[mod_gnutls-devel] mod_gnutls incompatible with Let's Encrypt OCSP responder

A L mail at lechevalier.se
Sat Jul 10 10:40:40 CEST 2021


mod_gnutls is using SHA256 for signing OCSP requests. This is not 
supported by the Let's Encrypt (LE) OCSP responder, as it only 
supports SHA1 per RFC 5019.

I believe the corresponding code is

    /* GnuTLS doc says that the digest is "normally"
     * GNUTLS_DIG_SHA1. */
    ret = gnutls_ocsp_req_add_cert(r, GNUTLS_DIG_SHA256,
                                   issuer, req_data->cert);

There was a request on LE to support SHA256, but I see compelling 
arguments that SHA1 should be supported by mod_gnutls as well.


Currently, when using mod_gnutls with Apache we see warnings about OCSP 
responses and I think due to this it is also hammering the OCSP 
responder needlessly.

