ECDSA + Must-Staple = Internal server error #1706
When requesting an ECDSA public key CSR with the Must-Staple feature extension enabled, Boulder responds with an internal server error:
When I generate the same CSR (simple bash script), but with
Also, generating an ECDSA certificate without the Must-Staple feature works like a charm too.
Could it be this line generating the error? https://github.com/letsencrypt/boulder/blob/master/ra/registration-authority.go#L590
Unfortunately, internal server errors aren't very helpful for debugging from the client side's perspective.
Excellent bug-finding, thanks! If you run against a local Boulder, you get this in the logs:
This is because we only added the must staple extension to allowed_extensions for the rsa profile in boulder-config.json, not the ecdsa one. Will fix before sending to prod.
Credits go to tlussnig for mentioning the bug first.
One question though: is internal server error the right error message when the Must-Staple extension isn't allowed at all? Or should this also get some more meaningful error message? Or perhaps some configuration part was missing at all in the ECDSA profile, leading to this error. I.e., when properly configured not to enable must-staple, would it generate a meaningful error message at this time?
referenced this issue on Apr 7, 2016
If I understand the extension correctly, it is not called "must-staple". The extension has a list of integers that tell the client these are the features that the server has to support. So it would be no problem, instead of only telling the client that 5 := ocsp-staple is supported, to also include
In this CSR I added ALPN and SCT as constraints that the server has to support, but it is not accepted. This time, though, with a better error than the error with ECDSA.
I am fully aware that in the introduction only OCSP is mentioned.
While in theory that's true, even browsers are currently only supporting Must-Staple: https://hg.mozilla.org/mozilla-central/rev/801655542a12 (euh, I mean, Firefox, because other browsers aren't implementing TLS Feature Extension at all as far as I know...)
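The two points raised in this thread, a per-key-type allowlist of CSR extensions (the `allowed_extensions` entry that was present for the rsa profile but missing for ecdsa) and the fact that the TLS Feature extension carries a list of integers rather than a single "must-staple" flag, can be shown together in a small Go program. This is an added example, not Boulder's code: the `profile` type, its `AllowedExtensions` field, the three constructed profiles and the policy of accepting only feature value 5 (status_request) are assumptions made for illustration. It builds an ECDSA CSR with Go's `crypto/x509`, decodes the TLS Feature values, and returns a client-facing error for every refusal instead of letting the request fall through to an internal error.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

// id-pe-tlsfeature (RFC 7633): value is a SEQUENCE OF INTEGER naming TLS
// extension types the server must support; 5 (status_request) is "Must-Staple".
var oidTLSFeature = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 24}

// id-ce-subjectAltName; Go adds it to a CSR whenever DNSNames is set.
var oidSubjectAltName = asn1.ObjectIdentifier{2, 5, 29, 17}

const tlsFeatureStatusRequest = 5

// Policy assumed for this example: only status_request is honoured, so other
// feature values (e.g. 16 ALPN, 18 SCT) are refused with a descriptive error.
var allowedTLSFeatures = map[int]bool{tlsFeatureStatusRequest: true}

// profile is a stand-in for a per-key-type issuance profile with an
// allowed_extensions list; field names are assumed, not Boulder's.
type profile struct {
	Name              string
	AllowedExtensions []asn1.ObjectIdentifier
}

// Constructed profiles: the "before" state where only rsa lists the TLS
// Feature OID, and the ecdsa profile after the fix.
var (
	rsaProfile         = profile{"rsa", []asn1.ObjectIdentifier{oidSubjectAltName, oidTLSFeature}}
	ecdsaProfileBefore = profile{"ecdsa", []asn1.ObjectIdentifier{oidSubjectAltName}}
	ecdsaProfileFixed  = profile{"ecdsa", []asn1.ObjectIdentifier{oidSubjectAltName, oidTLSFeature}}
)

func (p profile) allows(oid asn1.ObjectIdentifier) bool {
	for _, a := range p.AllowedExtensions {
		if a.Equal(oid) {
			return true
		}
	}
	return false
}

// makeCSR builds a P-256 ECDSA CSR for a constructed name; a non-empty
// features list adds the TLS Feature extension carrying those values.
func makeCSR(features []int) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: "example.test"},
		DNSNames: []string{"example.test"},
	}
	if len(features) > 0 {
		val, err := asn1.Marshal(features) // SEQUENCE OF INTEGER
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidTLSFeature, Value: val}}
	}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// checkCSR verifies the signature, rejects any extension the profile does not
// list, and decodes the TLS Feature values; every refusal carries a reason.
func checkCSR(der []byte, p profile) ([]int, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, fmt.Errorf("malformed CSR: %v", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR signature invalid: %v", err)
	}
	var features []int
	for _, ext := range csr.Extensions {
		if !p.allows(ext.Id) {
			return nil, fmt.Errorf("extension %s not allowed by the %s profile", ext.Id, p.Name)
		}
		if !ext.Id.Equal(oidTLSFeature) {
			continue
		}
		if _, err := asn1.Unmarshal(ext.Value, &features); err != nil {
			return nil, fmt.Errorf("malformed TLS Feature extension: %v", err)
		}
		for _, f := range features {
			if !allowedTLSFeatures[f] {
				return nil, fmt.Errorf("TLS feature %d requested; only status_request (5) is supported", f)
			}
		}
	}
	return features, nil
}

func main() {
	der, err := makeCSR([]int{tlsFeatureStatusRequest})
	if err != nil {
		panic(err)
	}
	for _, p := range []profile{rsaProfile, ecdsaProfileBefore, ecdsaProfileFixed} {
		f, err := checkCSR(der, p)
		fmt.Printf("profile %-6s features=%v err=%v\n", p.Name, f, err)
	}
}
```

Run as-is, the same Must-Staple CSR passes the rsa and fixed ecdsa profiles and is refused by the unfixed ecdsa profile with a message naming the extension OID and the profile, which is the kind of answer the client side asked for above. A CSR listing feature values beyond 5 is refused at the feature level, matching the separate rejection tlussnig observed for ALPN/SCT.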