Closed mcpherrinm closed 2 years ago
https://github.com/square/certigo/blob/master/lib/ocsp.go#L179-L182
This shouldn't be conditional.
> An OCSP request using the GET method is constructed as follows:
>
> GET {url}/{url-encoding of base-64 encoding of the DER encoding of the OCSPRequest}

from https://datatracker.ietf.org/doc/html/rfc6960#appendix-A.1
Note that it unconditionally concatenates the url, a slash, and then the encoded OCSPRequest.
I'd probably just put `server + "/" + base64()` here: https://github.com/square/certigo/blob/master/lib/ocsp.go#L183
Incorrectly making this assumption that there would be no double-slash led to the following incident: https://community.letsencrypt.org/t/may-19-2017-ocsp-and-issuance-outage-postmortem/34922
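The RFC 6960 appendix A.1 construction quoted in this issue, as an added example that is not part of the original report and is not certigo's code. The function names, the `ocsp.example.test` URL, the sample bytes, the choice of `url.QueryEscape` for the url-encoding step, and the conditional variant are all constructed for illustration; `parseOCSPGet` is a hypothetical responder that applies the RFC rule literally.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// encodeReq: "url-encoding of base-64 encoding of the DER encoding" (RFC 6960 A.1).
func encodeReq(der []byte) string {
	return url.QueryEscape(base64.StdEncoding.EncodeToString(der))
}

// ocspGetURL always inserts the slash, even if server already ends in one.
func ocspGetURL(server string, der []byte) string {
	return server + "/" + encodeReq(der)
}

// ocspGetURLConditional: constructed contrast case (not copied from certigo)
// that adds the slash only when server lacks one.
func ocspGetURLConditional(server string, der []byte) string {
	if !strings.HasSuffix(server, "/") {
		server += "/"
	}
	return server + encodeReq(der)
}

// parseOCSPGet: hypothetical responder-side inverse of A.1. It strips "{url}/",
// undoes the URL-encoding, then base64-decodes to recover the DER bytes.
func parseOCSPGet(server, reqURL string) ([]byte, error) {
	prefix := server + "/"
	if !strings.HasPrefix(reqURL, prefix) {
		return nil, errors.New("request does not start with {url}/")
	}
	b64, err := url.PathUnescape(reqURL[len(prefix):])
	if err != nil {
		return nil, err
	}
	return base64.StdEncoding.DecodeString(b64)
}

func main() {
	der := []byte{0xfb, 0xff}        // constructed bytes, not a real OCSPRequest
	s := "http://ocsp.example.test/" // assumed responder URL with trailing slash
	_, e1 := parseOCSPGet(s, ocspGetURL(s, der))
	_, e2 := parseOCSPGet(s, ocspGetURLConditional(s, der))
	fmt.Println(ocspGetURL(s, der), e1, "|", ocspGetURLConditional(s, der), e2)
}
```

With a responder URL that ends in a slash, the unconditional form produces a double slash and still round-trips, while the conditional form no longer matches the `{url}/` prefix.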