OCSP and Comodo cert

Question

Hi all,&nbsp;I was wondering if somebody ran into the same issue with OCSP and Comodo issued certs.&nbsp;Since last week we're getting "OCSP Check Failed" messages for Comodo issued certificates. We did some tcpdumps to figure out what's going on and it seems that Comodo OCSP URL requires a host header.&nbsp;This was the HTTP response to our OCSP request:&nbsp;Invalid URL
The requested URL "[no URL]", is invalid.

Reference 9.7ce58db.1529652000.5b7f63bA manually performed check confirmed the issue (we're on 12.1.2-HF2):&nbsp; openssl ocsp -issuer comodo-chain-bundle.crt -cert web-certificate.crt -text -url http://ocsp.comodoca.com -no_nonce -verify_other comodo-chain-bundle.crt
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: xxxx
          Issuer Key Hash: yyyy
          Serial Number: zzzz
Error querying OCSP responder
47881717408264:error:27076072:OCSP routines:PARSE_HTTP_LINE1:server response error:ocsp_ht.c:247:Code=400,Reason=Bad RequestBy adding a host header to the openssl command we were able to get a successful response:&nbsp; openssl ocsp -issuer comodo-chain-bundle.crt -cert web-certificate.crt -text -url http://ocsp.comodoca.com -no_nonce -verify_other comodo-chain-bundle.crt -header "Host" "ocsp.comodoca.com"
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: xxxx
          Issuer Key Hash: yyyy
          Serial Number: zzzz
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
    Produced At: Jun 20 08:45:26 2018 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: xxxx
      Issuer Key Hash: yyyy
      Serial Number: zzzz
    Cert Status: good
    This Update: Jun 20 08:45:26 2018 GMT
    Next Update: Jun 27 08:45:26 2018 GMT

Signature Algorithm: sha256WithRSAEncryption
         ---snippp---
Response verify OK
web-certificate.crt: good
        This Update: Jun 20 08:45:26 2018 GMT
        Next Update: Jun 27 08:45:26 2018 GMTThe "web-certificate.crt" is issued by&nbsp;Issuer: COMODO RSA Domain Validation Secure Server CA, COMODO CA Limited Write review of ComodoOur "comodo-chain-bundle.crt" contains&nbsp;Common Name: COMODO RSA Domain Validation Secure Server CA
Issuer: COMODO RSA Certification Authority, COMODO CA Limited Write review of Comodo
Common Name: COMODO RSA Certification Authority
Issuer: COMODO RSA Certification Authority, COMODO CA LimitedOur implemented OCSP check doesn't send a host header and we have no issue with certificates issued by other CAs.&nbsp;Does anybody know a workaround? Can we savely add a host header to our OCSP check without affecting the checks of other certificates?&nbsp;Any hint is much appreciated. cheers&nbsp;

jg · Answer

This is an issue with openssl and is fixed in v1.0.2. See https://github.com/openssl/openssl/issues/1986.&nbsp;
The latest BIG-IP (v13.1.0.7) has openssl v1.0.1l installed.&nbsp;

Forum Discussion

OCSP and Comodo cert

Recent Discussions

APM with EntraID as idP / request signed

Should config via cli rather than gui?

Background Tasks

APM Modern Customization - modify Header in user-common.js and form in user-logon.js

Which process is consuming higher CPU

Related Content

Client Cert Request by URI with OCSP Checking

Configuring OCSP Stapling on BIG-IP

Building an OpenSSL Certificate Authority - Configuring CRL and OCSP

OCSP Responder

OCSP HTTP Header Specification/Example or field name of EDIPI?

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS