openssl: OCSP client verify fails when responder requires "Host" header

Using openssl ocsp (client) to verify a certificate fails when the responder requires host header.

This is a “known” issue with startssl (startcom) responders- but it keeps tripping people up. (It’s only “known” to you once you trip over it and do the research, which is annoying.)

It is possible to work-around this with the undocumented -header switch as shown below.

-header should be documented!
ocsp (client) should send a host header with its request by default.
ocsp (client) should probably also have a -servername option

Example:

# openssl version
OpenSSL 1.0.2h  3 May 2016
# openssl ocsp -issuer root_bundle.crt -cert avh.crt -url http://ocsp.startssl.com  -CAfile /etc/pki/tls/external-roots/ca_bundle.pem   -VAfile startcom_ocsp.pem
Error querying OCSP responder
3086117020:error:27076072:OCSP routines:PARSE_HTTP_LINE1:server response error:ocsp_ht.c:314:Code=400,Reason=Bad Request
#
# # Add -header 'host' 'ocsp.startssl.com' to the command
#
# openssl ocsp -issuer root_bundle.crt -cert avh.crt -url http://ocsp.startssl.com -header 'host' 'ocsp.startssl.com' -CAfile /etc/pki/tls/external-roots/ca_bundle.pem   -VAfile startcom_ocsp.pem
WARNING: no nonce in response
Response verify OK
avh.crt: good
        This Update: Nov 23 10:23:57 2016 GMT
        Next Update: Nov 27 10:33:57 2016 GMT

This should be easy to reproduce - startcom offers free domain verified certificates (See startssl.com, “free” option). There’s nothing special about mine.

But I’ve attached the files used in the example. (The -CAfile is from the Perl Mozilla::CA module).

startcom_ocsp.pem.txt avh.crt.txt root_bundle.crt.txt

This has been an issue since at least 2013 - see this webpage, which is where I found it documented.

About this issue

Original URL
State: closed
Created 8 years ago
Reactions: 1
Comments: 15 (8 by maintainers)

Links to this issue

Commits related to this issue

Add explicit host in cert check Seems to be possible with certain OCSP responders. Presumably, the responder at Comodo changed. cf. https://github.com/openssl/openssl/issues/1986 — committed to knuton/driver by knuton 6 years ago

Most upvoted comments

Sure. I’ll upgrade – when BIND can compile and run with 1.1.0; ISC reports that you and they have issues with API changes in 1.1.0. And assuming I don’t encounter other software with issues.

For a ‘workable’ solution: you should at least document that some OCSP responders require '-header host <the hostname from -url or -host>, and typically respond with an HTTP 400 or other error if this option is not specified. Just saying that ‘-header name value’ lets you add custom http headers would not be helpful for most users.

It’s your team’s decision; I’m just a user. When an engineer wants to do something about an issue, it’s a bug. When he doesn’t, it’s a feature. Considering the small scope of the fix (or “feature”) and the customer pain that it’s caused for at least the past 3 years, if it were my project, I’d make the change.

I’ve done my duty to report and research the issue. I know what my fingers (and scripts) need to do for now. Disposition is in the OpenSSL team’s hands.

tlhackque on Dec 2, 2016