Score:0

Check OCSP on Linux with GET method


I want to verify the operation of a Microsoft OCSP server from Linux. I tried using OpenSSL, but it always returns:

Error querying OCSP responder 140643157128320:error:27076072:OCSP routines:parse_http_line1:server response error:../crypto/ocsp/ocsp_ht.c:260:Code=405,Reason=Method Not Allowed

I checked on the server side and noticed that OpenSSL uses the POST method, as opposed to the GET method used by certutil (which works fine):

# certutil Request
2021-09-28 10:26:51 10.11.12.13 GET /ocsp/<OCSP request> - 80 - 10.11.12.14 Microsoft-CryptoAPI/10.0 - 200 0 0 4583
# OpenSSL Request
2021-09-28 10:26:51 10.11.12.13 POST / - 80 - 10.11.12.15 - - 405 0 1 5991

It seems that OpenSSL can't be forced to use GET instead of POST, but perhaps there's some other utility?

Or conversely, is there a method to force MS OCSP responder to work with POST as well?

Score:2

You need to add the -no_nonce option to OpenSSL.

Microsoft OCSP server doesn't support nonce in the requests.

mangohost
