Red Hat Bugzilla – Bug 984688
OCSP responses with very old thisUpdate are accepted (primary discussion in bug 996544) [rhel-5]
Last modified: 2014-10-23 10:35:45 EDT
Description of problem:
If an OCSP response has thisUpdate set to a very old date (half a year ago) with nextUpdate in the future, the response is still considered trustworthy.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Create a CA structure with at least CA and server certificate
2. Run ocspsrvd.jar with "--status GOOD --this-update-offset -0.5y --next-update-offset 1d" options
3. Try to validate server certificate using /usr/lib64/nss/unsupported-tools/ocspclnt -V server -u s
Actual results:
Verification of certificate "server" succeeded.

Expected results:
Verification of certificate "server" failed. Reason:
The OCSP response contains out-of-date information.
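The reproducer above boils down to a freshness policy: a client that only checks that the current time falls between thisUpdate and nextUpdate will accept a response whose thisUpdate is months old, which lets a captured response be replayed for as long as its nextUpdate allows. The following is an added example, not NSS code and not code from this bug; it works on the timing fields directly rather than parsing ASN.1, and the seven-day maximum age and five-minute clock-skew allowance are assumptions chosen for illustration. The sample timings are constructed to match the reproducer (thisUpdate half a year back, nextUpdate one day ahead).

```python
"""Freshness policy for OCSP response timing fields (added example, not NSS code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple


@dataclass
class OcspTiming:
    """The two timing fields of a BasicOCSPResponse single response."""
    this_update: datetime
    next_update: Optional[datetime]  # nextUpdate is OPTIONAL in RFC 6960


# Fixed clock so the example is reproducible (constructed value).
NOW = datetime(2013, 7, 15, 12, 0, tzinfo=timezone.utc)

# Constructed sample responses. The first one mirrors the bug's reproducer:
# "--this-update-offset -0.5y --next-update-offset 1d".
STALE_BUT_UNEXPIRED = OcspTiming(
    this_update=NOW - timedelta(days=182),
    next_update=NOW + timedelta(days=1),
)
FRESH = OcspTiming(
    this_update=NOW - timedelta(hours=1),
    next_update=NOW + timedelta(days=1),
)
EXPIRED = OcspTiming(
    this_update=NOW - timedelta(days=2),
    next_update=NOW - timedelta(hours=1),
)


def lenient_check(t: OcspTiming, now: datetime) -> bool:
    """Validity-window check only: the behaviour the bug reports.

    A response passes whenever thisUpdate is in the past and nextUpdate
    (if present) is in the future, however old thisUpdate is.
    """
    if t.this_update > now:
        return False
    if t.next_update is not None and t.next_update < now:
        return False
    return True


def strict_check(
    t: OcspTiming,
    now: datetime,
    max_age: timedelta = timedelta(days=7),     # assumed policy value
    skew: timedelta = timedelta(minutes=5),     # assumed clock-skew allowance
) -> Tuple[bool, str]:
    """Validity window plus an upper bound on the age of thisUpdate.

    Returns (accepted, reason). The age bound is what closes the gap:
    a response whose thisUpdate is older than max_age is rejected even
    when its nextUpdate is still in the future. When nextUpdate is
    absent, the age bound is the only expiry the client has.
    """
    if t.this_update > now + skew:
        return False, "thisUpdate is in the future"
    if t.next_update is not None and t.next_update < now - skew:
        return False, "nextUpdate has passed"
    if now - t.this_update > max_age:
        return False, "The OCSP response contains out-of-date information."
    return True, "fresh"


if __name__ == "__main__":
    for name, timing in (("stale", STALE_BUT_UNEXPIRED), ("fresh", FRESH), ("expired", EXPIRED)):
        print(name, "lenient:", lenient_check(timing, NOW), "strict:", strict_check(timing, NOW))
```

The lenient check accepts the stale response exactly as the bug describes, while the strict check rejects it with the reason the reporter expected. The max age is a client policy choice; what matters is that the client bounds thisUpdate at all rather than trusting nextUpdate alone.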
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release. Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products. This request is not yet committed for inclusion in

Development Management has reviewed and declined this request.
You may appeal this decision by reopening this request.