[mod_gnutls-devel] mod_gnutls incompatible with Let's Encrypt OCSP responder
A L
mail at lechevalier.se
Sat Jul 10 10:40:40 CEST 2021
Hi,
mod_gnutls is using SHA256 for signing OCSP requests. This is not
supported by the Let's Encrypt (LE) OCSP responder, as it only
supports SHA1 per RFC 5019.
I believe the corresponding code is
https://github.com/airtower-luna/mod_gnutls/blob/a6b3ae34c7bb069bf166530ed6fab71b7cd2139d/src/gnutls_ocsp.c#L201
    /* GnuTLS doc says that the digest is "normally"
     * GNUTLS_DIG_SHA1. */
    ret = gnutls_ocsp_req_add_cert(r, GNUTLS_DIG_SHA256,
                                   issuer, req_data->cert);
There was a request on LE to support SHA256, but I see compelling
arguments that SHA1 should be supported by mod_gnutls as well.
https://github.com/letsencrypt/boulder/issues/5523
https://github.com/airtower-luna/mod_gnutls/issues/3
Currently, when using mod_gnutls with Apache we see warnings about OCSP
responses and I think due to this it is also hammering the OCSP
responder needlessly.
Thanks!
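The incompatibility described in the post comes down to one field in the OCSP request: the hashAlgorithm of the CertID (RFC 6960, section 4.1.1), which an RFC 5019 lightweight responder expects to be SHA-1. The following Python example is added here for illustration and is not code from mod_gnutls, GnuTLS or Let's Encrypt. It hand-encodes a minimal DER OCSPRequest with either digest and then walks the structure back to read the digest OID, which is the check an operator can run against a captured request to see whether the client is sending the SHA-1 CertID that a lightweight responder supports. The issuer name bytes, issuer key bytes and serial number are constructed placeholders, not values from any real certificate.

```python
"""Build a minimal OCSPRequest (RFC 6960) with a chosen CertID digest and
read the digest OID back out of a request.  Standard library only."""
import hashlib

SHA1_OID = "1.3.14.3.2.26"
SHA256_OID = "2.16.840.1.101.3.4.2.1"
DIGESTS = {SHA1_OID: hashlib.sha1, SHA256_OID: hashlib.sha256}

# Constructed placeholder inputs (not from a real certificate):
ISSUER_NAME_DER = b"\x30\x0b\x31\x09\x30\x07\x06\x03\x55\x04\x03\x13\x00"
ISSUER_KEY_BITS = bytes(range(64))  # stands in for subjectPublicKey bits
SERIAL = 0x0123456789ABCDEF


def der_len(n):
    """DER length octets (short and long form)."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def decode_oid(body):
    first = body[0]
    arcs = [0, first] if first < 40 else ([1, first - 40] if first < 80 else [2, first - 80])
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def build_cert_id(digest_oid, issuer_name_der, issuer_key_bits, serial):
    """CertID ::= SEQUENCE { hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber }"""
    h = DIGESTS[digest_oid]
    alg = der(0x30, encode_oid(digest_oid) + b"\x05\x00")  # NULL parameters
    name_hash = der(0x04, h(issuer_name_der).digest())
    key_hash = der(0x04, h(issuer_key_bits).digest())
    serial_der = der(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
    return der(0x30, alg + name_hash + key_hash + serial_der)


def build_ocsp_request(cert_id):
    """OCSPRequest { TBSRequest { requestList SEQUENCE OF Request { reqCert CertID } } }"""
    return der(0x30, der(0x30, der(0x30, der(0x30, cert_id))))


def parse_tlv(buf, pos, expect_tag=None):
    """Return (tag, body_start, body_end) for the TLV at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if expect_tag is not None and tag != expect_tag:
        raise ValueError("expected tag 0x%02x, got 0x%02x" % (expect_tag, tag))
    return tag, pos, pos + length


def request_digest_oid(req):
    """Digest OID named in the first CertID of an OCSPRequest."""
    _, pos, _ = parse_tlv(req, 0, 0x30)        # OCSPRequest
    _, pos, _ = parse_tlv(req, pos, 0x30)      # TBSRequest
    while req[pos] in (0xA0, 0xA1):            # skip version / requestorName
        _, _, pos = parse_tlv(req, pos)
    _, pos, _ = parse_tlv(req, pos, 0x30)      # requestList
    _, pos, _ = parse_tlv(req, pos, 0x30)      # Request
    _, pos, _ = parse_tlv(req, pos, 0x30)      # CertID
    _, pos, _ = parse_tlv(req, pos, 0x30)      # AlgorithmIdentifier
    _, start, end = parse_tlv(req, pos, 0x06)  # OID
    return decode_oid(req[start:end])


def rfc5019_compatible(req):
    """True when the request uses the SHA-1 CertID a lightweight responder expects."""
    return request_digest_oid(req) == SHA1_OID


if __name__ == "__main__":
    for oid in (SHA1_OID, SHA256_OID):
        r = build_ocsp_request(build_cert_id(oid, ISSUER_NAME_DER, ISSUER_KEY_BITS, SERIAL))
        print(oid, len(r), "bytes, RFC 5019 compatible:", rfc5019_compatible(r))
```

Running the script shows the SHA-256 request is larger (two 32-byte hashes instead of two 20-byte ones) and fails the RFC 5019 check, which is the condition the post attributes to the warnings seen with Apache. The parser deliberately accepts only the tags it expects and raises on anything else, so feeding it a malformed capture produces an error rather than a misleading answer.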