Description of problem:
If an OCSP response has thisUpdate set to a very old date (half a year ago) with nextUpdate in the future, the response is still considered trustworthy.

Version-Release number of selected component (if applicable):
nss-3.14.3-11.el5
nss-tools-3.14.3-11.el5

How reproducible:
Always

Steps to Reproduce:
1. Create a CA structure with at least CA and server certificate
2. Run ocspsrvd.jar with "--status GOOD --this-update-offset -0.5y --next-update-offset 1d" options
3. Try to validate server certificate using /usr/lib64/nss/unsupported-tools/ocspclnt -V server -u s

Actual results:
Verification of certificate "server" succeeded.

Expected results:
Verification of certificate "server" failed. Reason: The OCSP response contains out-of-date information.
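The freshness gap described in the report above, as an added example (not NSS code and not part of the original report): a check that only tests whether the current time lies between thisUpdate and nextUpdate accepts the half-year-old response, while a check that also caps the age of thisUpdate rejects it. The function names, the 7-day maximum age, the 5-minute clock skew and the sample timestamps are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Assumed policy values; neither comes from NSS or from the bug report.
MAX_AGE = timedelta(days=7)
CLOCK_SKEW = timedelta(minutes=5)


def interval_only_ok(this_update, next_update, now):
    """Accept whenever now lies in [thisUpdate, nextUpdate]; age is ignored."""
    if this_update > now + CLOCK_SKEW:
        return False
    return next_update is None or now <= next_update + CLOCK_SKEW


def check_freshness(this_update, next_update, now, max_age=MAX_AGE):
    """Return (ok, reason); also rejects a thisUpdate older than max_age."""
    for ts in (this_update, next_update, now):
        if ts is not None and ts.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
    if this_update > now + CLOCK_SKEW:
        return False, "thisUpdate is in the future"
    if next_update is not None:
        if next_update < this_update:
            return False, "nextUpdate precedes thisUpdate"
        if now > next_update + CLOCK_SKEW:
            return False, "nextUpdate has passed"
    if now - this_update > max_age + CLOCK_SKEW:
        return False, "thisUpdate is older than the maximum age"
    return True, "fresh"


# Constructed timestamps mirroring the report's offsets:
# thisUpdate about half a year back (182 days), nextUpdate one day ahead.
NOW = datetime(2014, 1, 15, 12, 0, tzinfo=timezone.utc)
STALE_THIS_UPDATE = NOW - timedelta(days=182)
NEXT_UPDATE = NOW + timedelta(days=1)

if __name__ == "__main__":
    print("interval only:",
          interval_only_ok(STALE_THIS_UPDATE, NEXT_UPDATE, NOW))
    print("with max age:",
          check_freshness(STALE_THIS_UPDATE, NEXT_UPDATE, NOW))
```

When nextUpdate is absent, the maximum-age limit is the only bound on how long such a response would be accepted.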
This request was not resolved in time for the current release. Red Hat invites you to ask your support representative to propose this request, if still desired, for consideration in the next release of Red Hat Enterprise Linux.
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release.
Development Management has reviewed and declined this request. You may appeal this decision by reopening this request.