Resolver and OCSP

Hello, can anyone please explain to me why I am getting these lines in the log:
kresd[6004]: [tls_client] failed to verify peer certificate: The certificate is NOT trusted. The revocation or OCSP data are old and have been superseded.

It happens almost every time the router is rebooted or upgraded. The only way to solve it is to run:
/etc/init.d/resolver restart
Then the logs are free of errors and the resolver works fine.

Main resolver config:

config resolver 'kresd'
	option rundir '/tmp/kresd'
	option log_stderr '1'
	option log_stdout '1'
	option forks '1'
	option keep_cache '1'
	option include_config '/etc/kresd/custom.conf'

config resolver 'common'
    	option port '53'
    	option keyfile '/etc/root.keys'
    	option verbose '0'
    	option msg_buffer_size '4096'
    	option msg_cache_size '50M'
    	option net_ipv6 '0'
    	option net_ipv4 '1'
    	option prefered_resolver 'kresd'
    	option prefetch 'yes'
    	option static_domains '1'
    	option dynamic_domains '0'
    	option ignore_root_key '0'
    	option forward_upstream '0'

and kresd (/etc/kresd/custom.conf):

-- Network settings
net = {
	'127.0.0.1',
	--LAN
	'192.168.1.1'
	}

-- Cache setting
cache.size = 20 * MB

-- Local records
hints.config('/etc/hosts')
hints['turris'] = '192.168.1.1'

-- Because of DNS flagday 2020
net.bufsize(1232)

-- Forward queries to another DNS providers over TLS.
require 'math'
math.randomseed(os.time())
tls_bundle='/etc/ssl/certs/ca-certificates.crt'

dns_providers = {
  { -- CZ.NIC
    {'193.17.47.1', hostname='odvr.nic.cz', ca_file=tls_bundle},
    {'185.43.135.1', hostname='odvr.nic.cz', ca_file=tls_bundle},
    {'2001:148f:ffff::1', hostname='odvr.nic.cz', ca_file=tls_bundle},
    {'2001:148f:fffe::1', hostname='odvr.nic.cz', ca_file=tls_bundle},
  },
  { -- UncensoredDNS
    {'89.233.43.71', hostname='unicast.censurfridns.dk', ca_file=tls_bundle},
    {'2a01:3a0:53:53::0', hostname='unicast.censurfridns.dk', ca_file=tls_bundle},
  }
}

-- Blacklist is being automatically regenerated.

policy.add(policy.rpz(policy.DENY, '/etc/kresd/blacklist.rpz'))
policy.add(policy.all(policy.TLS_FORWARD(dns_providers[math.random(1, #dns_providers)])))

Well, GnuTLS thinks that the unicast.censurfridns.dk server sends a bad OCSP staple in the handshake (also when I try it from my PC). Let me paste (overly) verbose logs for reference:

