View Issue Details
Field | Value |
---|---|
ID | 0000656 |
Project | Main CAcert Website |
Category | certificate issuing |
View Status | public |
Date Submitted | 2008-11-27 15:48 |
Last Update | 2013-01-15 07:54 |
Reporter | weedy |
Assigned To | Sourcerer |
Priority | normal |
Severity | major |
Reproducibility | always |
Status | closed |
Resolution | fixed |
Fixed in Version | 2009 Q3 |
Summary | 0000656: OCSP request using GET method |
Tags | No tags attached. |
Reviewed by | |
Test Instructions | |

Description

Opera now uses GET instead of POST to query OCSP servers. Please update your servers to work with GET.

Additional Information

On Thu, 27 Nov 2008 11:50:08 +0100, Weedy <weedy2887@gmail.com> wrote:

> Can you add an override for http://ocsp.cacert.org/ to use the POST method?

No. We only add that override for servers chaining to roots we ship in the repository, and it is only intended as a temporary measure until the server has been fixed. If the server has problems with GET OCSP requests it should be updated so that it actually complies with the RFC.

--
Sincerely,
Yngve N. Pettersen
Senior Developer, Opera Software ASA
Email: yngve@opera.com
http://www.opera.com/
Phone: +47 24 16 42 60
Fax: +47 24 16 40 01
Notes

(0001291) weedy 2009-03-03 00:03
uhhh huge bump? This shouldn't take so long.
(0001292) weedy 2009-03-03 00:04
hmmm opera seems to hate bugs.cacert.org, or my ISP.
(0001295) scippio 2009-03-04 13:54
This is the biggest problem! I can't use cacert because Opera is loading my page very slowly with cacert...
(0001310) scippio 2009-03-13 23:37
Hmm interesting ... in the new Opera (9.64) it is loading normally...
(0001314) scippio 2009-03-16 02:49
In old versions (tested on Opera 9.27 and 9.63) it is now ok! :)
(0001323) weedy 2009-03-22 03:42
www-client/opera-9.64 might not take forever to timeout now, but it still throws an OCSP error. This is not fixed yet.
(0001324) Sourcerer 2009-03-22 17:25
CAcert is currently using an improved version of OCSPD from OpenCA (http://www.openca.org/ocspd/): http://www2.futureware.at/~philipp/openca-ocspd-1.5.2-cacert3.tar.gz

Please provide a patch for HTTP GET support for OCSPD.
(0001431) Daniel Black 2009-06-06 11:53
As the ocspd service, has http://ejbca.sourceforge.net/ been considered? The following attributes may be useful:

1. maintained and documented
2. rfc2560 and rfc5019 supported (including GET and caching)
3. can work from a database view (or replicated slave, or periodic database update) - schema http://www.ejbca.org/library/tables/CertificateData.html
4. claims high performance (hundreds per second (http://ejbca.sourceforge.net/architecture-ocsp.html)) (and include a stress test to be sure, or compare to existing)
5. LGPL license, and other dependencies are OSI licenses.
(0001432) mnemoc 2009-06-06 12:33
afaik the problem we have with those tools is that we deal with several times more users than them, and that will get even "worse" if we hit mozilla.
(0001433) Daniel Black 2009-06-06 16:19
Looking at the current implementation it looks like we're iterating over the CRL for each request (embedded within openssl - sk_X509_REVOKED_find). I'm tempted to load test them side by side to be sure. By supporting GET methods front end caches become effective. Anyone got a benchmark on what the current OCSP request rate is, and the expected growth?
(0001481) Sourcerer 2009-09-23 18:39
I have merged AOL's patches into our version 3, which now gives version 4: http://www2.futureware.at/~philipp/openca-ocspd-1.5.2-cacert4.tar.gz

Theoretically, this should implement GET support now. Please test it.
(0001482) Daniel Black 2009-09-24 02:55
The way to test it (I thought you'd deployed this, philipp) is:

```sh
# cert.pem - the certificate to check
# Send a POST request to the responder and also save the DER-encoded request.
$ openssl ocsp -no_cert_verify -url http://ocsp.cacert.org -issuer /etc/ssl/certs/root.pem -cert cert.pem -reqout /tmp/ocsp-req.txt
# note: -w 0 is no line wrapping
# Send the same request with GET: the base64 of the DER request goes in the URL path.
# RFC 2560 Appendix A.1.1 expects the base64 to be URL-encoded, so '+', '/' and '='
# in the output may need percent-escaping before a strict responder accepts it.
$ wget http://ocsp.cacert.org/`base64 -w 0 < /tmp/ocsp-req.txt` -O /tmp/ocsp-resp.txt
# Decode and print the DER response that came back.
$ openssl ocsp -respin /tmp/ocsp-resp.txt -resp_text
```

note: A new opera (version 10 and 10.10_prerelease) with CAcert's certificates imported aborted TLS connections to sites signed by our CAs.
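The note above tests GET support with openssl and wget, and an earlier note points out that GET is what makes front-end caches effective, because the whole request then lives in the URL. The following is an added example, not code from this thread or from CAcert's OCSPD: it builds a minimal unsigned OCSPRequest in DER (a single SHA-1 CertID as RFC 2560 section 4.1.1 defines it), encodes it for a GET as RFC 2560 Appendix A.1.1 and RFC 5019 describe, applies RFC 5019's rule that GET is used when the whole encoded URL is at most 255 bytes, and decodes the path again on the responder side. The issuer name, issuer key bytes, serial number and the responder URL http://ocsp.example.test are constructed sample values, not CAcert data.

```python
"""Build an OCSPRequest in DER, encode it for HTTP GET, and decode it on the responder side.
Added example; the inputs below are constructed, not taken from any real CA."""
import base64
import hashlib
import urllib.parse

# ---- minimal DER helpers, covering only the types an unsigned OCSPRequest needs ----

def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content

def der_sequence(*items: bytes) -> bytes:
    return der_tlv(0x30, b"".join(items))

def der_octet_string(data: bytes) -> bytes:
    return der_tlv(0x04, data)

def der_integer(n: int) -> bytes:
    """Non-negative INTEGER, minimal two's-complement body (leading 0x00 only if the top bit is set)."""
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return der_tlv(0x02, body)

# AlgorithmIdentifier for SHA-1: SEQUENCE { OID 1.3.14.3.2.26, NULL }, pre-encoded.
SHA1_ALGORITHM_ID = bytes.fromhex("300906052b0e03021a0500")

def build_ocsp_request(issuer_name_der: bytes, issuer_key_bytes: bytes, serial: int) -> bytes:
    """OCSPRequest ::= SEQUENCE { tbsRequest TBSRequest }, no optionalSignature, no extensions.
    issuer_name_der is the DER of the issuer's Name; issuer_key_bytes is the issuer's
    subjectPublicKey value (tag and length excluded), both hashed with SHA-1 into the CertID."""
    cert_id = der_sequence(
        SHA1_ALGORITHM_ID,
        der_octet_string(hashlib.sha1(issuer_name_der).digest()),  # issuerNameHash
        der_octet_string(hashlib.sha1(issuer_key_bytes).digest()),  # issuerKeyHash
        der_integer(serial),                                        # serialNumber
    )
    request = der_sequence(cert_id)              # Request ::= SEQUENCE { reqCert CertID }
    tbs = der_sequence(der_sequence(request))    # TBSRequest { requestList SEQUENCE OF Request }
    return der_sequence(tbs)

def base64_request(request_der: bytes) -> str:
    return base64.b64encode(request_der).decode("ascii")

def ocsp_get_url(responder_url: str, request_der: bytes) -> str:
    """Client side: base64 the DER, then percent-encode so '+', '/' and '=' survive in the path."""
    return responder_url.rstrip("/") + "/" + urllib.parse.quote(base64_request(request_der), safe="")

def prefers_get(url: str) -> bool:
    """RFC 5019 section 5: use GET (cacheable) when the complete encoded URL is <= 255 bytes,
    otherwise fall back to POST with the DER request as the body."""
    return len(url.encode("ascii")) <= 255

def decode_get_path(path: str) -> bytes:
    """Responder side: recover the DER request from the URL path. Accepts both the
    percent-encoded form and raw base64 (what the wget one-liner in the note above sends).
    Assumes the responder serves at the URL root, so the whole path is the request."""
    raw = urllib.parse.unquote(path.lstrip("/"))
    der = base64.b64decode(raw, validate=True)
    if not der.startswith(b"\x30"):
        raise ValueError("not a DER SEQUENCE, so not an OCSPRequest")
    return der

# ---- constructed sample inputs (not real CA data) ----
SAMPLE_ISSUER_NAME_DER = der_sequence(                       # Name: CN=Example CA
    der_tlv(0x31, der_sequence(der_tlv(0x06, bytes.fromhex("550403")),   # OID 2.5.4.3 (CN)
                               der_tlv(0x13, b"Example CA"))))          # PrintableString
SAMPLE_ISSUER_KEY_BYTES = bytes(range(64))                   # stand-in for the issuer's key bits
SAMPLE_SERIAL = 0x0123456789ABCDEF
SAMPLE_RESPONDER = "http://ocsp.example.test"                # .test is a reserved TLD

if __name__ == "__main__":
    der = build_ocsp_request(SAMPLE_ISSUER_NAME_DER, SAMPLE_ISSUER_KEY_BYTES, SAMPLE_SERIAL)
    url = ocsp_get_url(SAMPLE_RESPONDER, der)
    print(len(der), "byte request ->", "GET" if prefers_get(url) else "POST", url)
    assert decode_get_path(url[len(SAMPLE_RESPONDER):]) == der
```

Because every field of the request is in the URL, an HTTP cache in front of the responder can serve repeated lookups for the same certificate without touching the CRL search the thread worries about; a POST body gives such a cache nothing to key on.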
(0001483) Daniel Black 2009-09-24 05:52
ok - i did some testing. GET and POST method of ocsp works. no config file changes. Exhaustive testing not done. A compiled version and tarball is on ocsp:/home/dan/openca-ocspd-1.5.2-cacert4* no code changes. Feel free to deploy.
(0001484) Sourcerer 2009-09-24 21:08
I have deployed the new OCSPD version. I also added GET testing support for our OCSP regression testing system: http://svn.cacert.org/CAcert/Software/OcspTest-1.3.tar.bz2
(0001485) Sourcerer 2009-09-24 21:08
Please test and close the bug.

Issue History
Date Modified | Username | Field | Change |
---|---|---|---|
2008-11-27 15:48 | weedy | New Issue | |
2009-03-03 00:03 | weedy | Note Added: 0001291 | |
2009-03-03 00:04 | weedy | Note Added: 0001292 | |
2009-03-03 00:05 | weedy | Note Edited: 0001292 | |
2009-03-04 13:54 | scippio | Note Added: 0001295 | |
2009-03-13 23:37 | scippio | Note Added: 0001310 | |
2009-03-16 02:49 | scippio | Note Added: 0001314 | |
2009-03-16 02:50 | scippio | Note Edited: 0001314 | |
2009-03-22 03:42 | weedy | Note Added: 0001323 | |
2009-03-22 17:25 | Sourcerer | Note Added: 0001324 | |
2009-03-22 17:26 | Sourcerer | Status | new => @30@ |
2009-06-06 11:53 | Daniel Black | Note Added: 0001431 | |
2009-06-06 12:33 | mnemoc | Note Added: 0001432 | |
2009-06-06 16:19 | Daniel Black | Note Added: 0001433 | |
2009-09-23 18:39 | Sourcerer | Note Added: 0001481 | |
2009-09-24 02:55 | Daniel Black | Note Added: 0001482 | |
2009-09-24 05:52 | Daniel Black | Note Added: 0001483 | |
2009-09-24 21:08 | Sourcerer | Note Added: 0001484 | |
2009-09-24 21:08 | Sourcerer | Note Added: 0001485 | |
2009-09-24 21:08 | Sourcerer | Status | @30@ => solved? |
2010-07-27 16:08 | Sourcerer | Status | solved? => closed |
2010-07-27 16:08 | Sourcerer | Resolution | open => fixed |
2010-07-27 16:08 | Sourcerer | Assigned To | => Sourcerer |
2013-01-15 07:54 | Werner Dworak | Fixed in Version | => 2009 Q3 |