[release/8.0-staging] Remove the OCSP nonce #103446
Merged
Backport of #103344 to release/8.0-staging
/cc @bartonjs @vcsjones
Customer Impact
When OCSP support was added for Linux (.NET Core 3.1) we created the requests using the IETF RFC 8954 nonce extension. Most public OCSP responders ignore the nonce extension, but a customer has reported that one of their customers/tenants/workloads interacts with an OCSP responder that fails when a nonce extension is present in the request.
When trying to understand why they didn't have a problem on Windows, we learned that Windows does not issue OCSP requests with nonces. Nor does macOS. It also turns out that our OCSP Stapling work was pretty much relying on the OCSP responder ignoring the nonce from the request.
Regression
Linux offerings of .NET Core / .NET have always had this behavior, but it differs from Windows and macOS.
Testing
The OCSP responder used for local revocation tests confirms that we're no longer sending nonces in requests. The test suite itself confirms that the OCSP feature still works in general.
Risk
Low. Focused change in an area with very high test coverage.
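For anyone who wants to verify the "no nonce in the request" claim against captured bytes rather than by trusting the test responder, here is an added, self-contained check (not runtime code, and not part of this PR). It hand-encodes a minimal DER OCSPRequest with placeholder issuer hashes (constructed values, not from a real CA) both with and without the id-pkix-ocsp-nonce extension (OID 1.3.6.1.5.5.7.48.1.2), and then walks the TBSRequest's requestExtensions ([2] EXPLICIT) to report whether a nonce is present. The encoder/decoder is a deliberately minimal stdlib-only ASN.1 walker written for this example; feed `find_request_nonce` the raw request body captured from the client to check real traffic.

```python
"""Detect the RFC 8954 nonce extension in a DER-encoded OCSP request.

Added example: a minimal DER encoder/decoder (stdlib only), not .NET code.
"""

NONCE_OID = "1.3.6.1.5.5.7.48.1.2"   # id-pkix-ocsp-nonce (RFC 8954)
SHA1_OID = "1.3.14.3.2.26"           # hashAlgorithm used in the sample CertID


def _der_len(n):
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    """Encode one tag-length-value element."""
    return bytes([tag]) + _der_len(len(content)) + content


def oid(dotted):
    """Encode a dotted OID as an OBJECT IDENTIFIER element."""
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_ocsp_request(serial, nonce=None):
    """OCSPRequest { tbsRequest { requestList, [2] requestExtensions? } }.

    issuerNameHash / issuerKeyHash are constructed placeholders, not real hashes.
    """
    cert_id = tlv(0x30,
                  tlv(0x30, oid(SHA1_OID) + tlv(0x05, b""))       # AlgorithmIdentifier
                  + tlv(0x04, b"\x11" * 20)                      # issuerNameHash (placeholder)
                  + tlv(0x04, b"\x22" * 20)                      # issuerKeyHash (placeholder)
                  + tlv(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big")))
    tbs = tlv(0x30, tlv(0x30, cert_id))                          # requestList SEQUENCE OF Request
    if nonce is not None:
        # RFC 8954: extnValue is an OCTET STRING wrapping the DER OCTET STRING nonce.
        ext = tlv(0x30, oid(NONCE_OID) + tlv(0x04, tlv(0x04, nonce)))
        tbs += tlv(0xA2, tlv(0x30, ext))                         # [2] EXPLICIT Extensions
    return tlv(0x30, tlv(0x30, tbs))


def parse_tlv(data, pos=0):
    """Return (tag, content, end) for the element starting at pos."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def iter_children(content):
    """Yield (tag, content) for each element inside a constructed value."""
    pos = 0
    while pos < len(content):
        tag, body, pos = parse_tlv(content, pos)
        yield tag, body


def decode_oid(content):
    """Decode OBJECT IDENTIFIER content octets to dotted form."""
    parts = [content[0] // 40, content[0] % 40]
    val = 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))


def find_request_nonce(der):
    """Return the nonce bytes if the request carries id-pkix-ocsp-nonce, else None."""
    _, ocsp_request, _ = parse_tlv(der)
    _, tbs, _ = parse_tlv(ocsp_request)
    for tag, body in iter_children(tbs):
        if tag != 0xA2:                                  # only [2] requestExtensions
            continue
        _, extensions, _ = parse_tlv(body)
        for _, ext in iter_children(extensions):
            fields = list(iter_children(ext))            # extnID, [critical], extnValue
            if decode_oid(fields[0][1]) != NONCE_OID:
                continue
            extn_value = fields[-1][1]
            inner_tag, inner, end = parse_tlv(extn_value)
            # Pre-8954 clients sometimes put the raw nonce in extnValue; accept both.
            return inner if (inner_tag == 0x04 and end == len(extn_value)) else extn_value
    return None


if __name__ == "__main__":
    print(find_request_nonce(build_ocsp_request(0x1234)))
    print(find_request_nonce(build_ocsp_request(0x1234, nonce=b"\x01" * 16)))
```

The check only looks at requestExtensions on the TBSRequest, which is where RFC 8954 places the nonce; a responder that echoes the nonce would put it in the BasicOCSPResponse's responseExtensions, which is out of scope here.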