
mod_gnutls's Issues

Filaksiwiv

Describe the bug

Please describe precisely what the problem is.

Version

Which version of mod_gnutls are you using, and which operating
system/distribution?

How To Reproduce

What exactly are you doing, and what happens?

  1. Configure the server like this: [...]
  2. Run [...]
  3. Do this or that [...]
  4. Error happens: [...]

Expected behavior

What do you expect to happen instead?

Mod——gnutld

Describe the bug

Please describe precisely what the problem is.

Version

Which version of mod_gnutls are you using, and which operating
system/distribution?

How To Reproduce

What exactly are you doing, and what happens?

  1. Configure the server like this: [...]
  2. Run [...]
  3. Do this or that [...]
  4. Error happens: [...]

Expected behavior

What do you expect to happen instead?

Script to automate Makefile.am updates for new/renamed tests

Currently test configuration files in test/tests/*/ as described in the test implementation documentation must be manually added to EXTRA_DIST in test/tests/Makefile.am so they get included in distribution archives.

Likewise, tests need an entry in test_scripts in test/Makefile.am to actually be executed.

Create a script that automatically updates those lists based on the content of the test/tests/ directory when run. The script is meant to be run by developers as needed, followed by a manual commit. It should not be run automatically at any point or interact with git (except possibly to check if there are any changes).

mod_gnutls does not support Let's Encrypt OCSP

Describe the bug

mod_gnutls uses SHA256 for signing OCSP requests, which does not work with Let's Encrypt.

Version

mod_gnutls-0.11
gnutls-3.7.1
apache-2.4.48

Comments

We can read in the Baseline Requirements section 4.9.10: On-line revocation checking requirements[1] that:
OCSP responders operated by the CA SHALL support the HTTP GET method, as described in RFC 6960 and/or RFC 5019

From what I can find out, the RFC 6960[2] does not say which hash algorithms to support, while the older RFC 5019[3] in section 2.1.1 says:
Clients MUST use SHA1 as the hashing algorithm for the CertID.issuerNameHash and the CertID.issuerKeyHash values.

There has been a long thread about the issue over at the Let's Encrypt community forum[4], which also led to a feature request for SHA256 support with Let's Encrypt[5].

It might be a good thing for mod_gnutls to support Let's Encrypt as it is a very popular CA these days.

Apache Logs

[Thu Jul 08 10:18:18.184778 2021] [gnutls:error] [pid 3743:tid 140005030573632] Invalid HTTP response status from r3.o.lencr.org: HTTP/1.0 400 Bad Request
[Thu Jul 08 10:18:18.194329 2021] [gnutls:error] [pid 3743:tid 140005030573632] (104)Connection reset by peer: [client 192.168.0.123:45403] Caching a fresh OCSP response failed
[Thu Jul 08 10:18:36.620187 2021] [gnutls:error] [pid 3724:tid 140005022180928] Invalid HTTP response status from r3.o.lencr.org: HTTP/1.0 400 Bad Request
[Thu Jul 08 10:18:36.620289 2021] [gnutls:error] [pid 3724:tid 140005022180928] (104)Connection reset by peer: [client 162.158.134.73:10982] Caching a fresh OCSP response failed
...very many lines...
[Thu Jul 08 20:40:55.240304 2021] [gnutls:error] [pid 3743:tid 140004055578176] Invalid HTTP response status from r3.o.lencr.org: HTTP/1.0 400 Bad Request
[Thu Jul 08 20:40:55.240428 2021] [gnutls:error] [pid 3743:tid 140004055578176] (104)Connection reset by peer: [client 2a01:4f9:c010:739b::1:41676] Caching a fresh OCSP response failed
[Thu Jul 08 20:41:08.445713 2021] [gnutls:error] [pid 3743:tid 140005030573632] Invalid HTTP response status from r3.o.lencr.org: HTTP/1.0 400 Bad Request
[Thu Jul 08 20:41:08.445801 2021] [gnutls:error] [pid 3743:tid 140005030573632] (104)Connection reset by peer: [client 104.197.157.91:33832] Caching a fresh OCSP response failed
[Thu Jul 08 10:17:46.849336 2021] [gnutls:warn] [pid 3719:tid 140005416871808] Could not create OCSP stapling configuration for certificate 1 in chain (CN=R3,O=Let's Encrypt,C=US): No OCSP URI in the certificate nor a GnuTLSOCSPResponseFile setting, cannot configure OCSP stapling.
[Thu Jul 08 10:17:46.898264 2021] [gnutls:warn] [pid 3720:tid 140005416871808] Could not create OCSP stapling configuration for certificate 1 in chain (CN=R3,O=Let's Encrypt,C=US): No OCSP URI in the certificate nor a GnuTLSOCSPResponseFile setting, cannot configure OCSP stapling.

[1] https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.7.3.pdf
[2] https://datatracker.ietf.org/doc/html/rfc6960
[3] https://datatracker.ietf.org/doc/html/rfc5019#section-2.1.1
[4] https://community.letsencrypt.org/t/support-mod-gnutls-with-apache/155015/43
[5] letsencrypt/boulder#5523
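The log excerpt above is the only visible symptom of stapling silently not happening: clients still get a handshake, just without a stapled response. As an added example (not part of mod_gnutls or of the issue), the script below parses mod_gnutls error-log lines of the shape shown above, counts responder HTTP status codes per responder host, counts "Caching a fresh OCSP response failed" events, and lists certificates for which no stapling configuration could be created. It also separates responders that only ever answer 4xx (the request itself is being rejected, as with the CertID hash mismatch discussed in this issue) from ones returning 5xx (responder outage). The sample lines are constructed, modelled on the excerpt; the 503 line and the `core:notice` line are added to show the distinction.

```python
"""Summarise OCSP stapling failures reported by mod_gnutls in the Apache error log.
Example code for this issue, not part of mod_gnutls."""
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the log excerpt in the issue (hosts/IPs are illustrative).
SAMPLE_LOG = """\
[Thu Jul 08 10:17:46.849336 2021] [gnutls:warn] [pid 3719:tid 140005416871808] Could not create OCSP stapling configuration for certificate 1 in chain (CN=R3,O=Let's Encrypt,C=US): No OCSP URI in the certificate nor a GnuTLSOCSPResponseFile setting, cannot configure OCSP stapling.
[Thu Jul 08 10:18:18.184778 2021] [gnutls:error] [pid 3743:tid 140005030573632] Invalid HTTP response status from r3.o.lencr.org: HTTP/1.0 400 Bad Request
[Thu Jul 08 10:18:18.194329 2021] [gnutls:error] [pid 3743:tid 140005030573632] (104)Connection reset by peer: [client 192.168.0.123:45403] Caching a fresh OCSP response failed
[Thu Jul 08 10:18:36.620187 2021] [gnutls:error] [pid 3724:tid 140005022180928] Invalid HTTP response status from r3.o.lencr.org: HTTP/1.0 400 Bad Request
[Thu Jul 08 10:18:36.620289 2021] [gnutls:error] [pid 3724:tid 140005022180928] (104)Connection reset by peer: [client 162.158.134.73:10982] Caching a fresh OCSP response failed
[Thu Jul 08 10:19:00.000000 2021] [gnutls:error] [pid 3724:tid 140005022180928] Invalid HTTP response status from ocsp.example.test: HTTP/1.1 503 Service Unavailable
[Thu Jul 08 10:19:01.000000 2021] [core:notice] [pid 3719:tid 140005416871808] AH00094: Command line: '/usr/sbin/httpd'
"""

# Apache 2.4 error_log line: [timestamp] [module:level] [pid N:tid N] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[^:\]]+):(?P<level>[^\]]+)\] "
    r"\[pid (?P<pid>\d+):tid (?P<tid>\d+)\] (?P<msg>.*)$"
)
STATUS_RE = re.compile(
    r"Invalid HTTP response status from (?P<responder>[^:\s]+): HTTP/\S+ (?P<code>\d{3})"
)
CACHE_FAIL = "Caching a fresh OCSP response failed"
NO_URI_RE = re.compile(
    r"Could not create OCSP stapling configuration for certificate (?P<idx>\d+) "
    r"in chain \((?P<subject>[^)]*)\)"
)


def parse_line(line):
    """Split one error_log line into its fields, or return None for foreign formats."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarise(log_text):
    """Aggregate mod_gnutls OCSP events from the given log text."""
    status_by_responder = defaultdict(Counter)
    cache_failures = 0
    unconfigured = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["module"] != "gnutls":
            continue  # only lines written by mod_gnutls are of interest here
        msg = rec["msg"]
        sm = STATUS_RE.search(msg)
        if sm:
            status_by_responder[sm["responder"]][int(sm["code"])] += 1
            continue
        if CACHE_FAIL in msg:
            cache_failures += 1
            continue
        um = NO_URI_RE.search(msg)
        if um:
            unconfigured.append((int(um["idx"]), um["subject"]))
    return {
        "status_by_responder": {k: dict(v) for k, v in status_by_responder.items()},
        "cache_failures": cache_failures,
        "unconfigured": unconfigured,
    }


def responders_rejecting_requests(summary):
    """Responders that answered only with 4xx: the request is being refused
    (e.g. an unsupported CertID hash), which is not the same as an outage (5xx)."""
    return sorted(host for host, codes in summary["status_by_responder"].items()
                  if codes and all(400 <= c < 500 for c in codes))


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    for host, codes in s["status_by_responder"].items():
        print(f"{host}: {codes}")
    print(f"cache failures: {s['cache_failures']}")
    print(f"no stapling config: {s['unconfigured']}")
    print(f"responders rejecting our requests: {responders_rejecting_requests(s)}")
```

Run against a real error_log (`summarise(open(path).read())`), a steady stream of 400s from one responder with no 5xx is the signature of a request the responder will never accept, so retrying will not help and the stapling configuration (or the request format, as this issue proposes) needs changing.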

Generate test description overview

Many, unfortunately not yet all, test definition files (test/tests/*/test.yaml) have descriptions for their test connections. Those descriptions are currently only used in the test logs. It'd be nice to be able to generate a human-readable overview of all test cases, their connections, and the associated descriptions.

Write a Python script that compiles this information from the YAML files. The output should be markdown, optionally with a Makefile target to generate HTML if pandoc is available.
