
Do not support nonce in ocsp response #29364

Open
oulinbao opened this issue Jan 16, 2025 · 1 comment
Labels
reproduced This issue has been reproduced by a Vault engineer secret/pki

Comments

@oulinbao

Is your feature request related to a problem? Please describe.
I have a FortiWeb, and when I used it to connect to Vault with an OCSP nonce, it failed.

Describe the solution you'd like
Because FortiWeb must use a nonce in the OCSP request, if Vault can respond with the nonce, it will be OK.

Describe alternatives you've considered
None

Explain any additional use-cases
None

Additional context
[screenshot attached to the original issue]
@stevendpclark stevendpclark added secret/pki reproduced This issue has been reproduced by a Vault engineer labels Jan 23, 2025
@stevendpclark
Contributor

Thanks @oulinbao for filing the issue; this is a known limitation of the PKI OCSP implementation, documented here: https://developer.hashicorp.com/vault/api-docs/secret/pki#ocsp-request

None of the extensions defined in the RFC are supported for requests or responses

I'll keep the issue open for better visibility and in case we decide to add support for nonces in OCSP requests. At the moment the Go library that we use doesn't support this feature.
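The nonce binding discussed in this thread, worked through as an added example. This is not code from the issue, from Vault, or from the golang.org/x/crypto/ocsp package Vault's responder is built on; it uses only the standard library's encoding/asn1 with hand-written subsets of the RFC 6960 structures, so it illustrates the protocol rather than any responder's internals. The client places the nonce extension (OID 1.3.6.1.5.5.7.48.1.2) in the request's requestExtensions; a responder that honours it copies the same extnValue into the response's responseExtensions; the client then refuses any response that does not carry it back. The echoNonce=false branch models a responder that ignores request extensions, which is the behaviour a nonce-requiring client such as FortiWeb fails on. The issuer hashes, serial number and responder key hash are constructed placeholders (real values are SHA-1 hashes of the issuer's DER name and public key), and the struct subsets omit requestorName, signatures, nextUpdate and responder certificates.

```go
package main

import (
	"bytes"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"math/big"
	"time"
)

var oidOCSPNonce = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 1, 2} // id-pkix-ocsp-nonce, RFC 6960 section 4.4.1
var oidSHA1 = asn1.ObjectIdentifier{1, 3, 14, 3, 2, 26}                 // id-sha1, the usual CertID hash algorithm

// Hand-written subsets of the RFC 6960 structures, just enough to show where the nonce lives.
type certID struct {
	HashAlgorithm pkix.AlgorithmIdentifier
	NameHash      []byte
	IssuerKeyHash []byte
	SerialNumber  *big.Int
}
type tbsRequest struct {
	Version           int                        `asn1:"explicit,tag:0,default:0,optional"`
	RequestList       []struct{ ReqCert certID }
	RequestExtensions []pkix.Extension           `asn1:"explicit,tag:2,optional"` // client puts the nonce here
}
type ocspRequest struct{ TBSRequest tbsRequest }
type singleResponse struct {
	CertID     certID
	CertStatus asn1.RawValue // CHOICE; [0] IMPLICIT NULL means "good"
	ThisUpdate time.Time `asn1:"generalized"`
}
type responseData struct {
	Version            int              `asn1:"explicit,tag:0,default:0,optional"`
	ResponderKeyHash   []byte           `asn1:"explicit,tag:2"` // ResponderID byKey
	ProducedAt         time.Time        `asn1:"generalized"`
	Responses          []singleResponse
	ResponseExtensions []pkix.Extension `asn1:"explicit,tag:1,optional"` // responder must echo the nonce here
}

var errNonceMissing = errors.New("ocsp: request carried a nonce but the response did not")
var errNonceMismatch = errors.New("ocsp: response nonce does not match request nonce")

// nonceValue is the extnValue encoding: per RFC 8954 the nonce is wrapped as a DER OCTET STRING.
func nonceValue(nonce []byte) []byte {
	v, _ := asn1.Marshal(nonce) // marshalling a byte slice cannot fail
	return v
}

// findNonce returns the raw extnValue of the nonce extension, if present.
func findNonce(exts []pkix.Extension) ([]byte, bool) {
	for _, e := range exts {
		if e.Id.Equal(oidOCSPNonce) {
			return e.Value, true
		}
	}
	return nil, false
}

// buildRequest encodes a request whose requestExtensions carry nonce, as a nonce-requiring client does.
func buildRequest(nameHash, keyHash []byte, serial *big.Int, nonce []byte) ([]byte, error) {
	id := certID{pkix.AlgorithmIdentifier{Algorithm: oidSHA1}, nameHash, keyHash, serial}
	return asn1.Marshal(ocspRequest{tbsRequest{
		RequestList:       []struct{ ReqCert certID }{{id}},
		RequestExtensions: []pkix.Extension{{Id: oidOCSPNonce, Value: nonceValue(nonce)}},
	}})
}

// buildResponseData encodes the to-be-signed ResponseData answering "good" for every CertID in
// reqDER. echoNonce=false models a responder that ignores request extensions entirely.
func buildResponseData(reqDER, responderKeyHash []byte, echoNonce bool) ([]byte, error) {
	var req ocspRequest
	if _, err := asn1.Unmarshal(reqDER, &req); err != nil {
		return nil, err
	}
	now := time.Now().UTC().Truncate(time.Second)
	rd := responseData{ResponderKeyHash: responderKeyHash, ProducedAt: now}
	for _, r := range req.TBSRequest.RequestList {
		good := asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 0}
		rd.Responses = append(rd.Responses, singleResponse{r.ReqCert, good, now})
	}
	if val, ok := findNonce(req.TBSRequest.RequestExtensions); ok && echoNonce {
		rd.ResponseExtensions = []pkix.Extension{{Id: oidOCSPNonce, Value: val}}
	}
	return asn1.Marshal(rd)
}

// checkNonce is the client-side step: the client remembers the nonce it sent and requires the
// response to echo it byte for byte, otherwise an earlier "good" answer could be replayed.
func checkNonce(sentNonce, respDER []byte) error {
	var rd responseData
	if _, err := asn1.Unmarshal(respDER, &rd); err != nil {
		return err
	}
	got, echoed := findNonce(rd.ResponseExtensions)
	if !echoed {
		return errNonceMissing // a strict client stops here, which is what this issue reports
	}
	if !bytes.Equal(got, nonceValue(sentNonce)) {
		return errNonceMismatch
	}
	return nil
}
```

Feed buildRequest's output to buildResponseData with echoNonce set to false and checkNonce returns errNonceMissing; with true it returns nil, and a response built for a different nonce returns errNonceMismatch. As I read golang.org/x/crypto/ocsp, its ParseRequest has no field for requestExtensions and Response.ExtraExtensions are emitted as singleExtensions rather than responseExtensions, so a responder built on it cannot echo the nonce in the place RFC 6960 section 4.4.1 specifies without changes to the library, which matches the comment above. Without the nonce a client is left with thisUpdate/nextUpdate freshness alone, which is the trade-off an operator accepts when disabling the nonce requirement on the client side.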
