x/crypto/ocsp: misleading diagnostic on cert mismatch #19540
Labels
FrozenDueToAge
help wanted
NeedsFix
The path to resolution is known, but the work has not been done.
bradfitz
changed the title
x/crypto/ocsp misleading diagnostic on cert mismatch
x/crypto/ocsp: misleading diagnostic on cert mismatch
Mar 21, 2017
/cc @agl
bradfitz
added
help wanted
NeedsFix
The path to resolution is known, but the work has not been done.
labels
Mar 21, 2017
That does seem unhelpful. /cc @kreichgauer
CL https://golang.org/cl/44005 mentions this issue.
c-expert-zigbee
pushed a commit
to c-expert-zigbee/crypto_go
that referenced
this issue
Mar 28, 2022
ParseResponseForCert would previously complain about an invalid hash OID if the response contained no SingleResponse matching the certificate provided by the caller.

Fixes golang/go#19540

Change-Id: I0354c4048707a788ed3d184cc88b4f13f65544ba
Reviewed-on: https://go-review.googlesource.com/44005
Reviewed-by: Adam Langley <agl@golang.org>
Please answer these questions before submitting your issue. Thanks!

What version of Go are you using (go version)?
go version go1.8 freebsd/amd64

What operating system and processor architecture are you using (go env)?

What did you do?
I used my tool go.pennock.tech/smtpdane to check the status of the certificate on my SMTP server, with OCSP checks enabled; the OCSP logic uses golang.org/x/crypto/ocsp. In cron, smtpdane -q -expect-ocsp -mx spodhuis.org is invoked; for a period of time it reported:

The second line there is straight from the OCSP library and is the error returned when OCSP validation failed.
It turns out, my automated Let's Encrypt renewal needed to also invoke the OCSP renewal instead of leaving it to cron. Obvious in retrospect.
What "unsupported issuer hash algorithm" actually meant in this context was "OCSP staple not for this certificate".

What did you expect to see?
A diagnostic message pointing reasonably to how I had messed up and the nature of the cryptographic failure.

What did you see instead?
A bogus message about "unsupported issuer hash algorithm". The hash algorithm was fine.
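
The distinction this report asks for, shown as an added standard-library Go example (not the x/crypto/ocsp implementation): the hash OID is judged only on an entry whose serial number matches, so a stale staple is reported as a certificate mismatch. The singleResponse type, selectResponse, the error variables, the OID variables and the serial numbers are assumptions constructed for illustration.

```go
package main

import (
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
)

// singleResponse: constructed stand-in for one OCSP entry, not the x/crypto/ocsp type.
type singleResponse struct {
	HashOID asn1.ObjectIdentifier // CertID hash algorithm
	Serial  *big.Int              // CertID serial number
	Status  string
}

var supportedHashes = map[string]string{
	"1.3.14.3.2.26":          "SHA-1",
	"2.16.840.1.101.3.4.2.1": "SHA-256",
}

var (
	ErrNotForCert = errors.New("OCSP staple not for this certificate")
	ErrHashAlg    = errors.New("unsupported issuer hash algorithm")
	sha1OID       = asn1.ObjectIdentifier{1, 3, 14, 3, 2, 26}
	badOID        = asn1.ObjectIdentifier{1, 2, 3, 4} // constructed, unsupported
	oldSerial     = big.NewInt(0x1001)                // constructed: before renewal
	newSerial     = big.NewInt(0x2002)                // constructed: renewed cert
)

// selectResponse finds the entry covering serial. The hash OID is judged only
// on an entry that matched, so a stale staple is reported as a mismatch.
func selectResponse(resps []singleResponse, serial *big.Int) (*singleResponse, error) {
	for i := range resps {
		if resps[i].Serial.Cmp(serial) != 0 {
			continue
		}
		if _, ok := supportedHashes[resps[i].HashOID.String()]; !ok {
			return nil, fmt.Errorf("%w: OID %s", ErrHashAlg, resps[i].HashOID.String())
		}
		return &resps[i], nil
	}
	return nil, fmt.Errorf("%w (wanted serial %s)", ErrNotForCert, serial.Text(16))
}

func main() {
	_, err := selectResponse([]singleResponse{{sha1OID, oldSerial, "good"}}, newSerial)
	fmt.Println(err) // constructed stale staple vs. renewed certificate
}
```

Callers can branch on the two conditions with errors.Is, which lets a monitoring job flag a stale staple after certificate renewal separately from a genuinely unsupported responder hash.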