#1295 CA: OCSP via GET does not work
Closed: Fixed None Opened 9 years ago by edewata.

Currently the CA's built-in OCSP responder does not properly handle OCSP requests sent via HTTP GET. Requests sent via HTTP POST work just fine.

The OCSP responder should have accepted the following request:

GET /ca/ocsp/<base-64 encoded OCSP request>

However, the request doesn't even seem to reach the OCSPServlet since there is no activity in the debug log. For example:

$ curl -v http://`hostname`:8080/ca/ocsp/foo

The above command returns an HTTP 404 error code instead of an OCSP error.

See also https://fedorahosted.org/freeipa/ticket/4919


https://tools.ietf.org/html/rfc6960#appendix-A.1:

GET {url}/{url-encoding of base-64 encoding of the DER encoding of the OCSPRequest}
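
An added example (not part of the ticket or of the Dogtag code) of the RFC 6960 A.1 GET construction quoted above, together with the matching server-side decode. The function names are assumptions, the sample bytes are a constructed placeholder rather than a real OCSPRequest, and `/ca/ocsp/` is the path from this ticket.

```python
import base64
from urllib.parse import quote, unquote

OCSP_PREFIX = "/ca/ocsp/"  # responder path used in this ticket

# Constructed sample: a DER SEQUENCE header plus filler bytes chosen so that the
# base64 form contains '/', '+' and '='. It is NOT a real OCSPRequest.
SAMPLE_DER = bytes([0x30, 0x05, 0xFB, 0xFF, 0xBF, 0x3E, 0xFF])


def build_get_path(der_request: bytes, prefix: str = OCSP_PREFIX) -> str:
    """Client side: {url}/{url-encoding of base-64 encoding of the DER bytes}."""
    b64 = base64.b64encode(der_request).decode("ascii")
    # safe="" escapes '/', '+' and '=' too; an unescaped '/' from the base64
    # alphabet would otherwise be read as an extra path segment.
    return prefix + quote(b64, safe="")


def der_length_ok(data: bytes) -> bool:
    """True if data is exactly one DER SEQUENCE (tag 0x30) with a matching length."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short-form length
        return len(data) == 2 + first
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or len(data) < 2 + n:
        return False
    return len(data) == 2 + n + int.from_bytes(data[2:2 + n], "big")


def parse_get_path(raw_path: str, prefix: str = OCSP_PREFIX) -> bytes:
    """Server side: recover the DER bytes from the raw (still-escaped) path."""
    if not raw_path.startswith(prefix):
        raise ValueError("not an OCSP GET path")
    b64 = unquote(raw_path[len(prefix):])   # unquote() keeps '+' as '+'
    try:
        der = base64.b64decode(b64, validate=True)
    except ValueError as exc:               # binascii.Error subclasses ValueError
        raise ValueError("path is not valid base64") from exc
    if not der_length_ok(der):
        raise ValueError("payload is not a single DER SEQUENCE")
    return der
```

With this decode, a path such as `/ca/ocsp/foo` is still routed to the OCSP handler and rejected there as a malformed request, rather than being answered with a 404 by the container.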

Per discussion with Endi on 03/09/2015: 10.3

Moving to 10.2.3 per discussion with mkosek.

pushed to master
commit 267635f87c5ba9382f0931ad3e1b7cb9e42c6a6d

added upgrade script:

commit 2aa7ed131f4d229269088775513f23ec8b3793ec
Author: Christina Fu cfu@redhat.com
Date: Mon May 4 15:51:48 2015 -0700

Ticket 1295 Upgrade script for - CA: OCSP via GET does not work

Metadata Update from @edewata:
- Issue assigned to cfu
- Issue set to the milestone: 10.2.4

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/1857

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on the Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
