[SOLVED] wget2 OCSP response too old and stapled OCSP failed
Wget2 built with openssl does not perform OCSP verification if the server certificate does not contain an OCSP URI, and then the connection or download fails:
Code:
$ wget2 https://github.com/stedolan/jq/releases/download/jq-1.6/jq-1.6.tar.gz
[0] Downloading 'https://github.com/stedolan/jq/releases/download/jq-1.6/jq-1.6.tar.gz' ...
HTTP response 302 [https://github.com/stedolan/jq/releases/download/jq-1.6/jq-1.6.tar.gz]
Adding URL: https://github-releases.githubusercontent.com/5101141/e4612500-eca9-11e8-8306-c58af06c65f5?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20211009%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20211009T101044Z&X-Amz-Expires=300&X-Amz-Signature=12f57c7b85eaf9c11b2fad1507d2d3cf08630c0920a9bd15c8ccbd958550f254&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=5101141&response-content-disposition=attachment%3B%20filename%3Djq-1.6.tar.gz&response-content-type=application%2Foctet-stream
OCSP response is too old. Ignoring.
Could not verify stapled OCSP response. Aborting.
Could not complete TLS handshake: invalid status response
OCSP response is too old. Ignoring.
Could not verify stapled OCSP response. Aborting.
Could not complete TLS handshake: invalid status response
OCSP response is too old. Ignoring.
Could not verify stapled OCSP response. Aborting.
Could not complete TLS handshake: invalid status response
OCSP response is too old. Ignoring.
Could not verify stapled OCSP response. Aborting.
Could not complete TLS handshake: invalid status response
Failed to connect (101)
Failed to connect (101)
Failed to connect (101)
Failed to connect (101)
Failed to connect: Connect error
Here is debug level 2 from stock wget2 (built with openssl):
Code:
[0] Downloading 'http://2' ...
09.174926.882 cookie_create_request_header for host=2 path=(null)
09.174926.882 has 20.205.243.166:443
09.174926.882 trying 20.205.243.166:443...
09.174926.883 OpenSSL initialized
09.174926.883 Sending 'status_request' extension in handshake
09.174926.883 ALPN offering h2
09.174926.883 ALPN offering http/1.1
09.174926.883 No cached TLS session available. Will run a full handshake.
09.174927.171 No HPKP pinning found for host 'github.com'
09.174927.171 OCSP URI not given and not found in certificate. Skipping OCSP check for cert 0.
09.174927.171 OCSP URI not given and not found in certificate. Skipping OCSP check for cert 1.
09.174927.171 No HPKP pinning found for host 'github.com'
09.174927.171 No HPKP pinning found for host 'github.com'
09.174927.171 No stapled OCSP response was received. Continuing.
09.174927.172 Handshake completed (full handshake - not resumed)
09.174927.172 TLS session discarded
09.174927.172 ALPN: Server accepted protocol 'h2'
09.174927.172 established connection github.com
Rebuilding wget2 using gnutls instead of openssl (--with-ssl=gnutls --with-openssl=off) causes wget2 to still perform OCSP verification even though the server certificate does not contain an OCSP URI. In my case wget2 was using the digicert OCSP server. Connect/download completed without error.
Code:
[0] Downloading 'http://2' ...
09.175126.553 cookie_create_request_header for host=2 path=(null)
09.175126.554 has 20.205.243.166:443
09.175126.554 trying 20.205.243.166:443...
09.175126.554 GnuTLS init
09.175126.566 GnuTLS system certificate store is empty
09.175126.566 Certificates loaded: 142
09.175126.566 GnuTLS init done
09.175126.566 TLS False Start requested
09.175126.566 ALPN offering h2
09.175126.566 ALPN offering http/1.1
09.175126.846 host has no pubkey pinnings stored in hpkp db
09.175126.846 host has no pubkey pinnings stored in hpkp db
09.175126.846 host has no pubkey pinnings stored in hpkp db
09.175126.846 host has no pubkey pinnings stored in hpkp db
09.175126.846 resolving ocsp.digicert.com:80...
09.175126.846 has 117.18.237.29:80
09.175126.846 trying 117.18.237.29:80...
09.175126.865 # sent 291 bytes:
POST / HTTP/1.1
Host: ocsp.digicert.com
Accept-Encoding: identity
Accept: */*
Connection: close
Content-Type: application/ocsp-request
Content-Length: 127
Thank you for the info. I've looked for that bug report but couldn't find it. So the culprit is the selected ssl library to link to because of --with-ssl=openssl. Instead of using -lssl, configure using -lopenssl. That is indeed an upstream bug.
--with-openssl explicitly selects the crypto library for checksumming etc.
The TLS library to use is auto-selected in this case.
While --with-ssl=openssl explicitly selects the TLS library to be OpenSSL.
So depending on which dev libraries you installed, both builds may use a different TLS library (or different versions); e.g. GnuTLS is preferred over OpenSSL in automatic mode.
It would be interesting to see what you end up with. If you could share the config.log for both cases, I can find out.
This error comes from the fact that the stapled OCSP response is older than 3 days.
I don't know why the check fails in OpenSSL and succeeds in GnuTLS, have to look into that.
In the meantime, could you disable that with --no-ocsp-date? That should disable this particular check.
but
Quote:
Hi,
Curiously, the issue (--with-openssl) no longer exists ...
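To make the maintainer's "stapled OCSP response is older than 3 days" explanation concrete, here is an added example (not code from wget2 or from anyone in this thread) that applies that freshness rule to the text that `openssl s_client -connect github.com:443 -status </dev/null` or `openssl ocsp -respin resp.der -text -noverify` prints for an OCSP response. The 3-day limit is taken from the maintainer's post and assumed to be a fixed threshold; the verdict names, the ordering of the checks and the embedded sample response are assumptions for the example. The sample is constructed, with its thisUpdate set four days before the timestamp in the OP's log, so it reproduces the "too old" outcome that wget2 reported.

```python
# Added example (not wget2's own code): reproduce offline the freshness check
# behind wget2's "OCSP response is too old" message, using the 3-day limit the
# maintainer quotes in this thread (assumed fixed).  Input is the text that
# `openssl s_client -status` or `openssl ocsp -text` prints.  The sample below
# is constructed, not a captured response.
import re
import sys
from datetime import datetime, timedelta, timezone

MAX_STAPLED_AGE = timedelta(days=3)  # threshold quoted by the maintainer above

# Constructed sample: produced 4 days before the OP's download attempt
# (X-Amz-Date=20211009T101044Z in the OP's log) but still inside its
# thisUpdate/nextUpdate validity window.  Responder name is a placeholder.
SAMPLE_RESPONSE = """\
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = XX, O = Example CA, CN = Example OCSP Responder
    Produced At: Oct  5 09:12:33 2021 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
    Cert Status: good
    This Update: Oct  5 09:12:33 2021 GMT
    Next Update: Oct 12 08:27:33 2021 GMT
"""


def parse_openssl_time(text):
    """Parse OpenSSL's ASN1_TIME print format, e.g. 'Oct  5 09:12:33 2021 GMT'."""
    parts = text.split()  # also collapses the double space before 1-digit days
    if parts and parts[-1] == "GMT":
        parts = parts[:-1]
    naive = datetime.strptime(" ".join(parts), "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)


def extract_field(text, name):
    """Return the value of a 'Name: value' line from OpenSSL's text dump, or None."""
    pattern = r"^\s*" + re.escape(name) + r":\s*(.+?)\s*$"
    m = re.search(pattern, text, re.MULTILINE)
    return m.group(1) if m else None


def check_stapled_response(text, now, max_age=MAX_STAPLED_AGE):
    """Classify an OCSP response the way a strict client would.

    Returns (verdict, detail).  Verdicts, in the order they are tested:
      missing  - no 'This Update' line, i.e. no OCSP response in the input
      not_good - certificate status is revoked or unknown
      expired  - nextUpdate lies in the past
      too_old  - thisUpdate is more than max_age before now (wget2's complaint)
      ok       - good and fresh
    """
    this_update = extract_field(text, "This Update")
    if this_update is None:
        return "missing", "no OCSP response data in input"
    status = extract_field(text, "Cert Status")
    if status != "good":
        return "not_good", f"certificate status is {status!r}"
    next_update = extract_field(text, "Next Update")
    if next_update is not None and parse_openssl_time(next_update) < now:
        return "expired", f"nextUpdate {next_update} is in the past"
    age = now - parse_openssl_time(this_update)
    if age > max_age:
        return "too_old", f"thisUpdate {this_update} is {age} old (limit {max_age})"
    return "ok", f"thisUpdate {this_update} is {age} old"


# Time of the OP's failed download, taken from the X-Amz-Date in the log.
NOW = parse_openssl_time("Oct  9 10:10:44 2021 GMT")


def main():
    # Live use:  openssl s_client -connect github.com:443 -status </dev/null | python3 ocsp_age.py
    # With no piped input, evaluate the constructed sample at the OP's timestamp.
    if sys.stdin.isatty():
        text, now = SAMPLE_RESPONSE, NOW
    else:
        text, now = sys.stdin.read(), datetime.now(timezone.utc)
    verdict, detail = check_stapled_response(text, now)
    print(f"{verdict}: {detail}")


if __name__ == "__main__":
    main()
```

Run against the sample it reports `too_old`, the same condition wget2 hit; piping live `openssl s_client ... -status` output in evaluates the server's current staple instead. The OP's debug log also shows the other half of the picture, "OCSP URI not given and not found in certificate": `openssl x509 -in cert.pem -noout -ocsp_uri` prints nothing for such a certificate, which is why an OpenSSL-linked build that only follows the certificate's AIA extension has nowhere to fetch a fresher response from and is left with whatever the server staples.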