ocsp server analysis

Kiyor | Created: 10-28-15 10:15:24, Last Update: 11-03-15 08:07:22



Some notes from my analysis of OCSP responders for the ocsp project; this is what you may want to know.

  • vassg142.ocsp.omniroot.com: CyberTrust (Verizon), served through Akamai
dig vassg142.ocsp.omniroot.com @8.8.8.8

; <<>> DiG 9.8.3-P1 <<>> vassg142.ocsp.omniroot.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34278
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;vassg142.ocsp.omniroot.com.	IN	A

;; ANSWER SECTION:
vassg142.ocsp.omniroot.com. 264	IN	CNAME	vassg.omniroot.com.edgesuite.net.
vassg.omniroot.com.edgesuite.net. 21070	IN CNAME a1158.b.akamai.net.
a1158.b.akamai.net.	19	IN	A	184.51.0.11
a1158.b.akamai.net.	19	IN	A	184.51.0.27

;; Query time: 69 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Oct 28 17:11:59 2015
;; MSG SIZE  rcvd: 151
  • ocsp.digicert.com: DigiCert, served through Edgecast (Verizon)
dig ocsp.digicert.com @8.8.8.8

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> ocsp.digicert.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1034
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ocsp.digicert.com.		IN	A

;; ANSWER SECTION:
ocsp.digicert.com.	8578	IN	CNAME	cs9.wac.phicdn.net.
cs9.wac.phicdn.net.	1403	IN	A	72.21.91.29

;; Query time: 2 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Oct 29 00:14:38 2015
;; MSG SIZE  rcvd: 83
  • ocsp.comodoca.com: Comodo, no CDN (direct A record)
dig ocsp.comodoca.com @8.8.8.8

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> ocsp.comodoca.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18036
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ocsp.comodoca.com.		IN	A

;; ANSWER SECTION:
ocsp.comodoca.com.	60	IN	A	178.255.83.1

;; Query time: 2 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Oct 29 00:18:55 2015
;; MSG SIZE  rcvd: 51
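As an added example (my own code, not part of the original post), here is a small script that generalizes the three lookups above: it walks the CNAME chain in a dig answer section and labels the provider. The suffix table is built from the three responders above (edgesuite.net and akamai.net for Akamai, phicdn.net for Edgecast) plus the akamaiedge.net and edgecastcdn.net suffixes those providers also use; the function and variable names are mine, and the embedded answer sections are constructed copies of the dig output above with tabs replaced by spaces.

```shell
#!/bin/bash
# Added example (not from the original post): classify how an OCSP responder
# hostname is served by walking the CNAME chain of a dig answer section.
# classify_from_answer() is pure text parsing, so it runs offline on captured
# dig output; ocsp_cdn_report() wraps it around a live `dig +noall +answer`.

set -u

# Map well-known CDN CNAME suffixes to a provider name. The first three
# suffixes come from the responders examined above; extend as needed.
cdn_for_target() {
    case "$1" in
        *.edgesuite.net.|*.akamai.net.|*.akamaiedge.net.) echo "Akamai" ;;
        *.phicdn.net.|*.edgecastcdn.net.)                 echo "Edgecast" ;;
        *) return 1 ;;
    esac
}

# Print the CNAME targets, in order, from a dig answer section on stdin.
# awk's default splitting handles both the tabs and the space runs dig emits.
cname_chain() {
    awk '$4 == "CNAME" { print $5 }'
}

# Read a dig answer section (the lines below ";; ANSWER SECTION:") from stdin
# and print the provider when a CNAME in the chain belongs to a known CDN,
# "unknown CDN" when there is a chain but no match, and "no CDN" when only
# A records come back.
classify_from_answer() {
    local answer chain target cdn
    answer=$(cat)
    chain=$(printf '%s\n' "$answer" | cname_chain)
    [ -n "$chain" ] || { echo "no CDN"; return 0; }
    for target in $chain; do
        if cdn=$(cdn_for_target "$target"); then
            echo "$cdn"
            return 0
        fi
    done
    echo "unknown CDN"
}

# Live wrapper: resolve a hostname via a resolver (default 8.8.8.8, as in the
# dig runs above) and classify it. Needs network access.
ocsp_cdn_report() {
    local host=$1 resolver=${2:-8.8.8.8}
    printf '%s: ' "$host"
    dig +noall +answer "$host" "@$resolver" | classify_from_answer
}

# Constructed copies of the three answer sections captured above.
OMNIROOT_ANSWER='vassg142.ocsp.omniroot.com. 264 IN CNAME vassg.omniroot.com.edgesuite.net.
vassg.omniroot.com.edgesuite.net. 21070 IN CNAME a1158.b.akamai.net.
a1158.b.akamai.net. 19 IN A 184.51.0.11'
DIGICERT_ANSWER='ocsp.digicert.com. 8578 IN CNAME cs9.wac.phicdn.net.
cs9.wac.phicdn.net. 1403 IN A 72.21.91.29'
COMODO_ANSWER='ocsp.comodoca.com. 60 IN A 178.255.83.1'

# Usage: ./ocsp-cdn.sh ocsp.digicert.com ocsp.comodoca.com ...
if [ "$#" -ge 1 ]; then
    for h in "$@"; do ocsp_cdn_report "$h"; done
fi
```

Run it with one or more responder hostnames to get a one-line label per host; feed it a saved dig answer section on stdin through classify_from_answer when you want to check a capture offline.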

I made a script that mimics the nginx behavior and prints the details.

#!/bin/bash
# Usage: ./ocsp-check.sh www.example.com
# Fetches the leaf and issuer certificates, builds an OCSP request, and then
# fetches the response over HTTP GET the way nginx does.

site=$1
server=$site

crtfile="/tmp/${site}.crt"
chainfile="/tmp/${site}.ca.crt"
respfile="${site}.resp"
reqfile="/tmp/${site}.req"
tmpfile="/tmp/tmp"

# Leaf certificate only (s_client prints just the server cert without -showcerts)
openssl s_client -connect "${server}:443" -servername "$site" 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p' > "$crtfile"
# Body lines of the leaf, used below to filter it out of the full chain
head -n -1 "$crtfile" | tail -n +2 > "$tmpfile"

url=$(openssl x509 -noout -ocsp_uri -in "$crtfile")
url=${url%/}   # avoid a double slash when the URI already ends in "/"

# Full chain minus the leaf: drop the leaf body lines (fixed-string, whole-line
# match), then the leaf's own BEGIN/END lines that remain at the top
openssl s_client -connect "${server}:443" -servername "$site" -showcerts 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p' | grep -v -x -F -f "$tmpfile" | tail -n +3 > "$chainfile"

host=$(echo "$url" | awk -F'/' '{ print $3 }')
echo "ocsp url: $url (host: $host)"

# Build the request, send it by POST, and save both request and response
openssl ocsp -noverify -issuer "$chainfile" -cert "$crtfile" -respout "$respfile" -reqout "$reqfile" -url "$url"

# GET form (RFC 6960 Appendix A): base64 of the DER request, URL-encoded, appended to the URL
b64=$(base64 < "$reqfile" | tr -d '\n')
echo "b64: $b64"
requri=$(echo -n "$b64" | perl -p -e 's/([^A-Za-z0-9])/sprintf("%%%02X", ord($1))/seg')

requrl="$url/$requri"
echo "get resp via url : $requrl"

# Same GET request nginx will make; print only the response headers
curl -IXGET "$requrl"

echo "nginx ssl_stapling_file : $respfile"

If nginx is able to fetch $requrl, stapling will work, so you can use a CDN-hosted OCSP server; just set the resolver directive in nginx so it resolves the CDN hostname itself. If you use openssl ocsp with -host $CDNIP it fails; I guess this is because the CDN server needs other information that a bare connection to its IP does not provide.

Warning: From my experience, nginx ssl_stapling_file will not update after the OCSP response expires.
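An added example (my own code, not the author's script) that deals with the two points above: it parses the Next Update field from openssl ocsp -text output, decides whether a static staple file needs refreshing, and, when run with arguments, re-fetches the response, verifies it against a CA bundle, and only then replaces the file. The function names, the one-day REFRESH_MARGIN, the argument layout and the nginx -s reload call are my assumptions, and the sample openssl text is constructed; the fetch itself needs network access, while the parsing and decision functions run offline.

```shell
#!/bin/bash
# Added example (not from the original post): keep an nginx ssl_stapling_file
# fresh, since nginx never refreshes a static staple file by itself.

set -u

# Re-fetch when less than this many seconds of validity remain (assumption: one day).
REFRESH_MARGIN=${REFRESH_MARGIN:-86400}

# Constructed sample of what `openssl ocsp -respin resp.der -noverify -text`
# prints for a single-certificate response, trimmed to the lines that matter.
SAMPLE_OCSP_TEXT='OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
    Cert Status: good
    This Update: Oct 28 10:15:24 2015 GMT
    Next Update: Nov  3 08:07:22 2015 GMT'

# Extract the "Next Update" timestamp from the openssl text dump.
ocsp_next_update() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Next Update: *//p' | head -n 1
}

# Convert an openssl-style timestamp ("Nov  3 08:07:22 2015 GMT") to a Unix
# epoch. GNU date is tried first; the BSD/macOS form is the fallback.
ocsp_time_to_epoch() {
    date -u -d "$1" +%s 2>/dev/null \
        || date -u -j -f '%b %e %H:%M:%S %Y %Z' "$1" +%s
}

# Return 0 (true) when the response has expired or will expire within
# REFRESH_MARGIN seconds, 1 otherwise. Takes the openssl text dump as $1.
ocsp_needs_refresh() {
    local next next_epoch now
    next=$(ocsp_next_update "$1")
    [ -n "$next" ] || return 0                  # no Next Update at all: treat as stale
    next_epoch=$(ocsp_time_to_epoch "$next") || return 0
    now=$(date -u +%s)
    [ $((next_epoch - now)) -lt "$REFRESH_MARGIN" ]
}

# Fetch a fresh response for CERT (issued by ISSUER) into OUT, verifying the
# responder signature against CAFILE; install it only when it verifies, reports
# "good" and is not already close to its own Next Update. Needs network access.
refresh_staple() {
    local cert=$1 issuer=$2 out=$3 cafile=$4 url tmp result text
    url=$(openssl x509 -noout -ocsp_uri -in "$cert") || return 1
    tmp="$out.new"
    result=$(openssl ocsp -issuer "$issuer" -cert "$cert" -url "$url" \
                 -CAfile "$cafile" -respout "$tmp" 2>&1) || { rm -f "$tmp"; return 1; }
    printf '%s\n' "$result" | grep -q 'Response verify OK' || { rm -f "$tmp"; return 1; }
    printf '%s\n' "$result" | grep -q ': good$'           || { rm -f "$tmp"; return 1; }
    text=$(openssl ocsp -respin "$tmp" -noverify -text 2>/dev/null)
    if ocsp_needs_refresh "$text"; then rm -f "$tmp"; return 1; fi
    mv "$tmp" "$out"
}

# Usage (from cron): ./refresh-staple.sh CERT ISSUER STAPLE_FILE CA_BUNDLE
if [ "$#" -eq 4 ]; then
    if ocsp_needs_refresh "$(openssl ocsp -respin "$3" -noverify -text 2>/dev/null)"; then
        refresh_staple "$1" "$2" "$3" "$4" && echo "staple refreshed: $3" && nginx -s reload
    else
        echo "staple still valid: $3"
    fi
fi
```

Schedule it more often than the responder's validity window (a few times a day is plenty for the week-long windows above). If you instead turn on ssl_stapling with a resolver directive, nginx fetches and refreshes the response itself and none of this is needed; the script is for setups that must pin a file with ssl_stapling_file.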


Category: work