airtower-luna / mod_gnutls Goto Github PK

Many, unfortunately not yet all, test definition files (test/tests/*/test.yaml) have descriptions for their test connections. Those descriptions are currently only used in the test logs. It'd be nice to be able to generate a human-readable overview of all test cases, their connections, and the associated descriptions.

Write a Python script that compiles this information from the YAML files. The output should be markdown, optionally with a Makefile target to generate HTML if pandoc is available.

Currently test configuration files in test/tests/*/ as described in the test implementation documentation must be manually added to EXTRA_DIST in test/tests/Makefile.am so they get included in distribution archives.

Likewise, tests need an entry in test_scripts in test/Makefile.am to actually be executed.

Create a script that automatically updates those lists based on the content of the test/tests/ directory when run. The script is meant to be run by developers as needed, followed by a manual commit. It should not be run automatically at any point or interact with git (except possibly to check if there are any changes).

Describe the bug

Please describe precisely what the problem is.

Version

Which version of mod_gnutls are you using, and which operating
system/distribution?

How To Reproduce

What exactly are you doing, and what happens?

1. Configure the server like this: [...]
2. Run [...]
3. Do this or that [...]
4. Error happens: [...]

Expected behavior

What do you expect to happen instead?

/#
/## Describe the bug

Please describe precisely what the problem is.

Version

Which version of mod_gnutls are you using, and which operating
system/distribution?

How To Reproduce

What exactly are you doing, and what happens?

1. Configure the server like this: [...]
2. Run [...]
3. Do this or that [...]
4. Error happens: [...]

Expected behavior

What do you expect to happen instead?

Describe the bug

mod_gnutls uses SHA256 for signing OSCP requests, which does not work with Let's Encrypt.

Version

mod_gnutls-0.11
gnutls-3.7.1
apache-2.4.48

Comments

We can read in the Baseline Requirements section 4.9.10: On-line revocation checking requirements[1] that:
OCSP responders operated by the CA SHALL support the HTTP GET method, as described in RFC 6960 and/or RFC 5019

From what I can find out, the RFC 6960[2] does not say which hash algorithms to support, while the older RFC 5019[3] in section 2.1.1 says:
Clients MUST use SHA1 as the hashing algorithm for the CertID.issuerNameHash and the CertID.issuerKeyHash values.

There has been a long thread about the issue over at the Let's Encrypt community forum[4] which also lead to a feature request for SHA256 support with Let's Encrypt[5]

It might a good thing for mod_gnutls to support Let's Encrypt as it is a very popular CA these days.

Apache Logs

[Thu Jul 08 10:18:18.184778 2021] [gnutls:error] [pid 3743:tid 140005030573632] Invalid HTTP response status from r3.o.lencr.org: HTTP/1.0 400 Bad Request
[Thu Jul 08 10:18:18.194329 2021] [gnutls:error] [pid 3743:tid 140005030573632] (104)Connection reset by peer: [client 192.168.0.123:45403] Caching a fresh OCSP response failed
[Thu Jul 08 10:18:36.620187 2021] [gnutls:error] [pid 3724:tid 140005022180928] Invalid HTTP response status from r3.o.lencr.org: HTTP/1.0 400 Bad Request
[Thu Jul 08 10:18:36.620289 2021] [gnutls:error] [pid 3724:tid 140005022180928] (104)Connection reset by peer: [client 162.158.134.73:10982] Caching a fresh OCSP response failed
...very many lines...
[Thu Jul 08 20:40:55.240304 2021] [gnutls:error] [pid 3743:tid 140004055578176] Invalid HTTP response status from r3.o.lencr.org: HTTP/1.0 400 Bad Request
[Thu Jul 08 20:40:55.240428 2021] [gnutls:error] [pid 3743:tid 140004055578176] (104)Connection reset by peer: [client 2a01:4f9:c010:739b::1:41676] Caching a fresh OCSP response failed
[Thu Jul 08 20:41:08.445713 2021] [gnutls:error] [pid 3743:tid 140005030573632] Invalid HTTP response status from r3.o.lencr.org: HTTP/1.0 400 Bad Request
[Thu Jul 08 20:41:08.445801 2021] [gnutls:error] [pid 3743:tid 140005030573632] (104)Connection reset by peer: [client 104.197.157.91:33832] Caching a fresh OCSP response failed

[Thu Jul 08 10:17:46.849336 2021] [gnutls:warn] [pid 3719:tid 140005416871808] Could not create OCSP stapling configuration for certificate 1 in chain (CN=R3,O=Let's Encrypt,C=US): No OCSP URI in the certificate nor a GnuTLSOCSPResponseFile setting, cannot configure OCSP stapling.
[Thu Jul 08 10:17:46.898264 2021] [gnutls:warn] [pid 3720:tid 140005416871808] Could not create OCSP stapling configuration for certificate 1 in chain (CN=R3,O=Let's Encrypt,C=US): No OCSP URI in the certificate nor a GnuTLSOCSPResponseFile setting, cannot configure OCSP stapling.

[1] https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.7.3.pdf
[2] https://datatracker.ietf.org/doc/html/rfc6960
[3] https://datatracker.ietf.org/doc/html/rfc5019#section-2.1.1
[4] https://community.letsencrypt.org/t/support-mod-gnutls-with-apache/155015/43
[5] letsencrypt/boulder#5523