Clients fails to load https webpage when OCSP stapling is enabled

[djphoenix]

I was enabled OCSPRequest event listener on my server, and wrote handler for OCSP. But many clients like Safari, curl, and openssl s_client now fails to connect. In chrome, for example, it works correctly.
Example server that have OCSP stapling enabled: https://phoenix.dj/ (node 0.11.14)

[indutny]

Hello!

May I ask you to post a test case that I could try?

Thank you!

[djphoenix]

Okay, a test case:

1. Install node v0.11.14
2. Extract this archive: http://rghost.ru/58841542
3. Get SSL certificate that has OCSP url included, and place files ssl.cer, ssl.key and ca.cer into same folder that scripts
4. (Optionally, you can remove config line instead) Generate ssl.dh file by using 'openssl dhparam'
5. Run server.js
6. Open webpage from your SSL-enabled server with Chrome (maybe other modern browser), note it works.
7. Open same URL on Safari in MacOS or iPhone, or try to get it with CURL - it will timeout.

[indutny]

@djphoenix the link you gave here does not work, I get 403 on it.

Could you please post the source in a gist? I suppose it should be just a single javascript file without dependencies anyway.

[djphoenix]

OK, gist URL: https://gist.github.com/djphoenix/198104dc85452ca1f76b

[indutny]

What's on method here: https://gist.github.com/djphoenix/198104dc85452ca1f76b#file-server-js-L38 ?

[indutny]

Oh, I see you have a with there :) Anyway it doesn't seem to be working:

/private/tmp/198104dc85452ca1f76b/server.js:36
    on('OCSPRequest',ocsp);
    ^
ReferenceError: on is not defined
    at Object.<anonymous> (/private/tmp/198104dc85452ca1f76b/server.js:36:2)
    at Module._compile (module.js:460:26)
    at Object.Module._extensions..js (module.js:478:10)
    at Module.load (module.js:355:32)
    at Function.Module._load (module.js:310:12)
    at Function.Module.runMain (module.js:501:10)
    at startup (node.js:132:16)
    at node.js:850:3

[indutny]

Anyway, I have reproduced it, thank you!

[djphoenix]

Which version of Node you're using? This code perfectly works on 0.11.14

[indutny]

Tried on both v0.10 and latest v0.11.

[indutny]

Anyway, it doesn't matter much.

[indutny]

Could you please give a try to following patch:

diff --git a/lib/_tls_wrap.js b/lib/_tls_wrap.js
index 4ec9280..703f125 100644
--- a/lib/_tls_wrap.js
+++ b/lib/_tls_wrap.js
@@ -200,7 +200,10 @@ function onnewsession(key, session) {
   var once = false;

   this._newSessionPending = true;
-  this.server.emit('newSession', key, session, function() {
+  if (!this.server.emit('newSession', key, session, done))
+    done();
+
+  function done() {
     if (once)
       return;
     once = true;
@@ -211,7 +214,7 @@ function onnewsession(key, session) {
     if (self._securePending)
       self._finishInit();
     self._securePending = false;
-  });
+  }
 }

Hope it will fix the problem for you!

[djphoenix]

I've applied your patch, but nothing changed. In Safari and cURL connection still freezing.

[djphoenix]

...Okay, I found working workaround for my problem - implement both OCSPRequest events and newSession/resumeSession.

[bjb568]

This is my "working workaround" :)

server.listen(443);
var ocspCache = new ocsp.Cache(); // ocsp = require('ocsp')
server.on('OCSPRequest', function(cert, issuer, callback) {
    ocsp.getOCSPURI(cert, function(err, uri) {
        if (err) return callback(error);
        var req = ocsp.request.generate(cert, issuer);
        var options = {
            url: uri,
            ocsp: req.data
        };
        ocspCache.request(req.id, options, callback);
    });
});
var sslSessionCache = {};
server.on('newSession', function(sessionId, sessionData, callback) {
    sslSessionCache[sessionId] = sessionData;
    callback();
});
server.on('resumeSession', function (sessionId, callback) {
    callback(null, sslSessionCache[sessionId]);
})