View Issue Details

ID: 0000656
Project: Main CAcert Website
Category: certificate issuing
View Status: public
Last Update: 2013-01-15 07:54
Reporter: weedy
Assigned To: Sourcerer
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Fixed in Version: 2009 Q3
Summary: 0000656: OCSP request using GET method

Description: Opera now uses GET instead of POST to query OCSP servers. Please update your servers to work with GET.

Additional Information: On Thu, 27 Nov 2008 11:50:08 +0100, Weedy <weedy2887@gmail.com> wrote:

> Can you add an override for http://ocsp.cacert.org/ to use the POST method?

No. We only add that override for servers chaining to roots we ship in the repository, and it is only intended as a temporary measure until the server has been fixed.

If the server has problems with GET OCSP requests it should be updated so that it actually complies with the RFC.

--
Sincerely,
Yngve N. Pettersen
 
********************************************************************
Senior Developer Email: yngve@opera.com
Opera Software ASA http://www.opera.com/
Phone: +47 24 16 42 60 Fax: +47 24 16 40 01
********************************************************************
Tags: No tags attached.

Activities

weedy

2009-03-03 00:03

reporter   ~0001291

uhhh huge bump? This shouldn't take so long.

weedy

2009-03-03 00:04

reporter   ~0001292

Last edited: 2009-03-03 00:05

hmmm opera seems to hate bugs.cacert.org, or my ISP.

scippio

2009-03-04 13:54

reporter   ~0001295

This is the biggest problem! I can't use CAcert because Opera loads my page very slowly with CAcert...

scippio

2009-03-13 23:37

reporter   ~0001310

Hmm, interesting ... in the new Opera (9.64) it is loading normally...

scippio

2009-03-16 02:49

reporter   ~0001314

Last edited: 2009-03-16 02:50

In old versions (tested on Opera 9.27 and 9.63) it is now OK! :)

weedy

2009-03-22 03:42

reporter   ~0001323

www-client/opera-9.64 might not take forever to time out now, but it still throws an OCSP error. This is not fixed yet.

Sourcerer

2009-03-22 17:25

administrator   ~0001324

CAcert is currently using an improved version of OCSPD from OpenCA (http://www.openca.org/ocspd/):
http://www2.futureware.at/~philipp/openca-ocspd-1.5.2-cacert3.tar.gz

Please provide a patch for HTTP GET support for OCSPD.

Daniel Black

2009-06-06 11:53

reporter   ~0001431

As the ocspd service, has http://ejbca.sourceforge.net/ been considered? The following attributes may be useful:
1. maintained and documented
2. RFC 2560 and RFC 5019 supported (including GET and caching)
3. can work from a database view (or replicated slave, or periodic database update) - schema http://www.ejbca.org/library/tables/CertificateData.html
4. claims high performance (hundreds per second (http://ejbca.sourceforge.net/architecture-ocsp.html)) (and include a stress test to be sure, or compare to the existing service)
5. LGPL license, and other dependencies are OSI licenses.

mnemoc

2009-06-06 12:33

developer   ~0001432

afaik the problem we have with those tools is that we deal with several times more users than them, and that will get even "worse" if we hit mozilla.

Daniel Black

2009-06-06 16:19

reporter   ~0001433

Looking at the current implementation it looks like we're iterating over the CRL for each request (embedded within OpenSSL - sk_X509_REVOKED_find).

I'm tempted to load test them side by side to be sure.

By supporting GET methods front end caches become effective.

Anyone got a benchmark on what the current OCSP request rate is? and expected growth?

Sourcerer

2009-09-23 18:39

administrator   ~0001481

I have merged AOL's patches into our version 3, which now gives version 4:

http://www2.futureware.at/~philipp/openca-ocspd-1.5.2-cacert4.tar.gz

Theoretically, this should implement GET support now. Please test it.

Daniel Black

2009-09-24 02:55

reporter   ~0001482

The way to test it (I thought you'd deployed this, Philipp) is:
cert.pem - the certificate to check

$ openssl ocsp -no_cert_verify -url http://ocsp.cacert.org -issuer /etc/ssl/certs/root.pem -cert cert.pem -reqout /tmp/ocsp-req.txt

# note: -w 0 is no line wrapping
$ wget http://ocsp.cacert.org/`base64 -w 0 < /tmp/ocsp-req.txt` -O /tmp/ocsp-resp.txt

$ openssl ocsp -respin /tmp/ocsp-resp.txt -resp_text

Note: a new Opera (version 10 and 10.10_prerelease) with CAcert's certificates imported aborted TLS connections to sites signed by our CAs.
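An added example, not CAcert's or OCSPD's code, of what the GET form in the test procedure above involves: the DER OCSPRequest (RFC 2560) is base64-encoded and, per RFC 5019 section 2.1.1, percent-encoded into the URL path, with GET used only for requests of at most 255 bytes once encoded. The issuer hashes and serial number are constructed sample values; the responder-side decoder accepts both the percent-encoded form and the raw form the wget line sends.

```python
import base64
import hashlib
from urllib.parse import quote, unquote

def der(tag, body):
    """Minimal DER TLV with definite-form length (short or long form)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def der_integer(n):
    # One spare byte keeps the sign bit clear for positive serial numbers.
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

SHA1_OID = bytes.fromhex("2b0e03021a")  # 1.3.14.3.2.26, the hashAlgorithm used in CertID

# Constructed sample values standing in for real issuer hashes (assumption, not CAcert's data).
ISSUER_NAME_HASH = hashlib.sha1(b"constructed issuer DN").digest()
ISSUER_KEY_HASH = hashlib.sha1(b"constructed issuer public key").digest()

def ocsp_request_der(issuer_name_hash, issuer_key_hash, serial):
    """OCSPRequest (RFC 2560 4.1.1) with one CertID, no signature and no extensions."""
    alg = der(0x30, der(0x06, SHA1_OID) + der(0x05, b""))           # AlgorithmIdentifier sha1
    cert_id = der(0x30, alg + der(0x04, issuer_name_hash)
                  + der(0x04, issuer_key_hash) + der_integer(serial))
    request_list = der(0x30, der(0x30, cert_id))                     # SEQUENCE OF Request
    return der(0x30, der(0x30, request_list))                        # OCSPRequest { TBSRequest }

def prefer_get(req_der):
    """RFC 5019 2.1.1: use GET when the base64 request is at most 255 bytes, otherwise POST."""
    return len(base64.b64encode(req_der)) <= 255

def ocsp_get_url(responder, req_der, url_encode=True):
    """GET {responder}/{url-encoded base64 of the DER request}. url_encode=False reproduces
    the raw form the wget line above sends, where '/', '+' and '=' are left unescaped."""
    b64 = base64.b64encode(req_der).decode("ascii")
    return responder.rstrip("/") + "/" + (quote(b64, safe="") if url_encode else b64)

def decode_get_path(path):
    """Responder side: recover the DER request from the request path, accepting both the
    RFC-conformant percent-encoded form and the raw form (unquote is a no-op on the latter)."""
    encoded = path[1:] if path.startswith("/") else path
    return base64.b64decode(unquote(encoded), validate=True)
```

Because a GET request is a plain URL, it can be cached by front-end proxies, which is the point made later in this thread about caches becoming effective.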

Daniel Black

2009-09-24 05:52

reporter   ~0001483

OK - I did some testing. The GET and POST methods of OCSP work. No config file changes. Exhaustive testing not done.

A compiled version and tarball is on ocsp:/home/dan/openca-ocspd-1.5.2-cacert4*

No code changes.

Feel free to deploy.

Sourcerer

2009-09-24 21:08

administrator   ~0001484

I have deployed the new OCSPD version.

I also added GET testing support for our OCSP regression testing system:
http://svn.cacert.org/CAcert/Software/OcspTest-1.3.tar.bz2

Sourcerer

2009-09-24 21:08

administrator   ~0001485

Please test and close the bug.

Issue History

Date Modified Username Field Change
2008-11-27 15:48 weedy New Issue
2009-03-03 00:03 weedy Note Added: 0001291
2009-03-03 00:04 weedy Note Added: 0001292
2009-03-03 00:05 weedy Note Edited: 0001292
2009-03-04 13:54 scippio Note Added: 0001295
2009-03-13 23:37 scippio Note Added: 0001310
2009-03-16 02:49 scippio Note Added: 0001314
2009-03-16 02:50 scippio Note Edited: 0001314
2009-03-22 03:42 weedy Note Added: 0001323
2009-03-22 17:25 Sourcerer Note Added: 0001324
2009-03-22 17:26 Sourcerer Status new => @30@
2009-06-06 11:53 Daniel Black Note Added: 0001431
2009-06-06 12:33 mnemoc Note Added: 0001432
2009-06-06 16:19 Daniel Black Note Added: 0001433
2009-09-23 18:39 Sourcerer Note Added: 0001481
2009-09-24 02:55 Daniel Black Note Added: 0001482
2009-09-24 05:52 Daniel Black Note Added: 0001483
2009-09-24 21:08 Sourcerer Note Added: 0001484
2009-09-24 21:08 Sourcerer Note Added: 0001485
2009-09-24 21:08 Sourcerer Status @30@ => solved?
2010-07-27 16:08 Sourcerer Status solved? => closed
2010-07-27 16:08 Sourcerer Resolution open => fixed
2010-07-27 16:08 Sourcerer Assigned To => Sourcerer
2013-01-15 07:54 Werner Dworak Fixed in Version => 2009 Q3