[gnutls] (5) REC[0x17c3160]: Allocating epoch #1
[gnutls] (4) HSK[0x17c3160]: Adv. version: 3.3
[gnutls] (2) Keeping ciphersuite 13.02 (GNUTLS_AES_256_GCM_SHA384)
[gnutls] (2) Keeping ciphersuite 13.03 (GNUTLS_CHACHA20_POLY1305_SHA256)
[gnutls] (2) Keeping ciphersuite 13.01 (GNUTLS_AES_128_GCM_SHA256)
[gnutls] (2) Keeping ciphersuite 13.04 (GNUTLS_AES_128_CCM_SHA256)
[gnutls] (2) Keeping ciphersuite c0.2c (GNUTLS_ECDHE_ECDSA_AES_256_GCM_SHA384)
[gnutls] (2) Keeping ciphersuite cc.a9 (GNUTLS_ECDHE_ECDSA_CHACHA20_POLY1305)
[gnutls] (2) Keeping ciphersuite c0.ad (GNUTLS_ECDHE_ECDSA_AES_256_CCM)
[gnutls] (2) Keeping ciphersuite c0.0a (GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA1)
[gnutls] (2) Keeping ciphersuite c0.2b (GNUTLS_ECDHE_ECDSA_AES_128_GCM_SHA256)
[gnutls] (2) Keeping ciphersuite c0.ac (GNUTLS_ECDHE_ECDSA_AES_128_CCM)
[gnutls] (2) Keeping ciphersuite c0.09 (GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA1)
[gnutls] (2) Keeping ciphersuite c0.30 (GNUTLS_ECDHE_RSA_AES_256_GCM_SHA384)
[gnutls] (2) Keeping ciphersuite cc.a8 (GNUTLS_ECDHE_RSA_CHACHA20_POLY1305)
[gnutls] (2) Keeping ciphersuite c0.14 (GNUTLS_ECDHE_RSA_AES_256_CBC_SHA1)
[gnutls] (2) Keeping ciphersuite c0.2f (GNUTLS_ECDHE_RSA_AES_128_GCM_SHA256)
[gnutls] (2) Keeping ciphersuite c0.13 (GNUTLS_ECDHE_RSA_AES_128_CBC_SHA1)
[gnutls] (2) Keeping ciphersuite 00.9d (GNUTLS_RSA_AES_256_GCM_SHA384)
[gnutls] (2) Keeping ciphersuite c0.9d (GNUTLS_RSA_AES_256_CCM)
[gnutls] (2) Keeping ciphersuite 00.35 (GNUTLS_RSA_AES_256_CBC_SHA1)
[gnutls] (2) Keeping ciphersuite 00.9c (GNUTLS_RSA_AES_128_GCM_SHA256)
[gnutls] (2) Keeping ciphersuite c0.9c (GNUTLS_RSA_AES_128_CCM)
[gnutls] (2) Keeping ciphersuite 00.2f (GNUTLS_RSA_AES_128_CBC_SHA1)
[gnutls] (2) Keeping ciphersuite 00.9f (GNUTLS_DHE_RSA_AES_256_GCM_SHA384)
[gnutls] (2) Keeping ciphersuite cc.aa (GNUTLS_DHE_RSA_CHACHA20_POLY1305)
[gnutls] (2) Keeping ciphersuite c0.9f (GNUTLS_DHE_RSA_AES_256_CCM)
[gnutls] (2) Keeping ciphersuite 00.39 (GNUTLS_DHE_RSA_AES_256_CBC_SHA1)
[gnutls] (2) Keeping ciphersuite 00.9e (GNUTLS_DHE_RSA_AES_128_GCM_SHA256)
[gnutls] (2) Keeping ciphersuite c0.9e (GNUTLS_DHE_RSA_AES_128_CCM)
[gnutls] (2) Keeping ciphersuite 00.33 (GNUTLS_DHE_RSA_AES_128_CBC_SHA1)
[gnutls] (4) EXT[0x17c3160]: Preparing extension (OCSP Status Request/5) for 'client hello'
[gnutls] (4) EXT[0x17c3160]: Sending extension OCSP Status Request/5 (5 bytes)
[gnutls] (4) EXT[0x17c3160]: Preparing extension (Client Certificate Type/19) for 'client hello'
[gnutls] (4) EXT[0x17c3160]: Preparing extension (Server Certificate Type/20) for 'client hello'
[gnutls] (4) EXT[0x17c3160]: Preparing extension (Supported Groups/10) for 'client hello'
[gnutls] (4) EXT[0x17c3160]: Sent group SECP256R1 (0x17)
[gnutls] (4) EXT[0x17c3160]: Sent group SECP384R1 (0x18)
[gnutls] (4) EXT[0x17c3160]: Sent group SECP521R1 (0x19)
