OCSP requests received with cert=issuer=null when server started with PFX #4127

djphoenix · 2015-12-03T08:35:46Z

Test script: https://git.phoenix.dj/snippets/6
Place it into folder that contains:

cer.cer: certificate that contains OCSP responder address
cer.key: keyfile for certificate
ca.cer: certificate issuer
cer.pfx: PFX with certificate, ca and key (openssl pkcs12 -export -in cer.cer -inkey cer.key -certfile ca.cer -out cer.pfx -password pass:)

Then run node ocsptest.js
On work PC (Mac OS X EI Capitan, homebrew version):

$ node ocsptest.js 
Node version: v4.1.1 

--- Testing CER+KEY ---
OCSP request { cert: true, issuer: true }
OCSP request { cert: true, issuer: true }
closing...

--- Testing CER+KEY+SNICRT ---
OCSP request { cert: true, issuer: true }
SNI 127.0.0.1
OCSP request { cert: true, issuer: true }
closing...

--- Testing CER+KEY+SNIPFX ---
OCSP request { cert: true, issuer: true }
SNI 127.0.0.1
OCSP request { cert: false, issuer: false }
closing...

--- Testing PFX ---
OCSP request { cert: false, issuer: false }
OCSP request { cert: false, issuer: false }
closing...

--- Testing PFX+SNICRT ---
OCSP request { cert: false, issuer: false }
SNI 127.0.0.1
OCSP request { cert: true, issuer: true }
closing...

--- Testing PFX+SNIPFX ---
OCSP request { cert: false, issuer: false }
SNI 127.0.0.1
OCSP request { cert: false, issuer: false }
closing...

Done

On my server (Debian GNU/Linux 8, deb.nodesource.com/node_4.x):

$ node ocsptest.js 
Node version: v4.2.2 
... exactly same

VMware (Debian GNU/Linux 8, deb.nodesource.com/node_5.x):

$ node ocsptest.js 
Node version: v5.1.0 
... exactly same

The text was updated successfully, but these errors were encountered:

mscdex · 2015-12-03T08:42:28Z

/cc @nodejs/crypto

indutny · 2015-12-05T21:40:19Z

Confirmed, working on a fix.

Load the certificate chain from the PFX file the same as we do it for a regular certificate chain. Fix: nodejs#4127

indutny · 2015-12-05T21:55:02Z

@djphoenix may I ask you to give a try to this patch, please ? #4165

djphoenix · 2015-12-06T12:12:09Z

# ~/nodejs/node-v5.1.1/node ocsptest.js 
Node version: v5.1.1 
... same as reference

# ~/nodejs/node-v5.1.1-patched/node ocsptest.js 
Node version: v5.1.1 

--- Testing CER+KEY ---
OCSP request { cert: true, issuer: true }
OCSP request { cert: true, issuer: true }
closing...

--- Testing CER+KEY+SNICRT ---
OCSP request { cert: true, issuer: true }
SNI 127.0.0.1
OCSP request { cert: true, issuer: true }
closing...

--- Testing CER+KEY+SNIPFX ---
OCSP request { cert: true, issuer: true }
SNI 127.0.0.1
OCSP request { cert: true, issuer: true }
closing...

--- Testing PFX ---
OCSP request { cert: true, issuer: true }
OCSP request { cert: true, issuer: true }
closing...

--- Testing PFX+SNICRT ---
OCSP request { cert: true, issuer: true }
SNI 127.0.0.1
OCSP request { cert: true, issuer: true }
closing...

--- Testing PFX+SNIPFX ---
OCSP request { cert: true, issuer: true }
SNI 127.0.0.1
OCSP request { cert: true, issuer: true }
closing...

Done

Perfect work, @indutny!

djphoenix · 2015-12-07T07:26:50Z

Will fix release for 5.x only, or 4.x too?

indutny · 2015-12-07T07:31:50Z

@djphoenix 4.x too

Load the certificate chain from the PFX file the same as we do it for a regular certificate chain. Fix: nodejs#4127 PR-URL: nodejs#4165 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>

Load the certificate chain from the PFX file the same as we do it for a regular certificate chain. Fix: #4127 PR-URL: #4165 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>

Load the certificate chain from the PFX file the same as we do it for a regular certificate chain. Fix: nodejs#4127 PR-URL: nodejs#4165 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>

mscdex added the tls Issues and PRs related to the tls subsystem. label Dec 3, 2015

indutny added a commit to indutny/io.js that referenced this issue Dec 5, 2015

crypto: load PFX chain the same way as regular one

d04c1f6

Load the certificate chain from the PFX file the same as we do it for a regular certificate chain. Fix: nodejs#4127

indutny mentioned this issue Dec 5, 2015

crypto: load PFX chain the same way as regular one #4165

Closed

indutny added a commit to indutny/io.js that referenced this issue Dec 6, 2015

test: add regression test for nodejs#4127

4e9d541

indutny closed this as completed in a2c1799 Dec 18, 2015

MylesBorins mentioned this issue Jan 13, 2016

tls_wrap: clear errors on return #4515

Closed

snyk-bot mentioned this issue Jul 13, 2021

[Snyk] Upgrade rollup from 2.32.1 to 2.52.2 XirdigH/node-22#23

Open

snyk-bot mentioned this issue Apr 30, 2023

[Snyk] Fix for 15 vulnerabilities aliscco/alisco-node#387

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

OCSP requests received with cert=issuer=null when server started with PFX #4127

OCSP requests received with cert=issuer=null when server started with PFX #4127

djphoenix commented Dec 3, 2015

mscdex commented Dec 3, 2015

indutny commented Dec 5, 2015

indutny commented Dec 5, 2015

djphoenix commented Dec 6, 2015

djphoenix commented Dec 7, 2015

indutny commented Dec 7, 2015

OCSP requests received with cert=issuer=null when server started with PFX #4127

OCSP requests received with cert=issuer=null when server started with PFX #4127

Comments

djphoenix commented Dec 3, 2015

mscdex commented Dec 3, 2015

indutny commented Dec 5, 2015

indutny commented Dec 5, 2015

djphoenix commented Dec 6, 2015

djphoenix commented Dec 7, 2015

indutny commented Dec 7, 2015