OCSP requests received with cert=issuer=null when server started with PFX #4127

Closed
djphoenix opened this issue Dec 3, 2015 · 6 comments
Labels
tls Issues and PRs related to the tls subsystem.

Test script: https://git.phoenix.dj/snippets/6
Place it into a folder that contains:

  1. cer.cer: certificate that contains OCSP responder address
  2. cer.key: keyfile for certificate
  3. ca.cer: certificate issuer
  4. cer.pfx: PFX with certificate, ca and key (openssl pkcs12 -export -in cer.cer -inkey cer.key -certfile ca.cer -out cer.pfx -password pass:)

Then run node ocsptest.js

On work PC (Mac OS X El Capitan, homebrew version):

$ node ocsptest.js 
Node version: v4.1.1 

--- Testing CER+KEY ---
OCSP request { cert: true, issuer: true }
OCSP request { cert: true, issuer: true }
closing...

--- Testing CER+KEY+SNICRT ---
OCSP request { cert: true, issuer: true }
SNI 127.0.0.1
OCSP request { cert: true, issuer: true }
closing...

--- Testing CER+KEY+SNIPFX ---
OCSP request { cert: true, issuer: true }
SNI 127.0.0.1
OCSP request { cert: false, issuer: false }
closing...

--- Testing PFX ---
OCSP request { cert: false, issuer: false }
OCSP request { cert: false, issuer: false }
closing...

--- Testing PFX+SNICRT ---
OCSP request { cert: false, issuer: false }
SNI 127.0.0.1
OCSP request { cert: true, issuer: true }
closing...

--- Testing PFX+SNIPFX ---
OCSP request { cert: false, issuer: false }
SNI 127.0.0.1
OCSP request { cert: false, issuer: false }
closing...

Done

On my server (Debian GNU/Linux 8, deb.nodesource.com/node_4.x):

$ node ocsptest.js 
Node version: v4.2.2 
... exactly same

VMware (Debian GNU/Linux 8, deb.nodesource.com/node_5.x):

$ node ocsptest.js 
Node version: v5.1.0 
... exactly same
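
A defensive `OCSPRequest` handler for the behaviour reported above, as an added example that is not part of the original issue or of Node.js itself: it skips stapling and records the event when `certificate` or `issuer` arrives as null. `makeOcspHandler`, `staples`, `log` and the sample buffers are hypothetical names and constructed data.

```javascript
// Added example: handler for the tls.Server 'OCSPRequest' event that tolerates
// the null certificate/issuer seen in this issue. All names are hypothetical.

// `staples` maps hex(DER certificate) -> Buffer with a pre-fetched OCSP response.
// `log` is an array that receives one record per request, for monitoring.
function makeOcspHandler(staples, log) {
  return function onOCSPRequest(certificate, issuer, callback) {
    const seen = { cert: !!certificate, issuer: !!issuer };
    if (!seen.cert || !seen.issuer) {
      // Affected builds pass null for PFX-loaded contexts:
      // send no staple and record the event instead of dereferencing null.
      log.push({ ...seen, stapled: false, reason: 'missing-cert-or-issuer' });
      return callback(null, null); // callback(null, null) means "no OCSP response"
    }
    const staple = staples.get(certificate.toString('hex')) || null;
    log.push({
      ...seen,
      stapled: staple !== null,
      reason: staple ? 'cache-hit' : 'cache-miss',
    });
    callback(null, staple);
  };
}

// Constructed sample data: placeholder bytes, not real DER or a real OCSP response.
function demo() {
  const cert = Buffer.from('constructed-cert-der');
  const issuer = Buffer.from('constructed-issuer-der');
  const staples = new Map([
    [cert.toString('hex'), Buffer.from('constructed-ocsp-response')],
  ]);
  const log = [];
  const handler = makeOcspHandler(staples, log);
  const results = [];
  const collect = (err, resp) => results.push(err ? 'error' : resp && resp.toString());
  handler(cert, issuer, collect);   // CER+KEY case: both buffers present
  handler(null, null, collect);     // PFX case on the affected versions
  handler(issuer, issuer, collect); // certificate with no cached response
  return { results, log };
}

// Wiring on a real server (not run here):
//   server.on('OCSPRequest', makeOcspHandler(staples, log));
```
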

mscdex added the tls label Dec 3, 2015

mscdex commented Dec 3, 2015

/cc @nodejs/crypto

indutny commented Dec 5, 2015

Confirmed, working on a fix.

indutny added a commit to indutny/io.js that referenced this issue Dec 5, 2015
Load the certificate chain from the PFX file the same as we do it for a
regular certificate chain.

Fix: nodejs#4127

indutny commented Dec 5, 2015

@djphoenix may I ask you to give a try to this patch, please? #4165

indutny added a commit to indutny/io.js that referenced this issue Dec 6, 2015
@djphoenix

# ~/nodejs/node-v5.1.1/node ocsptest.js 
Node version: v5.1.1 
... same as reference

# ~/nodejs/node-v5.1.1-patched/node ocsptest.js 
Node version: v5.1.1 

--- Testing CER+KEY ---
OCSP request { cert: true, issuer: true }
OCSP request { cert: true, issuer: true }
closing...

--- Testing CER+KEY+SNICRT ---
OCSP request { cert: true, issuer: true }
SNI 127.0.0.1
OCSP request { cert: true, issuer: true }
closing...

--- Testing CER+KEY+SNIPFX ---
OCSP request { cert: true, issuer: true }
SNI 127.0.0.1
OCSP request { cert: true, issuer: true }
closing...

--- Testing PFX ---
OCSP request { cert: true, issuer: true }
OCSP request { cert: true, issuer: true }
closing...

--- Testing PFX+SNICRT ---
OCSP request { cert: true, issuer: true }
SNI 127.0.0.1
OCSP request { cert: true, issuer: true }
closing...

--- Testing PFX+SNIPFX ---
OCSP request { cert: true, issuer: true }
SNI 127.0.0.1
OCSP request { cert: true, issuer: true }
closing...

Done

Perfect work, @indutny!

@djphoenix

Will the fix be released for 5.x only, or 4.x too?

indutny commented Dec 7, 2015

@djphoenix 4.x too

Fishrock123 pushed a commit to Fishrock123/node that referenced this issue Dec 22, 2015
Load the certificate chain from the PFX file the same as we do it for a
regular certificate chain.

Fix: nodejs#4127
PR-URL: nodejs#4165
Reviewed-By: Ben Noordhuis <[email protected]>
Fishrock123 pushed a commit to Fishrock123/node that referenced this issue Jan 6, 2016
MylesBorins pushed a commit that referenced this issue Jan 13, 2016
MylesBorins pushed a commit that referenced this issue Jan 19, 2016
scovetta pushed a commit to scovetta/node that referenced this issue Apr 2, 2016