nodejs/node

The 'OCSPRequest' callback does not send the OCSP response with TLS 1.3

Open

#28,288 opened on Jun 19, 2019

View on GitHub
 (11 comments) (0 reactions) (0 assignees)JavaScript (35,535 forks)batch import
help wantedstaletls

Repository metrics

Stars
 (117,218 stars)
PR merge metrics
 (Avg merge 18d 17h) (219 merged PRs in 30d)

Description

  • Version: v12.4.0
  • Platform: Ubuntu 18.04 x86_64 (kernel 4.15.18)
  • Subsystem: TLS

We are using node 12 to run a HTTPS server for a simple website. I noticed a problem with the OCSPRequest event of the TLS server. For connections with TLS 1.2 or below, the callback (3rd argument) sends send response as expected (OCSPRequest docs). I checked with OpenSSL:

echo QUIT | openssl s_client -connect naos.fleetback.com:443 -servername naos.fleetback.com -status -tls1_2

CONNECTED(00000005)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = naos.fleetback.com
verify return:1
OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    Produced At: Jun 19 09:31:00 2019 GMT
[...]

But with TLS 1.3 connections, no status is sent back:

echo QUIT | openssl s_client -connect naos.fleetback.com:443 -servername naos.fleetback.com -status -tls1_3

CONNECTED(00000005)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = naos.fleetback.com
verify return:1
OCSP response: no response sent
---

We use the "ocsp" package from NPM to handle OCSP caching. I debugged around this code and it always sends the expected <Buffer 30 82 02 0b 0a ...> in the callback.

const ocsp = require('ocsp');
const ocspCache = new ocsp.Cache();

function withOcspRequestCache(tlsServer) {
  tlsServer.on('OCSPRequest', function(cert, issuer, cb) {
    ocsp.getOCSPURI(cert, function(err, url) {
      if (err) return cb(err);
      if (url === null) return cb(null, null);
      const req = ocsp.request.generate(cert, issuer);
      ocspCache.probe(req.id, function(err, cached) {
        if (err) return cb(err);
        if (cached !== false) return cb(null, cached.response);
        ocspCache.request(req.id, { url, ocsp: req.data }, cb);
      });
    });
  });
}

Our server is a HTTP/2 server in compatibility mode. You can check the code below.

const fs = require('fs');
const http2 = require('http2');

const cert = fs.readFileSync(...);
const key = fs.readFileSync(...);
const dhparam = fs.readFileSync('./dhparam.pem');
const options = { cert, key, dhparam, ciphers, honorCipherOrder: false, allowHTTP1: true };
const server = http2.createSecureServer(options);
withOcspRequestCache(server);
server.listen(443, () => console.log('HTTPS server running on port 443'));

It looks like a bug in Node 12. Did you get the OCSPRequest event to work with TLS 1.3?

Thanks for your help.

Contributor guide