
tls: Final check of OCSP response validity date before stapling

This commit is contained in:
Matthew Holt 2017-10-16 17:25:55 -06:00
parent c6a2911725
commit a2db340378
No known key found for this signature in database
GPG key ID: 2A349DD577D586A5


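--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -151,6 +151,13 @@ func stapleOCSP(cert *Certificate, pemBundle []byte) error {
 // the certificate. If the OCSP response was not loaded from
 // storage, we persist it for next time.
 if ocspResp.Status == ocsp.Good {
+if ocspResp.NextUpdate.After(cert.NotAfter) {
+// uh oh, this OCSP response expires AFTER the certificate does, that's kinda bogus.
+// it was the reason a lot of Symantec-validated sites (not Caddy) went down
+// in October 2017. https://twitter.com/mattiasgeniar/status/919432824708648961
+return fmt.Errorf("invalid: OCSP response for %v valid after certificate expiration (%s)",
+cert.Names, cert.NotAfter.Sub(ocspResp.NextUpdate))
+}
 cert.Certificate.OCSPStaple = ocspBytes
 cert.OCSP = ocspResp
 if gotNewOCSP {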
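Review bot: The duration in the new `fmt.Errorf` is computed as `cert.NotAfter.Sub(ocspResp.NextUpdate)`, which is always negative when the guard directly above it fires (NextUpdate is after NotAfter), so the logged gap reads like `(-72h0m0s)`; reverse the operands to `ocspResp.NextUpdate.Sub(cert.NotAfter)`. The guard only compares NextUpdate against the certificate's expiry and not against the current time, so a response that is already past its NextUpdate (or whose ThisUpdate lies in the future) would still be stapled unless something earlier in stapleOCSP rejects it — if that is not covered elsewhere, a check such as `if !ocspResp.NextUpdate.IsZero() && ocspResp.NextUpdate.Before(time.Now()) { return fmt.Errorf(...) }` would prevent serving a stale staple, which fails on clients in the same way the comment describes. Responders may omit NextUpdate (zero time), in which case the new `After` check is a harmless no-op and worth a short comment saying so. stapleOCSP begins and ends outside this hunk.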