nodejs/node

The 'OCSPRequest' callback does not send the OCSP response with TLS 1.3

Open

#28.288 aberto em 19 de jun. de 2019

Ver no GitHub
 (11 comments) (0 reactions) (0 assignees)JavaScript (35.535 forks)batch import
help wantedstaletls

Métricas do repositório

Stars
 (117.218 stars)
Métricas de merge de PR
 (Mesclagem média 18d 17h) (219 fundiu PRs em 30d)

Description

  • Version: v12.4.0
  • Platform: Ubuntu 18.04 x86_64 (kernel 4.15.18)
  • Subsystem: TLS

We are using node 12 to run a HTTPS server for a simple website. I noticed a problem with the OCSPRequest event of the TLS server. For connections with TLS 1.2 or below, the callback (3rd argument) sends send response as expected (OCSPRequest docs). I checked with OpenSSL:

echo QUIT | openssl s_client -connect naos.fleetback.com:443 -servername naos.fleetback.com -status -tls1_2

CONNECTED(00000005)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = naos.fleetback.com
verify return:1
OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    Produced At: Jun 19 09:31:00 2019 GMT
[...]

But with TLS 1.3 connections, no status is sent back:

echo QUIT | openssl s_client -connect naos.fleetback.com:443 -servername naos.fleetback.com -status -tls1_3

CONNECTED(00000005)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = naos.fleetback.com
verify return:1
OCSP response: no response sent
---

We use the "ocsp" package from NPM to handle OCSP caching. I debugged around this code and it always sends the expected <Buffer 30 82 02 0b 0a ...> in the callback.

const ocsp = require('ocsp');
const ocspCache = new ocsp.Cache();

function withOcspRequestCache(tlsServer) {
  tlsServer.on('OCSPRequest', function(cert, issuer, cb) {
    ocsp.getOCSPURI(cert, function(err, url) {
      if (err) return cb(err);
      if (url === null) return cb(null, null);
      const req = ocsp.request.generate(cert, issuer);
      ocspCache.probe(req.id, function(err, cached) {
        if (err) return cb(err);
        if (cached !== false) return cb(null, cached.response);
        ocspCache.request(req.id, { url, ocsp: req.data }, cb);
      });
    });
  });
}

Our server is a HTTP/2 server in compatibility mode. You can check the code below.

const fs = require('fs');
const http2 = require('http2');

const cert = fs.readFileSync(...);
const key = fs.readFileSync(...);
const dhparam = fs.readFileSync('./dhparam.pem');
const options = { cert, key, dhparam, ciphers, honorCipherOrder: false, allowHTTP1: true };
const server = http2.createSecureServer(options);
withOcspRequestCache(server);
server.listen(443, () => console.log('HTTPS server running on port 443'));

It looks like a bug in Node 12. Did you get the OCSPRequest event to work with TLS 1.3?

Thanks for your help.

Guia do colaborador