Bug 984688 - OCSP responses with very old thisUpdate are accepted (primary discussion in bug 996544) [rhel-5]
OCSP responses with very old thisUpdate are accepted (primary discussion in b...
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: nss (Show other bugs)
5.10
Unspecified Unspecified
unspecified Severity high
: rc
: ---
Assigned To: Elio Maldonado Batiz
BaseOS QE Security Team
:
Depends On:
Blocks: 996544 1049888 995148 1013057
  Show dependency treegraph
 
Reported: 2013-07-15 13:06 EDT by Hubert Kario
Modified: 2014-10-23 10:35 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 995148 996544 1013057 (view as bug list)
Environment:
Last Closed: 2014-10-23 10:35:45 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Hubert Kario 2013-07-15 13:06:03 EDT
Description of problem:
If an OCSP response has thisUpdate set to a very old date (half a year ago) with nextUpdate in the future, the response is still considered trustworthy.

Version-Release number of selected component (if applicable):
nss-3.14.3-11.el5
nss-tools-3.14.3-11.el5

How reproducible:
Always

Steps to Reproduce:
1. Create a CA structure with at least CA and server certificate
2. Run ocspsrvd.jar with "--status GOOD --this-update-offset -0.5y --next-update-offset 1d" options
3. Try to validate server certificate using /usr/lib64/nss/unsupported-tools/ocspclnt -V server -u s

Actual results:
Verification of certificate "server" succeeded.

Expected results:
Verification of certificate "server" failed.  Reason:
The OCSP response contains out-of-date information.
Comment 2 RHEL Product and Program Management 2013-07-24 00:03:27 EDT
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
Comment 4 RHEL Product and Program Management 2014-01-22 11:29:56 EST
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.
Comment 12 RHEL Product and Program Management 2014-07-15 20:26:33 EDT
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
Comment 14 RHEL Product and Program Management 2014-10-23 10:35:45 EDT
Development Management has reviewed and declined this request.
You may appeal this decision by reopening this request.

Note You need to log in before you can comment on or make changes to this bug.