nodejs/node

The 'OCSPRequest' callback does not send the OCSP response with TLS 1.3

Open

#28.288 aperta il 19 giu 2019

Vedi su GitHub
 (11 commenti) (0 reazioni) (0 assegnatari)JavaScript (35.535 fork)batch import
help wantedstaletls

Metriche repository

Star
 (117.218 star)
Metriche merge PR
 (Merge medio 18g 17h) (219 PR mergiate in 30 g)

Descrizione

  • Version: v12.4.0
  • Platform: Ubuntu 18.04 x86_64 (kernel 4.15.18)
  • Subsystem: TLS

We are using node 12 to run a HTTPS server for a simple website. I noticed a problem with the OCSPRequest event of the TLS server. For connections with TLS 1.2 or below, the callback (3rd argument) sends send response as expected (OCSPRequest docs). I checked with OpenSSL:

echo QUIT | openssl s_client -connect naos.fleetback.com:443 -servername naos.fleetback.com -status -tls1_2

CONNECTED(00000005)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = naos.fleetback.com
verify return:1
OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    Produced At: Jun 19 09:31:00 2019 GMT
[...]

But with TLS 1.3 connections, no status is sent back:

echo QUIT | openssl s_client -connect naos.fleetback.com:443 -servername naos.fleetback.com -status -tls1_3

CONNECTED(00000005)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = naos.fleetback.com
verify return:1
OCSP response: no response sent
---

We use the "ocsp" package from NPM to handle OCSP caching. I debugged around this code and it always sends the expected <Buffer 30 82 02 0b 0a ...> in the callback.

const ocsp = require('ocsp');
const ocspCache = new ocsp.Cache();

function withOcspRequestCache(tlsServer) {
  tlsServer.on('OCSPRequest', function(cert, issuer, cb) {
    ocsp.getOCSPURI(cert, function(err, url) {
      if (err) return cb(err);
      if (url === null) return cb(null, null);
      const req = ocsp.request.generate(cert, issuer);
      ocspCache.probe(req.id, function(err, cached) {
        if (err) return cb(err);
        if (cached !== false) return cb(null, cached.response);
        ocspCache.request(req.id, { url, ocsp: req.data }, cb);
      });
    });
  });
}

Our server is a HTTP/2 server in compatibility mode. You can check the code below.

const fs = require('fs');
const http2 = require('http2');

const cert = fs.readFileSync(...);
const key = fs.readFileSync(...);
const dhparam = fs.readFileSync('./dhparam.pem');
const options = { cert, key, dhparam, ciphers, honorCipherOrder: false, allowHTTP1: true };
const server = http2.createSecureServer(options);
withOcspRequestCache(server);
server.listen(443, () => console.log('HTTPS server running on port 443'));

It looks like a bug in Node 12. Did you get the OCSPRequest event to work with TLS 1.3?

Thanks for your help.

Guida contributor