OCSP stapling issue on https://www.mapper.ntppool.org/

I was trying to integrate a probe for https://www.mapper.ntppool.org/ into one of my web pages, but found that it is not working at least with Firefox default settings. The issue seems to relate to OCSP stapling:

The certificate on www.mapper.ntppool.org requires the browser to ensure a stapled OCSP response is present in the TLS handshake. However, it seems the server is not including such a stapled OCSP response, thus Firefox refuses to load the resource behind the URL.


@PoolMUC welcome to the community!
Correct observation, the server should send the OCSP status response, or the certificate should not contain the “OCSP must staple” option.
https://www.ssllabs.com/ssltest/analyze.html?d=www.mapper.ntppool.org

I see the same on ssllabs.com, but I can’t figure out where in the certificate it’s set.

I don’t see in openssl s_client -connect www.mapper.ntppool.org:443 | openssl x509 -noout -text where OCSP must-staple comes from? (I also had trouble finding other examples on the internet with that attribute to compare …)

depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = mapper.ntppool.org
verify return:1
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:9d:b4:09:e5:bb:bc:4c:87:13:8f:42:cf:c9:2e:32:8e:4f
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = R3
        Validity
            Not Before: Jun 13 23:49:46 2023 GMT
            Not After : Sep 11 23:49:45 2023 GMT
        Subject: CN = mapper.ntppool.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:f8:06:f3:ad:ce:d9:24:a5:30:c9:85:2d:db:19:
                    68:24:d7:0b:b2:77:8a:cc:d2:a0:49:95:9e:9a:cc:
                    b5:a5:d8:2f:10:e8:e7:d6:18:d6:68:2c:9d:90:df:
                    e0:06:fb:56:f8:6c:ec:75:18:50:23:37:3e:11:c0:
                    c0:df:d8:6e:43:fb:dc:54:4c:a4:42:79:ed:44:f6:
                    dd:f0:82:d5:82:18:41:04:ae:d3:9a:ee:6c:5a:e8:
                    06:79:cf:27:43:eb:6d:52:e4:22:fe:e7:d7:b0:bc:
                    82:1f:12:f8:37:d0:26:c9:c3:ce:31:73:6a:8e:3b:
                    b2:0f:24:7e:b8:7b:2e:c8:3c:02:6e:73:f3:e7:1a:
                    6b:b5:2b:5b:c6:14:0c:1b:f0:d5:c7:f8:db:30:08:
                    4f:12:b3:95:f6:c9:cf:a2:7d:45:56:2b:f3:73:82:
                    27:40:c3:75:e1:52:8b:69:2c:2b:6c:db:8d:a3:d7:
                    82:87:61:cf:aa:36:4f:43:05:6d:f5:ce:ea:a8:09:
                    0c:a9:47:cc:d7:b8:b4:fd:a8:78:cb:d5:77:de:e0:
                    e1:17:db:d8:d0:d4:13:32:54:15:6f:18:3f:70:97:
                    cd:f8:5b:45:6d:4e:12:65:f5:25:cf:08:3d:e3:61:
                    e1:8f:9a:3f:66:77:72:e7:93:64:73:a3:1e:31:b8:
                    47:f3
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                13:18:BF:8D:2E:B4:01:FC:90:F8:7D:AE:F3:C2:FF:6E:EA:07:DC:D7
            X509v3 Authority Key Identifier:
                14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6
            Authority Information Access:
                OCSP - URI:http://r3.o.lencr.org
                CA Issuers - URI:http://r3.i.lencr.org/
            X509v3 Subject Alternative Name:
                DNS:*.mapper.ntppool.org, DNS:mapper.ntppool.org
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org
            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : B7:3E:FB:24:DF:9C:4D:BA:75:F2:39:C5:BA:58:F4:6C:
                                5D:FC:42:CF:7A:9F:35:C4:9E:1D:09:81:25:ED:B4:99
                    Timestamp : Jun 14 00:49:46.112 2023 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:46:02:21:00:DA:2B:04:3A:5A:72:9C:C6:C4:C8:E4:
                                8A:E1:71:E1:10:30:DD:0D:74:6C:4A:0D:76:3B:FA:BE:
                                DA:EA:E8:0C:E5:02:21:00:95:12:4A:4B:F2:18:82:86:
                                63:BE:97:C7:B0:40:67:E0:9A:1F:F5:EF:82:64:96:1B:
                                89:A3:B4:0A:BC:94:44:D8
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 7A:32:8C:54:D8:B7:2D:B6:20:EA:38:E0:52:1E:E9:84:
                                16:70:32:13:85:4D:3B:D2:2B:C1:3A:57:A3:52:EB:52
                    Timestamp : Jun 14 00:49:46.135 2023 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:46:02:21:00:BF:74:68:D9:64:DD:10:F9:34:FF:03:
                                DC:37:69:A6:D8:DF:BD:59:4A:9E:80:52:73:78:5D:F2:
                                F2:0C:A6:5D:07:02:21:00:84:81:63:2C:C1:85:00:0B:
                                DD:DC:FE:F6:D4:E6:80:15:7A:B7:CA:0C:E6:CC:23:FF:
                                DC:5C:B6:1A:FA:8E:FD:5B
            TLS Feature:
                status_request
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        40:e7:8f:aa:7c:1a:e0:f9:c2:d8:4d:c6:9b:8c:23:05:a7:47:
        a0:74:73:cf:9f:da:24:1e:80:e5:26:b6:ac:ad:07:ef:57:16:
        f6:9c:7a:24:ba:d7:32:dc:9a:3d:db:45:7e:b7:e4:a0:bb:d8:
        62:e1:e3:99:2f:0b:92:30:9c:45:0d:a3:7e:53:e0:81:2b:e0:
        e8:66:1a:0a:19:98:2f:cc:95:8f:b8:eb:7c:e5:11:02:9f:f8:
        4f:e5:95:35:56:50:e7:6c:64:9e:28:0e:c7:42:ff:77:90:40:
        21:76:fc:bf:d0:24:a9:ab:62:9d:20:5b:31:3c:e4:10:96:34:
        19:ee:6f:b8:79:f7:3d:d2:73:da:35:b8:8c:7d:a8:f3:65:06:
        56:d3:e4:aa:ef:00:2a:e4:06:c6:bc:0f:71:43:be:42:c1:3a:
        36:e7:b7:4f:c2:6c:b0:c3:23:13:4c:68:2f:7e:78:7f:e2:63:
        7c:41:37:ea:04:46:5b:89:3a:9c:b4:82:51:25:44:ed:d7:42:
        a0:5a:03:94:41:e9:c8:fd:21:68:34:94:ec:ff:9e:21:e8:f6:
        c2:9f:70:8f:5e:2b:2d:e2:cd:35:27:8b:fd:d9:30:c8:4e:c8:
        2e:0b:72:73:1a:a5:7a:c6:bb:4f:99:a8:4a:05:11:6d:33:4d:
        7a:dc:1e:33

It is:

TLS Feature:
    status_request
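The question above (where "OCSP must-staple" comes from in the openssl dump) and the answer (the TLS Feature extension) can be checked mechanically. The script below is an added example, not code from this thread or from the NTP Pool project: it walks a DER-encoded certificate with the Python standard library only and reports whether the RFC 7633 TLS Feature extension (OID 1.3.6.1.5.5.7.1.24) lists status_request (TLS extension number 5), which is exactly the must-staple flag that makes Firefox demand a stapled response. The sample_cert helper and the OIDs it embeds are constructed test input, not a real certificate; for a real check, feed the script the PEM produced by the openssl s_client command quoted earlier.

```python
"""Find the RFC 7633 TLS Feature ("OCSP Must-Staple") extension in a DER certificate.

Stdlib-only DER walker, so it runs offline against any PEM/DER file, e.g. the output of
`openssl s_client -connect host:443 </dev/null | openssl x509`.
"""
import base64
import re

TLS_FEATURE_OID = "1.3.6.1.5.5.7.1.24"   # id-pe-tlsfeature (RFC 7633)
STATUS_REQUEST = 5                        # TLS extension number for status_request


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: the next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(buf):
    """Yield the (tag, value) pairs directly contained in a constructed value."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        yield tag, value


def _decode_oid(value):
    """Render an encoded OBJECT IDENTIFIER as dotted decimal."""
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                  # last base-128 digit of this arc
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def _find_tls_feature(node):
    """Depth-first search for Extension { extnID = id-pe-tlsfeature, [critical], extnValue }."""
    kids = list(_children(node))
    if len(kids) >= 2 and kids[0][0] == 0x06 and _decode_oid(kids[0][1]) == TLS_FEATURE_OID:
        _, features, _ = _read_tlv(kids[-1][1], 0)        # extnValue wraps SEQUENCE OF INTEGER
        return [int.from_bytes(v, "big") for t, v in _children(features) if t == 0x02]
    for tag, value in kids:
        if tag & 0x20:                                     # constructed node: recurse into it
            found = _find_tls_feature(value)
            if found is not None:
                return found
    return None


def pem_to_der(text):
    """Strip the PEM armour and base64-decode the first certificate in text."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    if m is None:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()))


def tls_features(der):
    """Return the TLS feature numbers the certificate demands, or None if the extension is absent."""
    return _find_tls_feature(der)


def has_must_staple(der):
    """True when the certificate requires a stapled OCSP response (feature 5)."""
    feats = tls_features(der)
    return feats is not None and STATUS_REQUEST in feats


# ---- Constructed sample input: a skeletal certificate, not a real one, just enough structure ----

def _tlv(tag, value):
    """Tiny DER encoder used only to build the sample."""
    n = len(value)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + value


def _encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([parts[0] * 40 + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        while p > 0x7F:                   # remaining base-128 digits, high bit set on all but the last
            p >>= 7
            chunk.append((p & 0x7F) | 0x80)
        out.extend(reversed(chunk))
    return bytes(out)


def sample_cert(with_must_staple):
    """Constructed DER: version, BasicConstraints (+ optional TLS Feature), signatureAlgorithm, signature."""
    exts = _tlv(0x30, _tlv(0x06, _encode_oid("2.5.29.19")) + _tlv(0x01, b"\xff") + _tlv(0x04, _tlv(0x30, b"")))
    if with_must_staple:
        feature = _tlv(0x30, _tlv(0x02, bytes([STATUS_REQUEST])))          # SEQUENCE { INTEGER 5 }
        exts += _tlv(0x30, _tlv(0x06, _encode_oid(TLS_FEATURE_OID)) + _tlv(0x04, feature))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0xA3, _tlv(0x30, exts)))
    sig_alg = _tlv(0x30, _tlv(0x06, _encode_oid("1.2.840.113549.1.1.11")) + _tlv(0x05, b""))
    return _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00\xab\xcd"))          # placeholder signature


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                 # e.g. python3 must_staple.py cert.pem
        raw = open(sys.argv[1], "rb").read()
        der = pem_to_der(raw.decode("ascii")) if raw.lstrip().startswith(b"-----") else raw
    else:
        der = sample_cert(True)
    print("TLS features:", tls_features(der), "must-staple:", has_must_staple(der))
```

A certificate that carries the flag is only half of the picture: the browser error in this thread appears when such a certificate is served without a stapled response. On OpenSSL 1.1.1 or later, `openssl x509 -in cert.pem -noout -ext tlsfeature` prints the same extension, and `openssl s_client -connect host:443 -status </dev/null` shows whether the server actually staples (an "OCSP Response Status" block versus "OCSP response: no response sent"). Both halves need to agree before the must-staple flag is safe to deploy.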

Ah, how obscure! Thank you (and to @PoolMUC), it’ll be fixed shortly.


Thanks @ask for addressing this, looking good now.
Thanks @NTPman for the welcome and support on this matter.
