From 1c7f5ce32e53c4903700bb253a4fce18c17036b2 Mon Sep 17 00:00:00 2001 From: William Lallemand Date: Wed, 18 Dec 2024 15:48:26 +0100 Subject: [PATCH] MEDIUM: ssl/ocsp: OCSP response is expired with OCSP_MAX_RESPONSE_TIME_SKEW When a OCSP response has a nextUpdate date which is OCSP_MAX_RESPONSE_TIME_SKEW (300) seconds in the future, the OCSP stapling callback ssl_sock_ocsp_stapling_cbk() returns SSL_TLSEXT_ERR_NOACK. However we don't emit an error when trying to load the file. There is a OCSP_check_validity() check using OCSP_MAX_RESPONSE_TIME_SKEW, but it checks that the OCSP response is not thisUpdate is not too much in the past. This patch emits an error during loading so we don't try to load an OCSP response which would never be emitted because of OCSP_MAX_RESPONSE_TIME_SKEW. This was discussed in issue #2822. --- src/ssl_ocsp.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/ssl_ocsp.c b/src/ssl_ocsp.c index b4c3122e9..fdb26e3d2 100644 --- a/src/ssl_ocsp.c +++ b/src/ssl_ocsp.c @@ -333,6 +333,11 @@ int ssl_sock_load_ocsp_response(struct buffer *ocsp_response, } #endif + if (ocsp->expire < date.tv_sec) { + memprintf(err, "OCSP single response: no longer valid. Must be valid during at least %ds.", OCSP_MAX_RESPONSE_TIME_SKEW); + goto out; + } + ret = 0; out: ERR_clear_error();
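Review bot: the wording of the new error in the added block is misleading: the commit message says the case being rejected is a response whose nextUpdate is still in the future but less than OCSP_MAX_RESPONSE_TIME_SKEW seconds away, so "no longer valid" will send an operator looking at the wrong field; something like "OCSP single response: nextUpdate is less than %ds away (OCSP_MAX_RESPONSE_TIME_SKEW), stapling would be refused" states the actual condition ("during at least" should also read "for at least"). The condition `ocsp->expire < date.tv_sec` only expresses that skew if `expire` was already computed as nextUpdate minus OCSP_MAX_RESPONSE_TIME_SKEW, which is not visible in this hunk; a one-line comment above the `if` saying so would make the load-time check self-explanatory and keep it in step with the callback's own test. Since this turns a silently ignored response into a hard load error, the commit message should also mention that it is a behaviour change for existing configurations, and a reg-test with a response whose nextUpdate lies inside the skew window would cover the new path.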