RHEL-17462

OCSP response rejected when nextUpdate field not set

    • Type: Story
    • Resolution: Done-Errata
    • Priority: Undefined
    • rhel-9.5
    • Component: mod_md
    • Fixed in build: mod_md-2.4.26-1.el9
    • Medium
    • rhel-sst-cs-stacks
    • ssg_core_services

      mod_md cannot make use of the OCSP status of a certificate when the response's nextUpdate field is not set: it rejects such responses outright. The relevant specification is RFC 6960:

      https://datatracker.ietf.org/doc/html/rfc6960#section-4.2.2.1
      "If nextUpdate is not set, the responder is indicating that newer revocation information is available all the time."

      For example, the CA/B Forum Baseline Requirements (which specify the requirements for publicly trusted CAs) require an OCSP response validity period of at least 8 hours and at most 10 days.

      Instead of rejecting these responses when nextUpdate is not set, mod_md should set valid.end to valid.start plus some fixed interval.
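      The following C snippet is an added illustration and is not mod_md's own code. It puts the rejecting behaviour described above (ocsp_validity_strict) next to the proposed fallback (ocsp_validity_fallback), which substitutes thisUpdate plus a fixed interval when nextUpdate is absent. The type and function names, the OCSP_FALLBACK_SECS value (chosen here as the 8-hour CA/B minimum) and the constructed timestamps are assumptions for the example only.

```c
/* Added example (not mod_md code): handling an OCSP SingleResponse whose
 * OPTIONAL nextUpdate field is absent. Names and constants are assumed. */
#include <stdio.h>
#include <time.h>

/* Assumed fixed caching interval when nextUpdate is missing: 8 hours, the
 * lower bound the CA/B Forum Baseline Requirements set for OCSP validity. */
#define OCSP_FALLBACK_SECS ((time_t)8 * 3600)

typedef struct {
    time_t this_update;     /* thisUpdate: always present in a SingleResponse */
    int    has_next_update; /* nextUpdate is OPTIONAL per RFC 6960 4.2.2.1 */
    time_t next_update;
} ocsp_single_resp;

typedef struct { time_t start, end; } ocsp_validity;

/* Behaviour reported in the issue: a response without nextUpdate is
 * discarded, so the certificate ends up with no usable OCSP status. */
int ocsp_validity_strict(const ocsp_single_resp *r, ocsp_validity *v)
{
    if (!r->has_next_update) return 0;            /* rejected outright */
    if (r->next_update <= r->this_update) return 0; /* malformed window */
    v->start = r->this_update;
    v->end   = r->next_update;
    return 1;
}

/* Proposed behaviour: a missing nextUpdate means "newer revocation
 * information is available all the time", so keep the response but cache
 * it only for a bounded interval (valid.end = valid.start + fixed interval). */
int ocsp_validity_fallback(const ocsp_single_resp *r, ocsp_validity *v)
{
    v->start = r->this_update;
    if (r->has_next_update) {
        if (r->next_update <= r->this_update) return 0; /* still malformed */
        v->end = r->next_update;
    } else {
        v->end = r->this_update + OCSP_FALLBACK_SECS;
    }
    return 1;
}

/* Serving-time check: the cached status may be stapled only inside the
 * window; outside it a fresh response must be fetched. */
int ocsp_validity_usable(const ocsp_validity *v, time_t now)
{
    return now >= v->start && now < v->end;
}

/* Runs the scenarios with constructed timestamps and returns how many
 * behaved as expected (5 when everything works). */
int ocsp_demo(void)
{
    const time_t t0 = 1700000000;                 /* constructed thisUpdate */
    ocsp_single_resp no_next   = { t0, 0, 0 };
    ocsp_single_resp with_next = { t0, 1, t0 + 86400 };
    ocsp_single_resp bad       = { t0, 1, t0 - 1 };
    ocsp_validity v;
    int ok = 0;

    ok += ocsp_validity_strict(&no_next, &v) == 0;          /* old: rejected */
    ok += ocsp_validity_fallback(&no_next, &v) == 1
          && v.end == t0 + OCSP_FALLBACK_SECS;              /* new: 8h window */
    ok += ocsp_validity_usable(&v, t0 + 3600) == 1;         /* fresh at +1h */
    ok += ocsp_validity_usable(&v, t0 + 9 * 3600) == 0;     /* stale at +9h */
    ok += ocsp_validity_fallback(&with_next, &v) == 1 && v.end == t0 + 86400
          && ocsp_validity_fallback(&bad, &v) == 0;         /* nextUpdate kept; bad rejected */
    return ok;
}

int main(void)
{
    printf("%d/5 scenarios behaved as expected\n", ocsp_demo());
    return 0;
}
```

      The fallback keeps nextUpdate authoritative whenever the responder supplies it and only synthesises an end time when it does not, so responses with a bounded window are handled exactly as before.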

              luhliari@redhat.com Lubos Uhliarik
              rh-ee-jfont Josep Andreu Font
              Lubos Uhliarik
              Iveta Cesalova
              Votes: 0
              Watchers: 7