From 707b27418f0bcb0e8c30eebc0478d411d55bc921 Mon Sep 17 00:00:00 2001
From: Peter Eckersley
Date: Thu, 5 Jan 2017 12:06:51 -0800
Subject: [PATCH] Explicitly handle "unknown" responses from openssl
---
 certbot/ocsp.py | 4 +++-
 certbot/tests/ocsp_test.py | 11 +++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/certbot/ocsp.py b/certbot/ocsp.py
index fd99ffe54..b18bb92d9 100644
--- a/certbot/ocsp.py
+++ b/certbot/ocsp.py
@@ -98,11 +98,13 @@ def _translate_ocsp_query(cert_path, ocsp_output, ocsp_errors):
     pattern = r"{0}: (WARNING.*)?good".format(cert_path)
     rpattern = r"{0}: (WARNING.*)?revoked".format(cert_path)
+    upattern = r"{0}: (WARNING.*)?unknown".format(cert_path)
     good = re.search(pattern, ocsp_output, flags=re.DOTALL)
     revoked = re.search(rpattern, ocsp_output, flags=re.DOTALL)
+    unknown = re.search(upattern, ocsp_output, flags=re.DOTALL)
     warning = good.group(1) if good else None
-    if (not "Response verify OK" in ocsp_errors) or (good and warning):
+    if (not "Response verify OK" in ocsp_errors) or (good and warning) or unknown:
         logger.info("Revocation status for %s is unknown", cert_path)
         logger.debug("Uncertain output:\n%s\nstderr:\n%s", ocsp_output, ocsp_errors)
         return False
diff --git a/certbot/tests/ocsp_test.py b/certbot/tests/ocsp_test.py
index 6770f04d9..549e83ca8 100644
--- a/certbot/tests/ocsp_test.py
+++ b/certbot/tests/ocsp_test.py
@@ -98,6 +98,10 @@ class OCSPTest(unittest.TestCase):
         self.assertEqual(ocsp._translate_ocsp_query(*openssl_confused), False)
         self.assertEqual(mock_log.debug.call_count, 1)
         self.assertEqual(mock_log.warn.call_count, 0)
+        mock_log.debug.call_count = 0
+        self.assertEqual(ocsp._translate_ocsp_query(*openssl_unknown), False)
+        self.assertEqual(mock_log.debug.call_count, 1)
+        self.assertEqual(mock_log.warn.call_count, 0)
         self.assertEqual(ocsp._translate_ocsp_query(*openssl_expired_ocsp), False)
         self.assertEqual(mock_log.debug.call_count, 2)
         self.assertEqual(ocsp._translate_ocsp_query(*openssl_broken), False)
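Review bot: The new `upattern` on the first added line of the ocsp.py hunk interpolates `cert_path` into the regex unescaped, so a path containing regex metacharacters is matched loosely (the `.` in `blah.pem` already matches any character) or makes `re.search` raise `re.error` for `+`, `(` or `[`; the two existing `pattern`/`rpattern` lines share the problem, so the fix belongs on all three: `upattern = r"{0}: (WARNING.*)?unknown".format(re.escape(cert_path))`. The added `or unknown` folds a responder that explicitly answers `unknown` into the same branch as an unverifiable response, which logs at info and returns False; if callers read False as "not revoked", that is a fail-open decision that deserves a comment at the branch, e.g. `# unverified, good-with-warning and "unknown" all report as not revoked; callers cannot tell them apart`. On the rewritten `if` line, `"Response verify OK" not in ocsp_errors` is the idiomatic form of `not "..." in ...`. `_translate_ocsp_query` continues past the end of the hunk.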
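Review bot: The added `mock_log.debug.call_count = 0` in the ocsp_test.py hunk resets the counter by assignment, which leaves `call_args_list` and `mock_calls` stale and reads like a typo for an assertion; `mock_log.debug.reset_mock()` is the supported way and makes the intent obvious. The unchanged assertion `self.assertEqual(mock_log.debug.call_count, 2)` after the `openssl_expired_ocsp` call now depends on that reset, so a comment such as `# reset so the expired-OCSP assertions below count from zero` would spare the next reader the arithmetic. The enclosing test method starts outside the hunk.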
@@ -135,6 +139,13 @@ blah.pem: revoked
 """, """Response verify OK""")
+openssl_unknown = ("blah.pem", """
+blah.pem: unknown
+    This Update: Dec 20 18:00:00 2016 GMT
+    Next Update: Dec 27 18:00:00 2016 GMT
+""",
+"Response verify OK")
 openssl_broken = ("", "tentacles", "Response verify OK")
 openssl_expired_ocsp = ("blah.pem", """