
OpenSSL OCSP responder failing when request comes from MS Remote Desktop Service (Remoteapp) #7383

Closed
adriano-pinaffo opened this issue Oct 10, 2018 · 1 comment
Here is my scenario:

I have a root and intermediate CA in CentOS, with OpenSSL 1.0.2k-fips. I also set up an OCSP responder in the intermediate CA, to respond with the status of issued certificates. I also have a Windows 2012 R2 server with Remote Desktop Services enabled. I issued a certificate for it using my OpenSSL intermediate CA.

When I use OpenSSL tools to check the status of the certificate, it returns with Response verify OK, certificate good.

$ openssl ocsp -CAfile chain.mydomain.crt.pem -url http://myfqdn-ocsp-responder:8888 -resp_no_certs -issuer int.mydomain.crt.pem -cert server.mydomain.crt.pem
Response verify OK
server.mydomain.crt.pem: good
        This Update: Oct 10 16:44:50 2018 GMT

When I use the RDP connection (either the RDP file itself or the RemoteApp webaccess), I get an "A revocation check could not be performed for the certificate" error, although it lets me go through and continue. The certificate has the OCSP information correctly, though.
[Screenshot: the revocation check error dialog]
But that's really annoying for the users and I wanted to get rid of this error. In the OCSP responder server I get a couple of Invalid request errors and the log.txt has a Responder Error: malformedrequest (1) message.

The OCSP responder was started with:
# openssl ocsp -index ../index.txt -port 8888 -rsigner certs/ocspserver.mydomain.crt.pem -rkey private/ocspserver.mydomain.key.pem -CA ../certs/int.mydomain.crt.pem -text -ignore_err -out log.txt&

On the OCSP responder I captured the traffic, and to my surprise it seems OpenSSL and MS RDP check the certificate status in very different ways:

For OpenSSL checking:
An OCSP Request is sent; it contains the hashAlgorithm, issuerNameHash, issuerKeyHash and serialNumber.
It receives back an OCSP Response with responseStatus: successful (0)
[Screenshot: Wireshark capture of the request]

[Screenshot: Wireshark capture of the response]

For MS RDP checking:
After the regular 3-way handshake, the server sends an HTTP GET where the User-Agent is Microsoft-CryptoAPI/6.3 and the Full request URI is http://ocspserver.mydomain:8888/<a bunch of apparently random characters>
To that, the OCSP responder replies with an OCSP Response packet with responseStatus: malformedRequest (1)
Following that event the server establishes a new 3-way handshake, and now sends an OCSP Request, very similar to the one sent by OpenSSL. The OCSP responder responds with an OCSP Response with responseStatus: successful (0). That back and forth is done 3 times.
[Screenshot: Wireshark capture of the back and forth]

[Screenshot: Wireshark 1st request: server -> OCSP responder (HTTP GET)]

[Screenshot: Wireshark 1st response: OCSP responder -> server (OCSP)]

[Screenshot: Wireshark 2nd request: server -> OCSP responder (OCSP)]

[Screenshot: Wireshark 2nd response: OCSP responder -> server (OCSP)]

Apparently the second request by MS RDP, which gets a successful response, is ignored.
Does anyone know why this is happening?

Thank you,

t8m (Member) commented Jul 19, 2021

The 1.0.2 version is unsupported. Please open a new issue if you can reproduce the problem with the 1.1.1 or 3.0 versions.

@t8m t8m closed this as completed Jul 19, 2021