x/crypto/ocsp: misleading diagnostic on cert mismatch #19540

philpennock · 2017-03-14T05:03:43Z

Please answer these questions before submitting your issue. Thanks!

What version of Go are you using (`go version`)?

go version go1.8 freebsd/amd64

What operating system and processor architecture are you using (`go env`)?

GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="freebsd"
GOOS="freebsd"
GOPATH="/home/pdp/go"
GORACE=""
GOROOT="/usr/local/go"
GOTOOLDIR="/usr/local/go/pkg/tool/freebsd_amd64"
GCCGO="gccgo"
CC="clang"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -gno-record-gcc-switches"
CXX="clang++"
CGO_ENABLED="1"
PKG_CONFIG="pkg-config"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"

What did you do?

I used my tool go.pennock.tech/smtpdane to check the status of the certificate on my SMTP server, with OCSP checks enabled; the OCSP logic uses golang.org/x/crypto/ocsp. In cron, smtpdane -q -expect-ocsp -mx spodhuis.org is invoked; for a period of time it reported:

OCSP: response invalid for mx.spodhuis.org from Let's Encrypt Authority X3:
        unsupported issuer hash algorithm

The second line there is straight from the OCSP library and is the error returned when OCSP validation failed.

It turns out, my automated Let's Encrypt renewal needed to also invoke the OCSP renewal instead of leaving it to cron. Obvious in retrospect.

What unsupported issuer hash algorithm actually meant in this context was OCSP staple not for this certificate.

What did you expect to see?

A diagnostic message pointing reasonably to how I had messed up and the nature of the cryptographic failure.

What did you see instead?

A bogus message about unsupported issuer hash algorithm. The hash algorithm was fine.

The text was updated successfully, but these errors were encountered:

bradfitz · 2017-03-21T00:02:32Z

/cc @agl

agl · 2017-03-24T21:59:40Z

That does seem unhelpful. /cc @kreichgauer

gopherbot · 2017-05-24T00:03:13Z

CL https://golang.org/cl/44005 mentions this issue.

ParseResponseForCert would previously complain about an invalid hash OID if the response contained no SingleResponse matching the certificate provided by the caller. Fixes golang/go#19540 Change-Id: I0354c4048707a788ed3d184cc88b4f13f65544ba Reviewed-on: https://go-review.googlesource.com/44005 Reviewed-by: Adam Langley <agl@golang.org>

bradfitz changed the title ~~x/crypto/ocsp misleading diagnostic on cert mismatch~~ x/crypto/ocsp: misleading diagnostic on cert mismatch Mar 21, 2017

bradfitz added this to the Unreleased milestone Mar 21, 2017

bradfitz added help wanted NeedsFix The path to resolution is known, but the work has not been done. labels Mar 21, 2017

agl self-assigned this Mar 24, 2017

gopherbot closed this as completed in golang/crypto@e1a4589 Jun 1, 2017

golang locked and limited conversation to collaborators Jun 1, 2018

gopherbot added the FrozenDueToAge label Jun 1, 2018

rsc unassigned agl Jun 23, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/crypto/ocsp: misleading diagnostic on cert mismatch #19540

x/crypto/ocsp: misleading diagnostic on cert mismatch #19540

philpennock commented Mar 14, 2017

bradfitz commented Mar 21, 2017

agl commented Mar 24, 2017

gopherbot commented May 24, 2017

x/crypto/ocsp: misleading diagnostic on cert mismatch #19540

x/crypto/ocsp: misleading diagnostic on cert mismatch #19540

Comments

philpennock commented Mar 14, 2017

What version of Go are you using (go version)?

What operating system and processor architecture are you using (go env)?

What did you do?

What did you expect to see?

What did you see instead?

bradfitz commented Mar 21, 2017

agl commented Mar 24, 2017

gopherbot commented May 24, 2017

What version of Go are you using (`go version`)?

What operating system and processor architecture are you using (`go env`)?