Inspired by Paul Kehrer's research a few months ago, I've added a continuous OCSP Monitoring feature to crt.sh:

https://crt.sh/ocsp-responders

This page shows the latest results of 3 OCSP checks (performed hourly) against each CA / Responder URL that crt.sh has ever encountered:
  1. a GET request for an unexpired certificate.
  2. a POST request for an unexpired certificate.
  3. a POST request for a randomly-generated serial number.

The results can be sorted and filtered in various ways: try editing the form at the top of the page and then clicking "Update"; or try clicking a value in any of the "Response" columns.

The "B" (for "Bytes") column lists the size of each HTTP response. Click on any of these values and you'll see the actual OCSP response that crt.sh saw; each OCSP response can be viewed as a hex dump, ASN.1 dump, or in the text form used by "openssl ocsp -resp_text".

There are many well behaved Responders, but there's also a wealth of interesting misbehaviours to explore!

Some example reports:

1. CAs / Responder URLs that are in scope for, but violate, the BR prohibition on returning a signed "Good" response for a random serial number, and are also in scope for Mozilla's consideration:
https://crt.sh/ocsp-responders?trustedExclude=constrained%2Cexpired%2Conecrl&trustedBy=Mozilla&trustedFor=Server+Authentication&randomserial=Good

2. All CAs / Responder URLs, sorted by GET response size (largest first):
https://crt.sh/ocsp-responders?dir=^&sort=6

3. All CAs / Responder URLs, sorted by GET response time (fastest first):
https://crt.sh/ocsp-responders?dir=v&sort=10
(No surprise that Comodo's OCSP Responders are fastest from this particular network perspective ;-) ).

4. All CAs / Responder URLs where 'comodo' is a substring of the Responder URL:
https://crt.sh/ocsp-responders?url=%25comodo%25

On 15/11/17 00:19, Paul Kehrer via dev-security-policy wrote:
Hi Ben,

DN: CN=Cartão de Cidadão 001, OU=ECEstado, O=SCEE - Sistema de Certificação
Electrónica do Estado, C=PT

Downloading the issuer (https://crt.sh/?id=8949008) and then running:

openssl ocsp -issuer 8949008.crt -serial 101010101010101101010101010 \
  -no_nonce -url http://ocsp.root.cartaodecidadao.pt/publico/ocsp -noverify

gives this response:

101010101010101101010101010: good
This Update: Nov 14 23:59:47 2017 GMT

So this does not appear to be resolved.


DN: C=PT, O=SCEE, CN=ECRaizEstado

The SCEE root for the Government of Portugal is now responding with
unknown/revoked statuses.


DN: C=PT, O=MULTICERT - Serviços de Certificação Electrónica S.A.,
OU=Accredited Certification Authority, CN=MULTICERT Certification Authority
002

Download https://crt.sh/?id=8642581 and run:

openssl ocsp -issuer 8642581.crt -serial 101010101010101101010101010 \
  -no_nonce -url http://ocsp.multicert.com/ocsp -noverify

and

openssl ocsp -issuer 8642581.crt -serial 101010101010101101010101010 \
  -no_nonce -url http://ocsp.multicert.com/procsp -noverify

and the responses are:

101010101010101101010101010: good
This Update: Nov 15 00:03:40 2017 GMT
Next Update: Nov 15 00:03:40 2017 GMT

101010101010101101010101010: good
This Update: Nov 15 00:03:58 2017 GMT
Next Update: Nov 15 00:03:58 2017 GMT

Not fixed.


DN: C=PT, O=MULTICERT - Serviços de Certificação Electrónica S.A.,
OU=Entidade de Certificação Credenciada, CN=MULTICERT - Entidade de
Certificação 001

(Issuer: https://crt.sh/?id=128496365)

openssl ocsp -issuer 128496365.crt -serial 1010101010101010101002101010 \
  -no_nonce -noverify -url http://ocsp.multicert.com/ocsp

1010101010101010101002101010: good
This Update: Nov 15 00:15:45 2017 GMT
Next Update: Nov 15 00:15:45 2017 GMT

Also not fixed.

I believe Kathleen has opened bugzilla issues for these so it would
probably be good to copy this correspondence there as well.

-Paul

On November 15, 2017 at 6:50:43 AM, Ben Wilson (ben.wil...@digicert.com)
wrote:

Could someone re-check Multicert and SCEE? (See below.)  They have
indicated to us that they have now patched their OCSP responder systems.



DN: CN=Cartão de Cidadão 001, OU=ECEstado, O=SCEE - Sistema de Certificação
Electrónica do Estado, C=PT

Example cert: https://crt.sh/?id=12729446

OCSP URI: http://ocsp.root.cartaodecidadao.pt/publico/ocsp



DN: C=PT, O=MULTICERT - Serviços de Certificação Electrónica S.A.,
OU=Accredited Certification Authority, CN=MULTICERT Certification Authority
002

Example cert: https://crt.sh/?id=117934576

OCSP URI: http://ocsp.multicert.com/ocsp

OCSP URI: http://ocsp.multicert.com/procsp



DN: C=PT, O=MULTICERT - Serviços de Certificação Electrónica S.A.,
OU=Entidade de Certificação Credenciada, CN=MULTICERT - Entidade de
Certificação 001

Example cert: https://crt.sh/?id=11653177

OCSP URI: http://ocsp.multicert.com/ocsp



DigiCert/Government of Portugal, Sistema de Certificação Electrónica do
Estado (SCEE) / Electronic Certification System of the State:



DN: C=PT, O=SCEE, CN=ECRaizEstado

Example cert: https://crt.sh/?id=8322256

OCSP URI: http://ocsp.ecee.gov.pt

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
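The three hourly checks described at the top of this thread (a GET and a POST for a real, unexpired serial, and a POST for a random serial, where a signed "Good" answer is the BR violation the first example report filters on) can be reproduced with nothing but the Python standard library. The following is an added example, not crt.sh's code and not anything Paul or Rob posted: it builds the unsigned OCSPRequest DER (what `openssl ocsp -no_nonce` sends as a POST body), derives the RFC 6960 Appendix A GET URL form, decodes an OCSPResponse down to each certificate's status, and turns that into the "Good" / "Unknown" / "Revoked" verdict for a random serial. The issuer name, issuer key bits, responder URL and the responses produced by `sample_response` are constructed fixtures, and every function name is this example's own.

```python
import base64, hashlib, os, urllib.parse

# Fixture values (issuer name/key, sample responses) are constructed in this
# example, not taken from any real responder; no signature verification is done.

def der(tag, content):                        # single-byte tags suffice for OCSP
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def der_seq(*items): return der(0x30, b"".join(items))
def der_octets(b): return der(0x04, b)
def sha1(b): return hashlib.sha1(b).digest()
def der_int(value):   # positive INTEGER; extra byte keeps a leading 0x00 if top bit set
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

SHA1_ALG = der_seq(bytes.fromhex("06052b0e03021a"), b"\x05\x00")        # sha1 + NULL
SHA256_RSA_ALG = der_seq(bytes.fromhex("06092a864886f70d01010b"), b"\x05\x00")
OCSP_BASIC_OID = bytes.fromhex("06092b0601050507300101")             # id-pkix-ocsp-basic

# --- request side: what check 3 sends ---------------------------------------
def random_serial():
    """20-octet positive serial with the top bit clear (the RFC 5280 limit)."""
    return int.from_bytes(os.urandom(20), "big") >> 1

def cert_id(issuer_name_der, issuer_key_bytes, serial):
    """CertID: sha1(issuer Name DER), sha1(issuer subjectPublicKey bits), serial."""
    return der_seq(SHA1_ALG, der_octets(sha1(issuer_name_der)),
                   der_octets(sha1(issuer_key_bytes)), der_int(serial))

def ocsp_request(cert_id_der):
    """Unsigned OCSPRequest without extensions (like openssl ocsp -no_nonce)."""
    request = der_seq(cert_id_der)       # Request ::= SEQUENCE { reqCert CertID }
    tbs = der_seq(der_seq(request))      # TBSRequest { requestList SEQUENCE OF Request }
    return der_seq(tbs)                  # OCSPRequest { tbsRequest }; POST body as-is

def get_url(responder_url, request_der):
    """RFC 6960 A.1 GET form: {url}/{url-encoded base64 of the DER request}."""
    b64 = base64.b64encode(request_der).decode("ascii")
    return responder_url.rstrip("/") + "/" + urllib.parse.quote(b64, safe="")

# --- response side: decode what came back (signature is NOT checked) --------
def read_tlv(buf, pos=0):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                        # long-form length
        nb = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    return tag, buf[pos:pos + ln], pos + ln

def children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = read_tlv(content, pos)
        out.append((tag, val))
    return out

RESPONSE_STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
                   3: "tryLater", 5: "sigRequired", 6: "unauthorized"}
CERT_STATUS = {0x80: "good", 0xA1: "revoked", 0x82: "unknown"}  # CertStatus CHOICE tags

def decode_ocsp_response(resp_der):
    """Return (responseStatus, [(serial, certStatus), ...])."""
    parts = children(read_tlv(resp_der)[1])
    status = RESPONSE_STATUS.get(parts[0][1][0], "unrecognised")
    if status != "successful" or len(parts) < 2:
        return status, []
    response_bytes = children(parts[1][1])[0][1]           # [0] EXPLICIT ResponseBytes
    _oid, (_, basic_der) = children(response_bytes)        # OCTET STRING holds BasicOCSPResponse
    tbs = children(read_tlv(basic_der)[1])[0][1]           # tbsResponseData
    responses = next(val for tag, val in children(tbs) if tag == 0x30)
    results = []
    for _, single in children(responses):
        fields = children(single)                          # certID, certStatus, thisUpdate, ...
        serial = int.from_bytes(children(fields[0][1])[3][1], "big")
        results.append((serial, CERT_STATUS.get(fields[1][0], "unrecognised")))
    return status, results

def random_serial_verdict(resp_der, serial):
    """Column value for check 3: a signed 'Good' for a random serial is the BR violation."""
    status, results = decode_ocsp_response(resp_der)
    return next((cs.capitalize() for s, cs in results if s == serial), status)

# --- constructed fixture: BasicOCSPResponse with a zero placeholder signature ---
def sample_response(cert_id_der, issuer_key_bytes, status_tag=0x80,
                    produced_at=b"20171115000340Z"):
    single = der_seq(cert_id_der, bytes([status_tag, 0x00]), der(0x18, produced_at))
    tbs = der_seq(der(0xA2, der_octets(sha1(issuer_key_bytes))),   # responderID byKey
                  der(0x18, produced_at), der_seq(single))
    basic = der_seq(tbs, SHA256_RSA_ALG, der(0x03, b"\x00" * 33))
    return der_seq(der(0x0A, b"\x00"),                              # status: successful
                   der(0xA0, der_seq(OCSP_BASIC_OID, der_octets(basic))))
```

To run the real check, POST `ocsp_request(cert_id(...))` with `Content-Type: application/ocsp-request` to the responder URL (or fetch `get_url(...)`), feed the body to `decode_ocsp_response`, and record `random_serial_verdict` alongside the HTTP status, byte count and elapsed time, which is all the responder-monitoring page displays. The decoder deliberately trusts the encoding and ignores the signature, which is fine for classifying what a responder said but not for deciding whether a certificate is actually revoked: a consumer must verify the BasicOCSPResponse signature against the issuer or a delegated responder certificate before acting on the answer.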
