[mod_gnutls-devel] test-36_OCSP_server_nonce failing in 0.11.0 (Was: New release: mod_gnutls 0.11.0)

pgajdos pgajdos at suse.cz
Mon Jun 29 09:56:56 CEST 2020


Hi,

On Sat, Jun 27, 2020 at 09:35:20PM +0200, Fiona Klute wrote:
> I have just uploaded a new source archive and matching signature to
> https://mod.gnutls.org/downloads/ as well as the signed
> mod_gnutls/0.11.0 tag to the git repositories [1, 2].

thanks for the new release.

> - Change default for GnuTLSOCSPCheckNonce to "off", and send OCSP nonces
> only if it has been enabled. The reason for this change is that in
> practice most public CAs do not support OCSP nonces, which is permitted
> by both RFC 6960 and the CA/Browser Forum baseline requirements (as of
> version 1.6.9). In this situation enforcing correct nonces by default
> makes the automatic OCSP stapling support mostly useless.

The test-36_OCSP_server_nonce test is failing for me; the log is
attached.

Petr

-- 
Have a lot of fun!
-------------- next part --------------
Connecting to OCSP server: localhost...
Could not connect to 127.0.0.1:9936: Connection refused
Resolving 'localhost:9936'...
Connecting to '127.0.0.1:9936'...
Connecting to OCSP server: localhost...

Assuming response's signer = issuer (use --load-signer to override).
Resolving 'localhost:9936'...
Connecting to '127.0.0.1:9936'...
OCSP Response Information:
	Response Status: Successful
	Response Type: Basic OCSP Response
	Version: 1
	Responder ID: CN=Testing Authority OCSP Responder
	Produced At: Mon Jun 29 06:43:00 UTC 2020
	Responses:
		Certificate ID:
			Hash Algorithm: SHA1
			Issuer Name Hash: bac68790352ceb4c4de1534445348f8b4b5309b3
			Issuer Key Hash: 1bc5b230c6819ca393601fc32d10b8b2752e7bfa
			Serial Number: 22fff0d9
		Certificate Status: good
		This Update: Mon Jun 29 06:43:00 UTC 2020
		Next Update: Mon Jun 29 06:48:00 UTC 2020
	Extensions:
		Nonce: bda76c72d988a3372faa2e298a0eb6cb527723f7cba203
	Signature Algorithm: RSA-SHA256

-----BEGIN OCSP RESPONSE-----
MIIG9AoBAKCCBu0wggbpBgkrBgEFBQcwAQEEggbaMIIG1jCB1aEtMCsxKTAnBgNV
BAMTIFRlc3RpbmcgQXV0aG9yaXR5IE9DU1AgUmVzcG9uZGVyGA8yMDIwMDYyOTA2
NDMwMFowZzBlMD0wCQYFKw4DAhoFAAQUusaHkDUs60xN4VNERTSPi0tTCbMEFBvF
sjDGgZyjk2Afwy0QuLJ1Lnv6AgQi//DZgAAYDzIwMjAwNjI5MDY0MzAwWqARGA8y
MDIwMDYyOTA2NDgwMFqhKjAoMCYGCSsGAQUFBzABAgQZBBe9p2xy2YijNy+qLimK
DrbLUncj98uiAzANBgkqhkiG9w0BAQsFAAOCAYEArai9D3z78cp1S69nYMsFRpa2
OGbZJBBcMJGlOSfZo/eaLh5viUIu+rTTFqAbiMj4XHYB6ih1hlOtYgSEl6zAYx5c
YE6EC+Qw8+Gk56ciOaqJR0woW61o0Htgjdz1A3yng34dt2qRSu8y/HEvn4gL5YVt
7Ybci4+vEv6fjdshWkJtKPrWRfv7auPl8dXLehiQ1xurZ+6f6S7jPe/hcQArC7jf
yl0rLOVpwwxntay39Xr3sq25dVw3w5fgayqNJ/6RKFGWrVaMDfJtLph+x1jdq9Xy
5uOpPEJd7yRD/IVu4AEjbnRgCOxRegcZIBKw/BcCeHmrzpzjDee64nktlZa5Nfpo
t6sQ+YJe7BJNEozwhVYnUtAZ7BgkMulc8FMIXuF9Nd3FCn48cdH9a4nZGoNiwJIm
VKHZD0IWnk5As81PcpS2PjFgiuIDr6tPh6S4qG6IKkpbhIgzbjXwb1Nh1lohZ2G7
v1zaUstsUi+H+BYIH/i08f/et5c/+hPQYJ7k7EIQoIIEZjCCBGIwggReMIICxqAD
AgECAhQQvxFAe86Pw+8xF/wabLqRnBuAlzANBgkqhkiG9w0BAQsFADAcMRowGAYD
VQQDExFUZXN0aW5nIEF1dGhvcml0eTAeFw0yMDA2MjkwNjQxNTJaFw0yMTA2Mjkw
NjQxNTJaMCsxKTAnBgNVBAMTIFRlc3RpbmcgQXV0aG9yaXR5IE9DU1AgUmVzcG9u
ZGVyMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAuESW06LtNNkn28n8
FnprWuZuEXMqmdc7VtXHxaB74JQtFwsnNzB6/dr90Qg3/i+6uAd0USfvCMDJkMgI
443AQj5daeH/fiwTjqhXsQ1K5zy2Uzz3zSkrztIwQrYF6raf2vOyM1oYpZ8H4v01
M0ydJRUNpskBGL19fn+EYtdnR8HraXUh6EvAo8WdRN7MwqOx2bUIo0vvDqMyjSFd
mdoaB0BObxiHgp9LWuDpjBI0ejH+hri7Oqi424KkVYsLPqohuKSzpffaPTcxtKM1
3pYrXGoxGMSe7hB8mURiN7AAOScN8bheAmVQQZnK8I7DztQGyZ2uM2hCMJcN+POR
8oD7KrSuLfolaKiox0TLDPPK8u50m24ARIPNkMyn6axd6hjMrHc/xUcct+y/hLcD
e8lfnCvH7xJjgxprJj0G1gCnTExhn0mNABwE4mwEdoVyFT7OtONRwCpmcBW82E2D
TRWrGwkXt0DgNJu+R1UCkK1HwurioQ/a3zZsgOmEjIYjoFZLAgMBAAGjgYgwgYUw
DwYJKwYBBQUHMAEFBAIFADAMBgNVHRMBAf8EAjAAMBMGA1UdJQQMMAoGCCsGAQUF
BwMJMA8GA1UdDwEB/wQFAwMHgAAwHQYDVR0OBBYEFAzSQGxBP0G4yyXA7DdkYgRm
u9GBMB8GA1UdIwQYMBaAFDGdH2r2Np+qY6exoxLiARNvOGsjMA0GCSqGSIb3DQEB
CwUAA4IBgQCrHYB3hE7BXqtgh0+TdWBzc3uBedYc0aZSt25XJOYtfXC+WOU97nFo
IPvJ323UlDRj17bGoGKvocH40HwW6qTOrXwhOxb/3hmeut0bZwQyM8w8/0evKOPP
wE7THaKfVrotMShcZzFp8504yKol5UcsNCDLZDgdzRVSMlhzaPubvi75rn2lUtA7
HDJdO8x2xc7NKdyiNhU9sIwEecPHQi7PUXG90NN6w26wOQ4bTSSiAmlIuCs8kLz3
ZEpsCStuogAe0EDGyCAcj7X6DdfLP6jLyH7BCPFGYOheRdhlB9biRHgIFaZshxWZ
85LhvqV+Uu8HqL77iN+y+mYL91vc1JAowZl0RWRhmQwPF9efbXFlYNhZhyrRub8q
y7en/IjqPlzH7y6rH9IRpppo0qY7lmzyzjboP00ZUCeZdhugK6bQiYmWW0K3IlST
rCCscGch/csY8ZGcByWIG/kcaFtqL/bADFdLendVIQrvpAS7O5jp3pMgi09wIEzM
JEu/vTpbQtY=
-----END OCSP RESPONSE-----

Verifying OCSP Response: Success.

[Mon Jun 29 06:43:00.169518 2020] [gnutls:debug] [pid 7861:tid 139887182583808] gnutls_cache.c(367): mgs_cache_inst_config: Socache 'shmcb:cache/gnutls_cache_36_OCSP_server_nonce(65536)' created.
Found test 36_OCSP_server_nonce, test dir is /home/abuild/rpmbuild/BUILD/mod_gnutls-0.11.0/test/tests/36_OCSP_server_nonce
Starting: ['/usr/sbin/httpd', '-f', '/home/abuild/rpmbuild/BUILD/mod_gnutls-0.11.0/test/tests/36_OCSP_server_nonce/ocsp.conf', '-k', 'start', '-DFOREGROUND']
Starting: ['/usr/sbin/httpd', '-f', '/home/abuild/rpmbuild/BUILD/mod_gnutls-0.11.0/test/tests/36_OCSP_server_nonce/apache.conf', '-k', 'start', '-DFOREGROUND']
Running test connection 0: Check if the HTTPS server provides an OCSP status
Aquiring lock on test.lock...
Got lock on test.lock.
*** Fatal error: A TLS fatal alert has been received.
Processed 1 CA certificate(s).
Resolving 'localhost:9932'...
Connecting to '127.0.0.1:9932'...
*** Received alert [40]: Handshake failed
[Mon Jun 29 06:43:00.703870 2020] [gnutls:debug] [pid 7925:tid 139782033618944] gnutls_cache.c(367): mgs_cache_inst_config: Socache 'shmcb:cache/gnutls_cache_36_OCSP_server_nonce(65536)' created.
Unlocking test.lock...
Unlocked test.lock.
Stopping: ['/usr/sbin/httpd', '-f', '/home/abuild/rpmbuild/BUILD/mod_gnutls-0.11.0/test/tests/36_OCSP_server_nonce/apache.conf', '-k', 'stop']
Stopping: ['/usr/sbin/httpd', '-f', '/home/abuild/rpmbuild/BUILD/mod_gnutls-0.11.0/test/tests/36_OCSP_server_nonce/ocsp.conf', '-k', 'stop']
Traceback (most recent call last):
  File "./runtest.py", line 256, in <module>
    main(args)
  File "./runtest.py", line 204, in main
    run_test_conf(test_conf,
  File "/home/abuild/rpmbuild/BUILD/mod_gnutls-0.11.0/test/mgstest/tests.py", line 569, in run_test_conf
    test_conn.run(timeout=timeout, conn_log=conn_log,
  File "/home/abuild/rpmbuild/BUILD/mod_gnutls-0.11.0/test/mgstest/tests.py", line 182, in run
    act.run(conn, response_log)
  File "/home/abuild/rpmbuild/BUILD/mod_gnutls-0.11.0/test/mgstest/tests.py", line 242, in run
    raise err
  File "/home/abuild/rpmbuild/BUILD/mod_gnutls-0.11.0/test/mgstest/tests.py", line 233, in run
    resp = conn.getresponse()
  File "/usr/lib64/python3.8/http/client.py", line 1332, in getresponse
    response.begin()
  File "/usr/lib64/python3.8/http/client.py", line 303, in begin
    version, status, reason = self._read_status()
  File "/usr/lib64/python3.8/http/client.py", line 264, in _read_status
    line = str(self.fp.readline(_MAXLINE + 1), "iso-8859-1")
  File "/usr/lib64/python3.8/socket.py", line 669, in readinto
    return self._sock.recv_into(b)
ConnectionResetError: [Errno 104] Connection reset by peer
FAIL test-36_OCSP_server_nonce.bash (exit status: 1)
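As an added illustration (not part of Petr's report, Fiona's release note, or mod_gnutls's own code), the following Python walks the DER of the OCSP response from the attached log with a minimal stdlib-only decoder, pulls out the id-pkix-ocsp-nonce extension, and applies a nonce policy with the two behaviours the release note describes: nonce checking off (the 0.11.0 default, no nonce sent and none required) versus on (the response must echo exactly the nonce the requester sent). The policy function `check_ocsp_nonce`, its `check_nonce` flag and the DER helpers are this example's own simplification, not the module's implementation; the decoder handles only the definite-length, single-byte-tag encodings that an OCSPResponse uses.

```python
import base64
import hmac

# Constructed input: the base64 body of the OCSP response from the attached
# log, copied verbatim (ocsptool printed its nonce as bda76c72...cba203).
OCSP_RESPONSE_PEM = """
MIIG9AoBAKCCBu0wggbpBgkrBgEFBQcwAQEEggbaMIIG1jCB1aEtMCsxKTAnBgNV
BAMTIFRlc3RpbmcgQXV0aG9yaXR5IE9DU1AgUmVzcG9uZGVyGA8yMDIwMDYyOTA2
NDMwMFowZzBlMD0wCQYFKw4DAhoFAAQUusaHkDUs60xN4VNERTSPi0tTCbMEFBvF
sjDGgZyjk2Afwy0QuLJ1Lnv6AgQi//DZgAAYDzIwMjAwNjI5MDY0MzAwWqARGA8y
MDIwMDYyOTA2NDgwMFqhKjAoMCYGCSsGAQUFBzABAgQZBBe9p2xy2YijNy+qLimK
DrbLUncj98uiAzANBgkqhkiG9w0BAQsFAAOCAYEArai9D3z78cp1S69nYMsFRpa2
OGbZJBBcMJGlOSfZo/eaLh5viUIu+rTTFqAbiMj4XHYB6ih1hlOtYgSEl6zAYx5c
YE6EC+Qw8+Gk56ciOaqJR0woW61o0Htgjdz1A3yng34dt2qRSu8y/HEvn4gL5YVt
7Ybci4+vEv6fjdshWkJtKPrWRfv7auPl8dXLehiQ1xurZ+6f6S7jPe/hcQArC7jf
yl0rLOVpwwxntay39Xr3sq25dVw3w5fgayqNJ/6RKFGWrVaMDfJtLph+x1jdq9Xy
5uOpPEJd7yRD/IVu4AEjbnRgCOxRegcZIBKw/BcCeHmrzpzjDee64nktlZa5Nfpo
t6sQ+YJe7BJNEozwhVYnUtAZ7BgkMulc8FMIXuF9Nd3FCn48cdH9a4nZGoNiwJIm
VKHZD0IWnk5As81PcpS2PjFgiuIDr6tPh6S4qG6IKkpbhIgzbjXwb1Nh1lohZ2G7
v1zaUstsUi+H+BYIH/i08f/et5c/+hPQYJ7k7EIQoIIEZjCCBGIwggReMIICxqAD
AgECAhQQvxFAe86Pw+8xF/wabLqRnBuAlzANBgkqhkiG9w0BAQsFADAcMRowGAYD
VQQDExFUZXN0aW5nIEF1dGhvcml0eTAeFw0yMDA2MjkwNjQxNTJaFw0yMTA2Mjkw
NjQxNTJaMCsxKTAnBgNVBAMTIFRlc3RpbmcgQXV0aG9yaXR5IE9DU1AgUmVzcG9u
ZGVyMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAuESW06LtNNkn28n8
FnprWuZuEXMqmdc7VtXHxaB74JQtFwsnNzB6/dr90Qg3/i+6uAd0USfvCMDJkMgI
443AQj5daeH/fiwTjqhXsQ1K5zy2Uzz3zSkrztIwQrYF6raf2vOyM1oYpZ8H4v01
M0ydJRUNpskBGL19fn+EYtdnR8HraXUh6EvAo8WdRN7MwqOx2bUIo0vvDqMyjSFd
mdoaB0BObxiHgp9LWuDpjBI0ejH+hri7Oqi424KkVYsLPqohuKSzpffaPTcxtKM1
3pYrXGoxGMSe7hB8mURiN7AAOScN8bheAmVQQZnK8I7DztQGyZ2uM2hCMJcN+POR
8oD7KrSuLfolaKiox0TLDPPK8u50m24ARIPNkMyn6axd6hjMrHc/xUcct+y/hLcD
e8lfnCvH7xJjgxprJj0G1gCnTExhn0mNABwE4mwEdoVyFT7OtONRwCpmcBW82E2D
TRWrGwkXt0DgNJu+R1UCkK1HwurioQ/a3zZsgOmEjIYjoFZLAgMBAAGjgYgwgYUw
DwYJKwYBBQUHMAEFBAIFADAMBgNVHRMBAf8EAjAAMBMGA1UdJQQMMAoGCCsGAQUF
BwMJMA8GA1UdDwEB/wQFAwMHgAAwHQYDVR0OBBYEFAzSQGxBP0G4yyXA7DdkYgRm
u9GBMB8GA1UdIwQYMBaAFDGdH2r2Np+qY6exoxLiARNvOGsjMA0GCSqGSIb3DQEB
CwUAA4IBgQCrHYB3hE7BXqtgh0+TdWBzc3uBedYc0aZSt25XJOYtfXC+WOU97nFo
IPvJ323UlDRj17bGoGKvocH40HwW6qTOrXwhOxb/3hmeut0bZwQyM8w8/0evKOPP
wE7THaKfVrotMShcZzFp8504yKol5UcsNCDLZDgdzRVSMlhzaPubvi75rn2lUtA7
HDJdO8x2xc7NKdyiNhU9sIwEecPHQi7PUXG90NN6w26wOQ4bTSSiAmlIuCs8kLz3
ZEpsCStuogAe0EDGyCAcj7X6DdfLP6jLyH7BCPFGYOheRdhlB9biRHgIFaZshxWZ
85LhvqV+Uu8HqL77iN+y+mYL91vc1JAowZl0RWRhmQwPF9efbXFlYNhZhyrRub8q
y7en/IjqPlzH7y6rH9IRpppo0qY7lmzyzjboP00ZUCeZdhugK6bQiYmWW0K3IlST
rCCscGch/csY8ZGcByWIG/kcaFtqL/bADFdLendVIQrvpAS7O5jp3pMgi09wIEzM
JEu/vTpbQtY=
"""
OCSP_RESPONSE_DER = base64.b64decode(OCSP_RESPONSE_PEM)
NONCE_OID = "1.3.6.1.5.5.7.48.1.2"  # id-pkix-ocsp-nonce (RFC 6960, 4.4.1)

def der_tlv(buf, pos=0):
    """Decode one definite-length DER TLV; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Yield (tag, value) for every TLV inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = der_tlv(value, pos)
        yield tag, inner

def der_oid(value):
    """Decode OID contents (base-128 arcs) into dotted form."""
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def ocsp_response_nonce(der):
    """Return the nonce bytes from responseExtensions, or None when absent."""
    _, ocsp_resp, _ = der_tlv(der)                     # OCSPResponse SEQUENCE
    status, wrapped = list(der_children(ocsp_resp))    # responseStatus, [0] responseBytes
    if status[1][0] != 0:                              # 0 == successful
        raise ValueError("OCSP responseStatus %d" % status[1][0])
    _, resp_bytes, _ = der_tlv(wrapped[1])             # ResponseBytes SEQUENCE
    _, basic_octets = list(der_children(resp_bytes))   # responseType OID, response OCTET STRING
    _, basic, _ = der_tlv(basic_octets[1])             # BasicOCSPResponse SEQUENCE
    _, tbs, _ = der_tlv(basic)                         # tbsResponseData SEQUENCE
    kids = list(der_children(tbs))
    i = 1 if kids[0][0] == 0xA0 else 0                 # optional [0] version
    i += 3                                             # responderID, producedAt, responses
    if i >= len(kids) or kids[i][0] != 0xA1:           # [1] responseExtensions is optional
        return None
    _, exts, _ = der_tlv(kids[i][1])                   # Extensions SEQUENCE
    for _, ext in der_children(exts):
        parts = list(der_children(ext))                # extnID, [critical], extnValue
        if der_oid(parts[0][1]) == NONCE_OID:
            extn_value = parts[-1][1]
            # The nonce is itself wrapped in an inner OCTET STRING (RFC 8954 form),
            # which is what ocsptool prints in the attached log.
            if extn_value and extn_value[0] == 0x04:
                return der_tlv(extn_value)[1]
            return extn_value
    return None

def check_ocsp_nonce(response_der, request_nonce, check_nonce=False):
    """Hypothetical policy mirroring the GnuTLSOCSPCheckNonce semantics from the
    release note: off means no nonce was sent, so none is required; on means the
    response must echo exactly the request nonce (constant-time compare)."""
    if not check_nonce:
        return True
    resp_nonce = ocsp_response_nonce(response_der)
    if resp_nonce is None or request_nonce is None:
        return False
    return hmac.compare_digest(resp_nonce, request_nonce)
```

Running `ocsp_response_nonce(OCSP_RESPONSE_DER)` yields the same 23-byte nonce that ocsptool prints in the log, and `check_ocsp_nonce(..., check_nonce=True)` accepts it only when the requester's nonce matches. The point of the default change in 0.11.0 is visible in the `check_nonce=False` branch: a responder that never echoes a nonce would fail the strict branch on every refresh, leaving the stapling cache empty.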

