From mail at lechevalier.se Sun Jul 4 20:14:15 2021
From: mail at lechevalier.se (A L)
Date: Sun, 4 Jul 2021 20:14:15 +0200 (GMT+02:00)
Subject: [mod_gnutls-devel] https://mod.gnutls.org/ website error
Message-ID: <52017aa.64d95779.17a72ba6113@lechevalier.se>

Hi,

I'm getting website errors while browsing through https://mod.gnutls.org/

https://paste.tnonline.net/files/vWtgKOcD7TCC_Screenshot_20210704-201232_Opera.png

Warning: Failed to sync with repository "(default)": [Errno 12] Cannot allocate memory;


From mail at lechevalier.se Sat Jul 10 10:40:40 2021
From: mail at lechevalier.se (A L)
Date: Sat, 10 Jul 2021 10:40:40 +0200
Subject: [mod_gnutls-devel] mod_gnutls incompatible with Let's Encrypt OCSP responder
Message-ID: <482da47a-a5ff-4eae-8207-dd297f29796e@lechevalier.se>

Hi,

mod_gnutls is using SHA256 for signing OCSP requests. This is not supported by the Let's Encrypt (LE) OCSP responder, as it only supports SHA1 per RFC 5019.

I believe the corresponding code is
https://github.com/airtower-luna/mod_gnutls/blob/a6b3ae34c7bb069bf166530ed6fab71b7cd2139d/src/gnutls_ocsp.c#L201

    /* GnuTLS doc says that the digest is "normally"
     * GNUTLS_DIG_SHA1. */
    ret = gnutls_ocsp_req_add_cert(r, GNUTLS_DIG_SHA256, issuer, req_data->cert);

There was a request on LE to support SHA256, but I see compelling arguments that SHA1 should be supported by mod_gnutls as well.

https://github.com/letsencrypt/boulder/issues/5523
https://github.com/airtower-luna/mod_gnutls/issues/3

Currently, when using mod_gnutls with Apache we see warnings about OCSP responses and I think due to this it is also hammering the OCSP responder needlessly.

Thanks!
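The incompatibility in the second message comes down to the digest OID carried in the OCSP request's CertID. The following is an added example, not code from mod_gnutls or from the poster: a dependency-free Python check that walks the DER of an OCSP request and reports which digest each CertID uses, so a server operator can confirm whether the requests it sends fit the RFC 5019 profile. The sample request, hashes and serial number are constructed in code rather than captured from a real responder exchange.

```python
# Added example (not mod_gnutls code): report the digest OID in an OCSP request's
# CertID (RFC 6960 4.1.1); RFC 5019 requires SHA-1. Inputs below are constructed.
SHA1_OID = bytes.fromhex("2b0e03021a")            # 1.3.14.3.2.26
SHA256_OID = bytes.fromhex("608648016503040201")  # 2.16.840.1.101.3.4.2.1
OID_NAMES = {SHA1_OID: "sha1", SHA256_OID: "sha256"}

def der(tag, body):
    """Encode one DER TLV with a definite (short or long form) length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def read_tlv(buf, pos=0):
    """Decode the TLV at pos; return (tag, body, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def build_ocsp_request(digest_oid, name_hash, key_hash, serial):
    """Unsigned OCSPRequest with one CertID (constructed test input)."""
    alg = der(0x30, der(0x06, digest_oid) + der(0x05, b""))  # AlgorithmIdentifier
    cert_id = der(0x30, alg + der(0x04, name_hash) + der(0x04, key_hash) + der(0x02, serial))
    request_list = der(0x30, der(0x30, cert_id))             # SEQUENCE OF Request
    return der(0x30, der(0x30, request_list))                # OCSPRequest { tbsRequest }

def certid_digests(ocsp_request):
    """Digest name for every CertID in the request ('unknown' for other OIDs)."""
    _, tbs_tlv, _ = read_tlv(ocsp_request)       # OCSPRequest -> tbsRequest TLV
    _, tbs, _ = read_tlv(tbs_tlv)                # tbsRequest contents
    pos, request_list = 0, None
    while pos < len(tbs):                        # skip [0] version / [1] requestorName
        tag, body, pos = read_tlv(tbs, pos)
        if tag == 0x30:
            request_list = body
            break
    names, pos = [], 0
    while request_list and pos < len(request_list):
        _, req, pos = read_tlv(request_list, pos)  # Request
        _, cert_id, _ = read_tlv(req)              # reqCert (CertID)
        _, alg, _ = read_tlv(cert_id)              # hashAlgorithm
        _, oid, _ = read_tlv(alg)                  # OBJECT IDENTIFIER
        names.append(OID_NAMES.get(oid, "unknown"))
    return names

def rfc5019_compatible(ocsp_request):
    """True only if every CertID uses SHA-1, as the lightweight profile requires."""
    digests = certid_digests(ocsp_request)
    return bool(digests) and all(d == "sha1" for d in digests)
```

To check a real request, pass the DER body of the POSTed application/ocsp-request (or the base64-decoded path of an OCSP GET) to certid_digests.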