[mod_gnutls-devel] mod_gnutls incompatible with Let's Encrypt OCSP responder
mail at lechevalier.se
Sat Jul 10 10:40:40 CEST 2021
mod_gnutls is using SHA256 for signing OCSP requests. This is not
supported by the Let's Encrypt (LE) OCSP responder, as it only
supports SHA1 per RFC 5019.
I believe the corresponding code is
/* GnuTLS doc says that the digest is "normally"
* GNUTLS_DIG_SHA1. */
ret = gnutls_ocsp_req_add_cert(r, GNUTLS_DIG_SHA256,
There was a request on LE to support SHA256, but I see compelling
arguments that SHA1 should be supported by mod_gnutls as well.
Currently, when using mod_gnutls with Apache, we see warnings about OCSP
responses and I think due to this it is also hammering the OCSP
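The point of the report is which digest ends up in the CertID hashAlgorithm field of the OCSP request on the wire, since an RFC 5019 responder only serves SHA-1 CertIDs. The following is an added example, not code from this post, from mod_gnutls or from GnuTLS: it hand-encodes a minimal DER OCSPRequest for a constructed issuer name, issuer key and serial number (all made up here, not real Let's Encrypt values), then parses a request back to report whether its CertID uses the SHA-1 OID (1.3.14.3.2.26) or the SHA-256 OID (2.16.840.1.101.3.4.2.1). The same parser can be pointed at a request captured from a server to check what it actually sends.

```python
"""Build and inspect minimal OCSP requests to see which CertID digest they use.

Added example (not mod_gnutls/GnuTLS code). The issuer name, issuer key and
serial number below are constructed placeholders, not real certificate data.
"""
import hashlib

OID_SHA1 = "1.3.14.3.2.26"             # RFC 5019 lightweight-profile digest
OID_SHA256 = "2.16.840.1.101.3.4.2.1"  # digest mod_gnutls passes to gnutls_ocsp_req_add_cert
DIGEST_BY_OID = {OID_SHA1: "sha1", OID_SHA256: "sha256"}


# ---- tiny DER encoder ------------------------------------------------------
def der_len(n):
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def encode_oid(dotted):
    """Dotted OID string -> OBJECT IDENTIFIER content octets (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append((a & 0x7F) | 0x80)
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_ocsp_request(issuer_name_der, issuer_key_der, serial, digest):
    """OCSPRequest { tbsRequest { requestList { Request { CertID } } } } with
    CertID hashAlgorithm = SHA-1 or SHA-256 (RFC 6960 syntax, unsigned)."""
    oid = {"sha1": OID_SHA1, "sha256": OID_SHA256}[digest]
    alg_id = der(0x30, der(0x06, encode_oid(oid)) + b"\x05\x00")  # OID + NULL
    name_hash = hashlib.new(digest, issuer_name_der).digest()
    key_hash = hashlib.new(digest, issuer_key_der).digest()
    serial_der = serial.to_bytes((serial.bit_length() + 8) // 8, "big")
    cert_id = der(0x30, alg_id + der(0x04, name_hash) + der(0x04, key_hash)
                  + der(0x02, serial_der))
    request = der(0x30, cert_id)
    tbs_request = der(0x30, der(0x30, request))  # requestList holds one Request
    return der(0x30, tbs_request)


# ---- tiny DER decoder ------------------------------------------------------
def read_tlv(buf, pos):
    """Return (tag, content, position after this element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_cert_id(req_der):
    """Walk to the first Request's CertID and return its fields as a dict."""
    _, ocsp_req, _ = read_tlv(req_der, 0)
    _, tbs, _ = read_tlv(ocsp_req, 0)
    pos = 0
    while True:  # skip optional [0] version / [1] requestorName before requestList
        tag, body, nxt = read_tlv(tbs, pos)
        if tag == 0x30:
            request_list = body
            break
        pos = nxt
    _, request, _ = read_tlv(request_list, 0)
    _, cert_id, _ = read_tlv(request, 0)
    _, alg_id, pos = read_tlv(cert_id, 0)
    tag, oid_content, _ = read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("CertID.hashAlgorithm does not start with an OID")
    oid = decode_oid(oid_content)
    _, name_hash, pos = read_tlv(cert_id, pos)
    _, key_hash, pos = read_tlv(cert_id, pos)
    _, serial_content, _ = read_tlv(cert_id, pos)
    return {"hash_oid": oid, "digest": DIGEST_BY_OID.get(oid, "unknown"),
            "issuer_name_hash": name_hash, "issuer_key_hash": key_hash,
            "serial": int.from_bytes(serial_content, "big", signed=True)}


def is_rfc5019_compatible(req_der):
    """RFC 5019 responders only answer CertIDs hashed with SHA-1."""
    return parse_cert_id(req_der)["hash_oid"] == OID_SHA1


if __name__ == "__main__":
    issuer_name, issuer_key, serial = b"CN=Constructed Issuer", b"constructed-spki", 0x1234
    for d in ("sha1", "sha256"):
        req = build_ocsp_request(issuer_name, issuer_key, serial, d)
        info = parse_cert_id(req)
        print(f"{d}: hashAlgorithm={info['hash_oid']} "
              f"nameHash={len(info['issuer_name_hash'])} bytes "
              f"rfc5019_ok={is_rfc5019_compatible(req)}")
```

Feeding a real request (for instance the body of a POST to a responder, saved to a file) to parse_cert_id shows the digest a client actually sends; a 20-byte issuerNameHash with OID 1.3.14.3.2.26 is the profile an RFC 5019 responder expects, while a 32-byte hash with OID 2.16.840.1.101.3.4.2.1 matches the GNUTLS_DIG_SHA256 call quoted above.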