Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

PKI: Do not set NextUpdate OCSP field when ocsp_expiry is 0 #24192

Merged
merged 2 commits into from
Nov 20, 2023
Merged

PKI: Do not set NextUpdate OCSP field when ocsp_expiry is 0 #24192

merged 2 commits into from
Nov 20, 2023

Conversation

stevendpclark
Copy link
Contributor

When the ocsp_expiry field within config/crl is set to 0, we should not be setting the NextUpdate field within OCSP responses. We were setting it to the current time, which effectively means that the response has expired and shouldn't be used.

Based on RFC 6960: 4.2.2.1. Time, we shouldn't have set this field to indicate newer information is available right away

If nextUpdate is not set, the responder is indicating that newer revocation information is available all the time.

@stevendpclark stevendpclark added bug Used to indicate a potential bug secret/pki backport/1.13.x labels Nov 20, 2023
@stevendpclark stevendpclark added this to the 1.13.11 milestone Nov 20, 2023
@stevendpclark stevendpclark self-assigned this Nov 20, 2023
@stevendpclark stevendpclark requested a review from a team as a code owner November 20, 2023 13:30
@github-actions github-actions bot added the hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed label Nov 20, 2023
@github-actions GitHub Actions
Copy link

Build Results:
All builds succeeded! ✅

@github-actions GitHub Actions
Copy link

CI Results:
All Go tests succeeded! ✅

victorr
victorr approved these changes Nov 20, 2023
View reviewed changes
Copy link
Contributor

@victorr victorr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@stevendpclark stevendpclark merged commit 5304069 into main Nov 20, 2023
110 checks passed
@stevendpclark stevendpclark deleted the stevendpclark/vault-22097-ocsp-nextupdate branch November 20, 2023 15:32
This was referenced Nov 20, 2023
Merged
Merged
Merged
stevendpclark added a commit that referenced this pull request Nov 20, 2023
@stevendpclark
PKI: Do not set NextUpdate OCSP field when ocsp_expiry is 0 (#24192)
a2d2483 
* Do not set NextUpdate OCSP field when ocsp_expiry is 0

* Add cl
cognifloyd pushed a commit to cognifloyd/vault that referenced this pull request Dec 16, 2023
@hc-github-team-secure-vault-core @stevendpclark
PKI: Do not set NextUpdate OCSP field when ocsp_expiry is 0 (hashicor…
c029f6f 
…p#24192) (hashicorp#24194)

* Do not set NextUpdate OCSP field when ocsp_expiry is 0

* Add cl

Co-authored-by: Steven Clark <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@victorr victorr victorr approved these changes

Assignees

@stevendpclark stevendpclark

Labels
bug Used to indicate a potential bug hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed secret/pki
Projects
None yet
Milestone
1.13.11
Development

Successfully merging this pull request may close these issues.
2 participants
@stevendpclark @victorr