opnsense / plugins

OPNsense plugin collection
https://opnsense.org/
BSD 2-Clause "Simplified" License

security/acme-client: OCSP stapling is ALWAYS enabled? #794

Closed fraenki closed 6 years ago

fraenki commented 6 years ago

split from #753:

Is it possible that the plugin currently behaves as if OCSP stapling is ALWAYS enabled?

I have the checkbox definitely NOT set, but the cert retrieved DOES contain the 1.3.6.1.5.5.7.1.24 TLS extension, causing my Firefox to reject the connection with MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING because OPNsense's lighttpd doesn't support OCSP stapling.
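The extension the report refers to is the TLS Feature extension (OID 1.3.6.1.5.5.7.1.24, "OCSP Must-Staple"): when a certificate carries it with the status_request feature, a client like Firefox refuses the connection unless the server staples an OCSP response. The following check is an added example, not code from the plugin or from anyone in this thread; it uses the `cryptography` library to build two constructed self-signed certificates (one with and one without the extension) and to report whether a given PEM certificate carries Must-Staple, so an administrator can verify what the ACME client actually issued before pointing a non-stapling web server at it. The certificate subject and lifetimes are made up for the example.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID


def must_staple_oid() -> str:
    """Dotted OID of the TLS Feature extension (RFC 7633), as seen in the report."""
    return ExtensionOID.TLS_FEATURE.dotted_string


def make_cert(must_staple: bool) -> bytes:
    """Build a constructed self-signed certificate, optionally with Must-Staple.

    This stands in for a certificate retrieved by the ACME client; the
    subject name and validity window are assumptions for the example.
    """
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example.test")])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=1))
    )
    if must_staple:
        # This is the extension that makes Firefox require a stapled OCSP response.
        builder = builder.add_extension(
            x509.TLSFeature([x509.TLSFeatureType.status_request]), critical=False
        )
    cert = builder.sign(key, hashes.SHA256())
    return cert.public_bytes(serialization.Encoding.PEM)


def has_must_staple(pem: bytes) -> bool:
    """Return True if the PEM certificate requires OCSP stapling (status_request)."""
    cert = x509.load_pem_x509_certificate(pem)
    try:
        ext = cert.extensions.get_extension_for_oid(ExtensionOID.TLS_FEATURE)
    except x509.ExtensionNotFound:
        return False
    # The TLS Feature extension lists required features; only status_request
    # (OCSP stapling) matters for the browser error discussed here.
    return x509.TLSFeatureType.status_request in ext.value


if __name__ == "__main__":
    for flag in (False, True):
        pem = make_cert(flag)
        print(f"checkbox={'on' if flag else 'off'} -> must-staple in cert: "
              f"{has_must_staple(pem)}")
```

To check a real certificate file, replace the constructed PEM with the bytes read from the file the plugin wrote; a result of True on a server that does not staple explains the MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING error, while False means the extension is absent and the browser error has another cause.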

pief commented 6 years ago

Incredibly fast! Thank you very, very much!

fraenki commented 6 years ago

@pief I forgot to ask you to try the fix. You may do so by running the following command on the CLI:

# opnsense-patch -c plugins b817a41

DonSYS91 commented 6 years ago

That's sad, @fraenki: after I found the bug, I come back here to see that it's already fixed. That was fast, yeah. xD

pief commented 6 years ago

Yes, the fix seems to work for me, thank you!

afontenot commented 5 years ago

I'm having this problem on an up-to-date OPNsense installation. I don't have the OCSP checkbox checked, but after the most recent cert renewal (Sep 17), I get the MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING error in Firefox with security.ssl.enable_ocsp_must_staple set to true.

Anyone else have this problem show up for them again, or should I file a new bug?

Works fine in Brave with none of the security features changed.

fraenki commented 5 years ago

@afontenot Please don't comment on ancient issues. The OP's problem was solved, so you're most likely facing a different problem. Please open a new issue instead and provide more details about your OPNsense Let's Encrypt certificate and plugin configuration. Logs would also be useful.