 3•11 years ago
This was accepted as a bug in Nginx - http://trac.nginx.org/nginx/ticket/425
Comment 4•9 years ago
Looks like the nginx bug was fixed.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WORKSFORME