From a2db340378b6a56fb3d8b885103bb07e67abc97a Mon Sep 17 00:00:00 2001
From: Matthew Holt
Date: Mon, 16 Oct 2017 17:25:55 -0600
Subject: [PATCH] tls: Final check of OCSP response validity date before stapling

---
 caddytls/crypto.go | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/caddytls/crypto.go b/caddytls/crypto.go
index 3ebc4be4..3036834c 100644
--- a/caddytls/crypto.go
+++ b/caddytls/crypto.go
@@ -151,6 +151,13 @@ func stapleOCSP(cert *Certificate, pemBundle []byte) error {
 	// the certificate. If the OCSP response was not loaded from
 	// storage, we persist it for next time.
 	if ocspResp.Status == ocsp.Good {
+		if ocspResp.NextUpdate.After(cert.NotAfter) {
+			// uh oh, this OCSP response expires AFTER the certificate does, that's kinda bogus.
+			// it was the reason a lot of Symantec-validated sites (not Caddy) went down
+			// in October 2017. https://twitter.com/mattiasgeniar/status/919432824708648961
+			return fmt.Errorf("invalid: OCSP response for %v valid after certificate expiration (%s)",
+				cert.Names, cert.NotAfter.Sub(ocspResp.NextUpdate))
+		}
 		cert.Certificate.OCSPStaple = ocspBytes
 		cert.OCSP = ocspResp
 		if gotNewOCSP {
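Review bot: The duration in the new error message has its operands reversed: the branch is only taken when NextUpdate is after NotAfter, so `cert.NotAfter.Sub(ocspResp.NextUpdate)` is always negative and the log line will read like "(-72h0m0s)"; swap it to `cert.Names, ocspResp.NextUpdate.Sub(cert.NotAfter))` so the overshoot is reported as a positive amount. This check also only rejects a response that outlives the certificate; unless an earlier part of stapleOCSP (its body starts before this hunk and continues after it) already rejects a response whose NextUpdate is in the past or whose ThisUpdate is in the future, a stale or not-yet-valid response would still be stapled here, which is worth confirming. A response that omits NextUpdate carries a zero time.Time and passes this comparison unchanged, which appears intentional but deserves a short comment such as `// a zero NextUpdate (field absent in the response) is not rejected here`.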