auto-ssl/lua-resty-auto-ssl

Invalid cached OCSP response might be used

klkvsk opened this issue · 1 comment

I got reports of the MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING error code today from Firefox users of my website. I noticed that the certificate had been renewed minutes before the reports began.

This led me to the conclusion that the OCSP stapling routine is not called right after a new certificate is installed. Then I found that in set_ocsp_stapling (ssl_certificate.lua:210) the OCSP response is cached for 1 hour and the cache key is "domain:ocsp:" .. domain, BUT in order to request an actual OCSP response you provide your full certificate, not the domain name alone.

Therefore, since there is no cache invalidation after the certificate is renewed, there might be situations where the cached OCSP response for an older certificate is used in a response with the newer certificate.

So maybe the cache key should include the certificate fingerprint instead of the domain name?
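An added example, not code from lua-resty-auto-ssl, that reproduces the caching behaviour described in this issue and the proposed fix: a small TTL cache standing in for the shared dict, a constructed "OCSP responder" whose answer is bound to the certificate bytes, and two constructed DER blobs playing the pre- and post-renewal certificate for the same domain. Keyed by domain alone, the renewed certificate is served the staple of its predecessor until the TTL expires; keyed by domain plus SHA-256 fingerprint, the first handshake after renewal fetches a fresh response.

```python
import hashlib
import time


class TTLCache:
    """Constructed stand-in for a shared-memory cache with per-key TTL."""

    def __init__(self, clock=time.monotonic):
        self._store = {}
        self._clock = clock

    def get(self, key):
        entry = self._store.get(key)
        if entry is None:
            return None
        value, expires_at = entry
        if self._clock() >= expires_at:      # expired: drop and report a miss
            del self._store[key]
            return None
        return value

    def set(self, key, value, ttl):
        self._store[key] = (value, self._clock() + ttl)


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER encoding, the usual certificate fingerprint."""
    return hashlib.sha256(cert_der).hexdigest()


def fetch_ocsp_response(cert_der: bytes) -> bytes:
    """Constructed responder: a real OCSP response is bound to one certificate."""
    return b"OCSP-for-" + cert_fingerprint(cert_der)[:16].encode()


def cached_ocsp(cache, domain, cert_der, key_by_fingerprint, ttl=3600):
    """Return a staple for cert_der, consulting the cache first (1 h TTL as in the issue)."""
    if key_by_fingerprint:
        key = f"domain:ocsp:{domain}:{cert_fingerprint(cert_der)}"  # proposed fix
    else:
        key = f"domain:ocsp:{domain}"                                # key the issue describes
    resp = cache.get(key)
    if resp is None:
        resp = fetch_ocsp_response(cert_der)
        cache.set(key, resp, ttl)
    return resp


def staple_matches_after_renewal(key_by_fingerprint) -> bool:
    """Staple the old cert, renew, then check whether the new cert gets its own response."""
    cache = TTLCache()
    old_cert = b"constructed DER: CN=example.com serial=1"  # constructed sample input
    new_cert = b"constructed DER: CN=example.com serial=2"  # constructed sample input
    cached_ocsp(cache, "example.com", old_cert, key_by_fingerprint)
    stapled = cached_ocsp(cache, "example.com", new_cert, key_by_fingerprint)
    return stapled == fetch_ocsp_response(new_cert)
```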

zas commented

We just encountered the exact same issue.
It seems the suggested fix would work in this case.
Can we expect a patch anytime soon?