I was trying to integrate a probe for https://www.mapper.ntppool.org/ into one of my web pages, but found that it is not working at least with Firefox default settings. The issue seems to relate to OCSP stapling:
The certificate on www.mapper.ntppool.org requires the browser to ensure a stapled OCSP response is present in the TLS handshake. However, it seems the server is not including such a stapled OCSP response, thus Firefox refuses to load the resource behind the URL.
@PoolMUC welcome to the community!
Correct observation, the server should send the OCSP status response, or the certificate should not contain the “OCSP must staple” option. https://www.ssllabs.com/ssltest/analyze.html?d=www.mapper.ntppool.org
I see the same on ssllabs.com, but I can’t figure out where in the certificate it’s set.
I don’t see in openssl s_client -connect www.mapper.ntppool.org:443 | openssl x509 -noout -text where OCSP must-staple comes from? (I also had trouble finding other examples on the internet with that attribute to compare …)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = mapper.ntppool.org
verify return:1
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:9d:b4:09:e5:bb:bc:4c:87:13:8f:42:cf:c9:2e:32:8e:4f
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = R3
        Validity
            Not Before: Jun 13 23:49:46 2023 GMT
            Not After : Sep 11 23:49:45 2023 GMT
        Subject: CN = mapper.ntppool.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:f8:06:f3:ad:ce:d9:24:a5:30:c9:85:2d:db:19:
                    68:24:d7:0b:b2:77:8a:cc:d2:a0:49:95:9e:9a:cc:
                    b5:a5:d8:2f:10:e8:e7:d6:18:d6:68:2c:9d:90:df:
                    e0:06:fb:56:f8:6c:ec:75:18:50:23:37:3e:11:c0:
                    c0:df:d8:6e:43:fb:dc:54:4c:a4:42:79:ed:44:f6:
                    dd:f0:82:d5:82:18:41:04:ae:d3:9a:ee:6c:5a:e8:
                    06:79:cf:27:43:eb:6d:52:e4:22:fe:e7:d7:b0:bc:
                    82:1f:12:f8:37:d0:26:c9:c3:ce:31:73:6a:8e:3b:
                    b2:0f:24:7e:b8:7b:2e:c8:3c:02:6e:73:f3:e7:1a:
                    6b:b5:2b:5b:c6:14:0c:1b:f0:d5:c7:f8:db:30:08:
                    4f:12:b3:95:f6:c9:cf:a2:7d:45:56:2b:f3:73:82:
                    27:40:c3:75:e1:52:8b:69:2c:2b:6c:db:8d:a3:d7:
                    82:87:61:cf:aa:36:4f:43:05:6d:f5:ce:ea:a8:09:
                    0c:a9:47:cc:d7:b8:b4:fd:a8:78:cb:d5:77:de:e0:
                    e1:17:db:d8:d0:d4:13:32:54:15:6f:18:3f:70:97:
                    cd:f8:5b:45:6d:4e:12:65:f5:25:cf:08:3d:e3:61:
                    e1:8f:9a:3f:66:77:72:e7:93:64:73:a3:1e:31:b8:
                    47:f3
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                13:18:BF:8D:2E:B4:01:FC:90:F8:7D:AE:F3:C2:FF:6E:EA:07:DC:D7
            X509v3 Authority Key Identifier:
                14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6
            Authority Information Access:
                OCSP - URI:http://r3.o.lencr.org
                CA Issuers - URI:http://r3.i.lencr.org/
            X509v3 Subject Alternative Name:
                DNS:*.mapper.ntppool.org, DNS:mapper.ntppool.org
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org
            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : B7:3E:FB:24:DF:9C:4D:BA:75:F2:39:C5:BA:58:F4:6C:
                                5D:FC:42:CF:7A:9F:35:C4:9E:1D:09:81:25:ED:B4:99
                    Timestamp : Jun 14 00:49:46.112 2023 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:46:02:21:00:DA:2B:04:3A:5A:72:9C:C6:C4:C8:E4:
                                8A:E1:71:E1:10:30:DD:0D:74:6C:4A:0D:76:3B:FA:BE:
                                DA:EA:E8:0C:E5:02:21:00:95:12:4A:4B:F2:18:82:86:
                                63:BE:97:C7:B0:40:67:E0:9A:1F:F5:EF:82:64:96:1B:
                                89:A3:B4:0A:BC:94:44:D8
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 7A:32:8C:54:D8:B7:2D:B6:20:EA:38:E0:52:1E:E9:84:
                                16:70:32:13:85:4D:3B:D2:2B:C1:3A:57:A3:52:EB:52
                    Timestamp : Jun 14 00:49:46.135 2023 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:46:02:21:00:BF:74:68:D9:64:DD:10:F9:34:FF:03:
                                DC:37:69:A6:D8:DF:BD:59:4A:9E:80:52:73:78:5D:F2:
                                F2:0C:A6:5D:07:02:21:00:84:81:63:2C:C1:85:00:0B:
                                DD:DC:FE:F6:D4:E6:80:15:7A:B7:CA:0C:E6:CC:23:FF:
                                DC:5C:B6:1A:FA:8E:FD:5B
            TLS Feature:
                status_request
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        40:e7:8f:aa:7c:1a:e0:f9:c2:d8:4d:c6:9b:8c:23:05:a7:47:
        a0:74:73:cf:9f:da:24:1e:80:e5:26:b6:ac:ad:07:ef:57:16:
        f6:9c:7a:24:ba:d7:32:dc:9a:3d:db:45:7e:b7:e4:a0:bb:d8:
        62:e1:e3:99:2f:0b:92:30:9c:45:0d:a3:7e:53:e0:81:2b:e0:
        e8:66:1a:0a:19:98:2f:cc:95:8f:b8:eb:7c:e5:11:02:9f:f8:
        4f:e5:95:35:56:50:e7:6c:64:9e:28:0e:c7:42:ff:77:90:40:
        21:76:fc:bf:d0:24:a9:ab:62:9d:20:5b:31:3c:e4:10:96:34:
        19:ee:6f:b8:79:f7:3d:d2:73:da:35:b8:8c:7d:a8:f3:65:06:
        56:d3:e4:aa:ef:00:2a:e4:06:c6:bc:0f:71:43:be:42:c1:3a:
        36:e7:b7:4f:c2:6c:b0:c3:23:13:4c:68:2f:7e:78:7f:e2:63:
        7c:41:37:ea:04:46:5b:89:3a:9c:b4:82:51:25:44:ed:d7:42:
        a0:5a:03:94:41:e9:c8:fd:21:68:34:94:ec:ff:9e:21:e8:f6:
        c2:9f:70:8f:5e:2b:2d:e2:cd:35:27:8b:fd:d9:30:c8:4e:c8:
        2e:0b:72:73:1a:a5:7a:c6:bb:4f:99:a8:4a:05:11:6d:33:4d:
        7a:dc:1e:33
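The place in the dump above where "OCSP must-staple" lives is the `TLS Feature: status_request` extension (RFC 7633, OID 1.3.6.1.5.5.7.1.24): it tells the client to reject the handshake unless the server staples an OCSP response, which is exactly the mismatch the earlier replies describe. The following script is an added example, not code from the thread or from the NTP Pool project; it uses only the `openssl` CLI and shows both halves of the diagnosis: whether a certificate carries the Must-Staple flag, and whether a server actually staples. The demo certificates it generates are throw-away self-signed ones with a made-up CN, constructed only to exercise the check offline.

```shell
#!/bin/sh
# Added example (not from the thread): diagnosing OCSP Must-Staple with openssl.
#
#   has_must_staple CERT.pem    exit 0 if the certificate carries the
#                               "TLS Feature: status_request" extension
#                               (RFC 7633, i.e. OCSP Must-Staple), else 1
#   server_staples HOST [PORT]  exit 0 if the TLS server includes a stapled
#                               OCSP response in its handshake (needs network)
#
# A certificate for which has_must_staple succeeds but server_staples fails is
# the combination that makes Firefox refuse the connection.

has_must_staple() {
    # openssl prints the extension as "TLS Feature:" followed by an indented
    # line naming the feature; only status_request (value 5) means Must-Staple.
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'TLS Feature' | grep -q 'status_request'
}

server_staples() {
    host=$1
    port=${2:-443}
    # -status asks for a stapled response and prints its parsed status;
    # -servername is needed so a name-based virtual host sends the right cert.
    openssl s_client -connect "$host:$port" -servername "$host" -status \
        </dev/null 2>/dev/null \
        | grep -q 'OCSP Response Status: successful'
}

must_staple_verdict() {
    # Human-readable wrapper around has_must_staple for CERT.pem.
    if has_must_staple "$1"; then
        echo must-staple
    else
        echo no-must-staple
    fi
}

make_demo_cert() {
    # make_demo_cert OUTFILE [extra openssl req options, e.g. -addext ...]
    # Constructed demo material: a one-day self-signed cert with a hypothetical
    # CN, used only to show what the check reacts to.
    out=$1
    shift
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=demo.example.test" \
        -keyout "${out%.pem}.key" -out "$out" "$@" 2>/dev/null
}

# Typical use (uncomment to run by hand):
#   make_demo_cert ms.pem -addext tlsfeature=status_request
#   make_demo_cert plain.pem
#   must_staple_verdict ms.pem      # must-staple
#   must_staple_verdict plain.pem   # no-must-staple
#   server_staples www.example.org && echo "server staples" || echo "no staple"
```

The `-addext tlsfeature=status_request` option reproduces what a CA does when a client requests Must-Staple, so the two demo certificates differ only in that extension; running `server_staples` against a real host is the cheap command-line equivalent of the ssllabs.com check mentioned earlier in the thread.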
It looks like the certificate of www.mapper.ntppool.org is not renewed automatically; the connection is failing now. Please note that Let's Encrypt no longer supports OCSP for certificate revocation information, only CRL.