wget2 OCSP response too old and stapled OCSP failed
by walecha from LinuxQuestions.org on (#5QHEH)
Wget2 with openssl does not perform OCSP verification if the server certificate does not contain an OCSP URI, and then the connection or download fails.
Code:
$ wget2 https://github.com/stedolan/jq/releases/download/jq-1.6/jq-1.6.tar.gz
[0] Downloading 'https://github.com/stedolan/jq/releases/download/jq-1.6/jq-1.6.tar.gz' ...
HTTP response 302 [https://github.com/stedolan/jq/releases/download/jq-1.6/jq-1.6.tar.gz]
Adding URL: https://github-releases.githubusercontent.com/5101141/e4612500-eca9-11e8-8306-c58af06c65f5?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20211009%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20211009T101044Z&X-Amz-Expires=300&X-Amz-Signature=12f57c7b85eaf9c11b2fad1507d2d3cf08630c0920a9bd15c8ccbd958550f254&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=5101141&response-content-disposition=attachment%3B%20filename%3Djq-1.6.tar.gz&response-content-type=application%2Foctet-stream
OCSP response is too old. Ignoring.
Could not verify stapled OCSP response. Aborting.
Could not complete TLS handshake: invalid status response
OCSP response is too old. Ignoring.
Could not verify stapled OCSP response. Aborting.
Could not complete TLS handshake: invalid status response
OCSP response is too old. Ignoring.
Could not verify stapled OCSP response. Aborting.
Could not complete TLS handshake: invalid status response
OCSP response is too old. Ignoring.
Could not verify stapled OCSP response. Aborting.
Could not complete TLS handshake: invalid status response
Failed to connect (101)
Failed to connect (101)
Failed to connect (101)
Failed to connect (101)
Failed to connect: Connect error

Here is debug level 2 from stock wget2 (built with openssl):
Code:
[0] Downloading 'http://2' ...
09.174926.882 cookie_create_request_header for host=2 path=(null)
09.174926.882 has 20.205.243.166:443
09.174926.882 trying 20.205.243.166:443...
09.174926.883 OpenSSL initialized
09.174926.883 Sending 'status_request' extension in handshake
09.174926.883 ALPN offering h2
09.174926.883 ALPN offering http/1.1
09.174926.883 No cached TLS session available. Will run a full handshake.
09.174927.171 No HPKP pinning found for host 'github.com'
09.174927.171 OCSP URI not given and not found in certificate. Skipping OCSP check for cert 0.
09.174927.171 OCSP URI not given and not found in certificate. Skipping OCSP check for cert 1.
09.174927.171 No HPKP pinning found for host 'github.com'
09.174927.171 No HPKP pinning found for host 'github.com'
09.174927.171 No stapled OCSP response was received. Continuing.
09.174927.172 Handshake completed (full handshake - not resumed)
09.174927.172 TLS session discarded
09.174927.172 ALPN: Server accepted protocol 'h2'
09.174927.172 established connection github.com

Rebuilding wget2 using gnutls instead of openssl (--with-ssl=gnutls --with-openssl=off) causes wget2 to still perform OCSP verification even though the server certificate does not contain an OCSP URI. In my case wget2 was using the digicert ocsp server. Connect/download completed without error.
Code:
[0] Downloading 'http://2' ...
09.175126.553 cookie_create_request_header for host=2 path=(null)
09.175126.554 has 20.205.243.166:443
09.175126.554 trying 20.205.243.166:443...
09.175126.554 GnuTLS init
09.175126.566 GnuTLS system certificate store is empty
09.175126.566 Certificates loaded: 142
09.175126.566 GnuTLS init done
09.175126.566 TLS False Start requested
09.175126.566 ALPN offering h2
09.175126.566 ALPN offering http/1.1
09.175126.846 host has no pubkey pinnings stored in hpkp db
09.175126.846 host has no pubkey pinnings stored in hpkp db
09.175126.846 host has no pubkey pinnings stored in hpkp db
09.175126.846 host has no pubkey pinnings stored in hpkp db
09.175126.846 resolving ocsp.digicert.com:80...
09.175126.846 has 117.18.237.29:80
09.175126.846 trying 117.18.237.29:80...
09.175126.865 # sent 291 bytes:
POST / HTTP/1.1
Host: ocsp.digicert.com
Accept-Encoding: identity
Accept: */*
Connection: close
Content-Type: application/ocsp-request
Content-Length: 127
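The "OCSP response is too old" messages in the post come from wget2's freshness check on the stapled response. The following is an added example, not wget2's code or the poster's: it parses the text form that `openssl ocsp -respin <file> -text -noverify` prints (a constructed sample is embedded, with placeholder hashes and serial) and applies a freshness policy. The policy itself is an assumption about what a reasonable client does, not wget2's exact rules: thisUpdate must not be in the future beyond a small clock skew, nextUpdate (when present) must not have passed, and a response with no nextUpdate must be younger than MAX_AGE.

```python
"""Freshness check for an OCSP response in `openssl ocsp -text` format.

Added example; not wget2 code. The thresholds below are assumptions, not
values taken from wget2 or any CA policy.
"""
import re
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=7)        # assumption: max age when nextUpdate is absent
CLOCK_SKEW = timedelta(minutes=5)  # assumption: tolerated clock skew

# Constructed sample of the single-response section printed by
# `openssl ocsp -respin stapled.der -text -noverify`. Hashes/serial are placeholders.
SAMPLE_OCSP_TEXT = """\
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Example CA, CN = Example OCSP Responder
    Produced At: Sep 30 09:12:34 2021 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 0000000000000000000000000000000000000000
      Issuer Key Hash: 0000000000000000000000000000000000000000
      Serial Number: 0123456789ABCDEF
    Cert Status: good
    This Update: Sep 30 09:00:00 2021 GMT
    Next Update: Oct  7 08:59:59 2021 GMT
"""

_TIME_FMT = "%b %d %H:%M:%S %Y GMT"  # openssl's GENERALIZEDTIME rendering


def utc(s):
    """Parse an openssl-style timestamp ("Oct  7 08:59:59 2021 GMT") as aware UTC."""
    return datetime.strptime(s, _TIME_FMT).replace(tzinfo=timezone.utc)


def parse_ocsp_text(text):
    """Extract status and the three timestamps; next_update may be None."""
    def grab(label):
        m = re.search(rf"^\s*{label}: (.+)$", text, re.M)
        return m.group(1).strip() if m else None

    def ts(s):
        return None if s is None else utc(s)

    return {
        "status": grab("Cert Status"),
        "produced_at": ts(grab("Produced At")),
        "this_update": ts(grab("This Update")),
        "next_update": ts(grab("Next Update")),
    }


def check_freshness(resp, now):
    """Return (ok, reason) for the response as seen at time `now` (aware UTC)."""
    tu, nu = resp["this_update"], resp["next_update"]
    if tu is None:
        return False, "no thisUpdate in response"
    if tu - CLOCK_SKEW > now:
        return False, "thisUpdate is in the future"
    if nu is not None:
        if nu + CLOCK_SKEW < now:
            return False, "OCSP response is too old (nextUpdate has passed)"
    elif now - tu > MAX_AGE:
        return False, "OCSP response is too old (no nextUpdate, exceeds MAX_AGE)"
    return True, "fresh"


def demo(now=None):
    """Run the check on the constructed sample; returns (ok, reason)."""
    now = now or datetime.now(timezone.utc)
    resp = parse_ocsp_text(SAMPLE_OCSP_TEXT)
    ok, reason = check_freshness(resp, now)
    print(f"status={resp['status']} thisUpdate={resp['this_update']} "
          f"nextUpdate={resp['next_update']}")
    print("OK" if ok else "REJECT", reason)
    return ok, reason


if __name__ == "__main__":
    demo()
```

To feed it real data, capture the stapled response with `openssl s_client -connect host:443 -status`, which prints the OCSP response section in the same text form, and check whether the leaf certificate carries an AIA OCSP URI at all with `openssl x509 -in cert.pem -noout -ocsp_uri`. A server that staples a response whose nextUpdate is already in the past, combined with a certificate that offers no OCSP URI to fall back to, leaves a strict client with nothing it can validate, which is the situation the post describes.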