Do not OCSP staple invalid OCSP responses#90200

Merged
vcsjones merged 2 commits into
dotnet:mainfrom
vcsjones:ocsp-no-staple-junk
Aug 14, 2023

Conversation

@vcsjones

@vcsjones vcsjones commented Aug 8, 2023

Member

Linux will currently staple an invalid OCSP response for as long as the OCSP responder will return an invalid response, such as a maintenance page.

This changes the OCSP fetcher to discard the result if it could not be decoded.

Fixes #89907
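
The check this PR describes, as an added example that is not the dotnet/runtime fetcher's own code: fetched responder bytes are decoded as an RFC 6960 `OCSPResponse` with the public `System.Formats.Asn1` reader, and anything that does not decode (an HTML maintenance page, a truncated body) or that decodes with a non-`successful` status is rejected before it reaches any cache or the TLS staple. The `OcspStapleGate` type, its method names and the constructed sample inputs are assumptions for illustration.

```csharp
using System;
using System.Formats.Asn1;

// Hypothetical gate (not the runtime's code): decides whether fetched OCSP
// responder bytes may be cached and stapled.
public static class OcspStapleGate
{
    // OCSPResponseStatus from RFC 6960, section 4.2.1.
    public enum OcspResponseStatus
    {
        Successful = 0,
        MalformedRequest = 1,
        InternalError = 2,
        TryLater = 3,
        SigRequired = 5,
        Unauthorized = 6,
    }

    // id-pkix-ocsp-basic: the responseType a TLS peer expects inside a staple.
    public const string IdPkixOcspBasic = "1.3.6.1.5.5.7.48.1.1";

    // Returns true only when the bytes are a DER OCSPResponse whose status is
    // successful and whose body is a basic response. Anything else must not be
    // cached, so the next handshake fetches again instead of stapling junk.
    public static bool IsStapleCandidate(ReadOnlyMemory<byte> responderBytes)
    {
        try
        {
            var outer = new AsnReader(responderBytes, AsnEncodingRules.DER);
            AsnReader ocspResponse = outer.ReadSequence();
            outer.ThrowIfNotEmpty(); // no trailing bytes after the response

            var status = ocspResponse.ReadEnumeratedValue<OcspResponseStatus>();
            if (status != OcspResponseStatus.Successful)
            {
                return false; // well-formed, but carries no certificate status
            }

            // responseBytes [0] EXPLICIT ResponseBytes ::= SEQUENCE { OID, OCTET STRING }
            AsnReader explicitWrapper = ocspResponse.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 0));
            AsnReader responseBytes = explicitWrapper.ReadSequence();
            explicitWrapper.ThrowIfNotEmpty();
            ocspResponse.ThrowIfNotEmpty();

            string responseType = responseBytes.ReadObjectIdentifier();
            byte[] basicResponse = responseBytes.ReadOctetString();
            responseBytes.ThrowIfNotEmpty();

            if (responseType != IdPkixOcspBasic)
            {
                return false; // unknown response type: peers could not use it
            }

            // The BasicOCSPResponse itself must at least be a well-formed DER SEQUENCE.
            var basic = new AsnReader(basicResponse, AsnEncodingRules.DER);
            basic.ReadSequence();
            basic.ThrowIfNotEmpty();
            return true;
        }
        catch (AsnContentException)
        {
            return false; // could not be decoded: discard, never cache or staple
        }
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample: what an HTTP maintenance page looks like to the fetcher.
        byte[] maintenancePage = System.Text.Encoding.ASCII.GetBytes(
            "<html><body>Down for maintenance</body></html>");

        // Constructed sample: a well-formed OCSPResponse with status tryLater.
        byte[] tryLater = { 0x30, 0x03, 0x0A, 0x01, 0x03 };

        // Constructed sample: a structurally valid successful response. The
        // BasicOCSPResponse body is a placeholder empty SEQUENCE (0x30 0x00),
        // enough for this structural gate but not a real signed response.
        var writer = new AsnWriter(AsnEncodingRules.DER);
        using (writer.PushSequence())
        {
            writer.WriteEnumeratedValue(OcspStapleGate.OcspResponseStatus.Successful);
            using (writer.PushSequence(new Asn1Tag(TagClass.ContextSpecific, 0)))
            using (writer.PushSequence())
            {
                writer.WriteObjectIdentifier(OcspStapleGate.IdPkixOcspBasic);
                writer.WriteOctetString(new byte[] { 0x30, 0x00 });
            }
        }
        byte[] successful = writer.Encode();

        Console.WriteLine($"maintenance page stapled? {OcspStapleGate.IsStapleCandidate(maintenancePage)}"); // False
        Console.WriteLine($"tryLater stapled?         {OcspStapleGate.IsStapleCandidate(tryLater)}");        // False
        Console.WriteLine($"successful stapled?       {OcspStapleGate.IsStapleCandidate(successful)}");      // True
    }
}
```

The gate is deliberately structural: it proves the bytes are an OCSP response a peer could parse, which is the property the fetcher lost when it cached whatever the responder returned. Signature and validity-window checks still belong to the chain engine that consumes the staple; the point here is that an undecodable or non-successful body never enters the cache, so the responder coming back healthy is picked up on the next fetch rather than after the cached junk expires.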

@ghost

ghost commented Aug 8, 2023


Tagging subscribers to this area: @dotnet/ncl, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

Issue Details

Linux will currently staple an invalid OCSP response for as long as the OCSP responder will return an invalid response, such as a maintenance page.

This changes the OCSP fetcher to discard the result if it could not be decoded.

Fixes #89907

Author: vcsjones
Assignees: -
Labels:

area-System.Net.Security

Milestone: -

@vcsjones

vcsjones commented Aug 9, 2023

Member Author

/azp run runtime-libraries-coreclr outerloop-linux

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

@vcsjones

vcsjones commented Aug 9, 2023

Member Author

Outerloop failures look unrelated to me. Create_OcspDoesNotReturnOrCacheInvalidStapleData passed.

@jeffhandley jeffhandley requested a review from wfurt August 10, 2023 17:34

@wfurt wfurt left a comment

Member

LGTM

@vcsjones vcsjones merged commit 3f65957 into dotnet:main Aug 14, 2023
@vcsjones vcsjones deleted the ocsp-no-staple-junk branch August 14, 2023 22:00
@vcsjones

Member Author

/backport to release/7.0-staging

@github-actions

Contributor

Started backporting to release/7.0-staging: https://github.com/dotnet/runtime/actions/runs/5861087862

@karelz karelz added this to the 8.0.0 milestone Aug 15, 2023
@ghost ghost locked as resolved and limited conversation to collaborators Sep 14, 2023
Development

Successfully merging this pull request may close these issues.

[OCSP Stapling] Cached bad response of Server-Side OCSP stabling in .NET7 Linux