The 'OCSPRequest' callback does not send the OCSP response with TLS 1.3

[drash-course]

• Version: v12.4.0
• Platform: Ubuntu 18.04 x86_64 (kernel 4.15.18)
• Subsystem: TLS

We are using node 12 to run a HTTPS server for a simple website. I noticed a problem with the OCSPRequest event of the TLS server. For connections with TLS 1.2 or below, the callback (3rd argument) sends send response as expected (OCSPRequest docs). I checked with OpenSSL:

echo QUIT | openssl s_client -connect naos.fleetback.com:443 -servername naos.fleetback.com -status -tls1_2

CONNECTED(00000005)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = naos.fleetback.com
verify return:1
OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    Produced At: Jun 19 09:31:00 2019 GMT
[...]

But with TLS 1.3 connections, no status is sent back:

echo QUIT | openssl s_client -connect naos.fleetback.com:443 -servername naos.fleetback.com -status -tls1_3

CONNECTED(00000005)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = naos.fleetback.com
verify return:1
OCSP response: no response sent
---

We use the "ocsp" package from NPM to handle OCSP caching. I debugged around this code and it always sends the expected <Buffer 30 82 02 0b 0a ...> in the callback.

const ocsp = require('ocsp');
const ocspCache = new ocsp.Cache();

function withOcspRequestCache(tlsServer) {
  tlsServer.on('OCSPRequest', function(cert, issuer, cb) {
    ocsp.getOCSPURI(cert, function(err, url) {
      if (err) return cb(err);
      if (url === null) return cb(null, null);
      const req = ocsp.request.generate(cert, issuer);
      ocspCache.probe(req.id, function(err, cached) {
        if (err) return cb(err);
        if (cached !== false) return cb(null, cached.response);
        ocspCache.request(req.id, { url, ocsp: req.data }, cb);
      });
    });
  });
}

Our server is a HTTP/2 server in compatibility mode. You can check the code below.

const fs = require('fs');
const http2 = require('http2');

const cert = fs.readFileSync(...);
const key = fs.readFileSync(...);
const dhparam = fs.readFileSync('./dhparam.pem');
const options = { cert, key, dhparam, ciphers, honorCipherOrder: false, allowHTTP1: true };
const server = http2.createSecureServer(options);
withOcspRequestCache(server);
server.listen(443, () => console.log('HTTPS server running on port 443'));

It looks like a bug in Node 12. Did you get the OCSPRequest event to work with TLS 1.3?

Thanks for your help.

[sam-github]

I got the tests to pass, but didn't do any manual testing. See test/parallel/test-tls-ocsp-callback.js (looks to be the only test).

If you produce a runnable reproduction, I might be able to find time to look at this. If you could isolate whether it can be reproed with raw tls (no http2) that would be helpful. Ideally you could PR a failing test, that would make it much easier to debug.

[drash-course]

It looks like a E2E test is the only way to reproduce this issue. I will make a test file shortly.

[drash-course]

I found the source of the problem. When you set a custom ecdhCurve in the tls.createSecureContext options when creating a TLS server, it breaks the OCSP event with TLS 1.3.

@sam-github I have a minimal test that shows the problem: github repo. It only uses the tls module. You can clone it and run npm test.

[kevin-renier]

We have the same problem. We use node to serve our website and want OCSP. Node 12 causes errors with Firefox: our certificate has “must_staple” and firefox drops the connection if the certificate status is not provided. This happens only with TLS 1.3.

[sam-github]

I can see that with 1.2, OCSP response data is present, but with 1.3, it is not: https://github.com/sam-github/node-ocsp-bug-repro/blob/master/ok.txt vs https://github.com/sam-github/node-ocsp-bug-repro/blob/master/notok.txt

Not sure why. I do the server side callback occuring in both cases.

[sam-github]

I asked openssl: https://mta.openssl.org/pipermail/openssl-users/2019-June/010774.html

[sam-github]

@kevin-renier Are you also using the ecdhCurve option on the server?

[kevin-renier]

@kevin-renier Are you also using the ecdhCurve option on the server?

Yes, we are.

[drash-course]

@sam-github Any news? I can help debug this if you have some pointers.

[sam-github]

No response from OpenSSL, you could join the mailing list and bump the thread.

I haven't had time to look more. I don't have any ideas, really. If you could figure out a way to get the s_server openssl sample to set the ephemeral ecdh curve, maybe you could repro with pure openssl, then they would pay more attention. I list the API we call to set the curve in the email linked above, worst case, you'd have to hack that call into s_server. Also, note that --trace-tls CLI option for node, and --trace for s_server, they are very useful.