[gnutls] (4) EXT[0x17c3160]: Sent group X25519 (0x1d)
[gnutls] (4) EXT[0x17c3160]: Sent group X448 (0x1e)
[gnutls] (4) EXT[0x17c3160]: Sent group FFDHE2048 (0x100)
[gnutls] (4) EXT[0x17c3160]: Sent group FFDHE3072 (0x101)
[gnutls] (4) EXT[0x17c3160]: Sent group FFDHE4096 (0x102)
[gnutls] (4) EXT[0x17c3160]: Sent group FFDHE6144 (0x103)
[gnutls] (4) EXT[0x17c3160]: Sent group FFDHE8192 (0x104)
[gnutls] (4) EXT[0x17c3160]: Sending extension Supported Groups/10 (22 bytes)
[gnutls] (4) EXT[0x17c3160]: Preparing extension (Supported EC Point Formats/11) for 'client hello'
[gnutls] (4) EXT[0x17c3160]: Sending extension Supported EC Point Formats/11 (2 bytes)
[gnutls] (4) EXT[0x17c3160]: Preparing extension (SRP/12) for 'client hello'
[gnutls] (4) EXT[0x17c3160]: Preparing extension (Signature Algorithms/13) for 'client hello'
[gnutls] (4) EXT[0x17c3160]: sent signature algo (4.1) RSA-SHA256
[gnutls] (4) EXT[0x17c3160]: sent signature algo (8.9) RSA-PSS-SHA256
[gnutls] (4) EXT[0x17c3160]: sent signature algo (8.4) RSA-PSS-RSAE-SHA256
[gnutls] (4) EXT[0x17c3160]: sent signature algo (4.3) ECDSA-SHA256
[gnutls] (4) EXT[0x17c3160]: sent signature algo (8.7) EdDSA-Ed25519
[gnutls] (4) EXT[0x17c3160]: sent signature algo (5.1) RSA-SHA384
[gnutls] (4) EXT[0x17c3160]: sent signature algo (8.10) RSA-PSS-SHA384
[gnutls] (4) EXT[0x17c3160]: sent signature algo (8.5) RSA-PSS-RSAE-SHA384
[gnutls] (4) EXT[0x17c3160]: sent signature algo (5.3) ECDSA-SHA384
[gnutls] (4) EXT[0x17c3160]: sent signature algo (8.8) EdDSA-Ed448
[gnutls] (4) EXT[0x17c3160]: sent signature algo (6.1) RSA-SHA512
[gnutls] (4) EXT[0x17c3160]: sent signature algo (8.11) RSA-PSS-SHA512
[gnutls] (4) EXT[0x17c3160]: sent signature algo (8.6) RSA-PSS-RSAE-SHA512
[gnutls] (4) EXT[0x17c3160]: sent signature algo (6.3) ECDSA-SHA512
[gnutls] (4) EXT[0x17c3160]: sent signature algo (2.1) RSA-SHA1
[gnutls] (4) EXT[0x17c3160]: sent signature algo (2.3) ECDSA-SHA1
[gnutls] (4) EXT[0x17c3160]: Sending extension Signature Algorithms/13 (34 bytes)
[gnutls] (4) EXT[0x17c3160]: Preparing extension (SRTP/14) for 'client hello'
[gnutls] (4) EXT[0x17c3160]: Preparing extension (Heartbeat/15) for 'client hello'
[gnutls] (4) EXT[0x17c3160]: Preparing extension (ALPN/16) for 'client hello'
[gnutls] (4) EXT[0x17c3160]: Preparing extension (Encrypt-then-MAC/22) for 'client hello'
[gnutls] (4) EXT[0x17c3160]: Sending extension Encrypt-then-MAC/22 (0 bytes)
[gnutls] (4) EXT[0x17c3160]: Preparing extension (Extended Master Secret/23) for 'client hello'
[gnutls] (4) EXT[0x17c3160]: Sending extension Extended Master Secret/23 (0 bytes)
[gnutls] (4) EXT[0x17c3160]: Preparing extension (Session Ticket/35) for 'client hello'
[gnutls] (4) EXT[0x17c3160]: Sending extension Session Ticket/35 (0 bytes)
[gnutls] (4) EXT[0x17c3160]: Preparing extension (Key Share/51) for 'client hello'
[gnutls] (4) EXT[0x17c3160]: sending key share for SECP256R1
[gnutls] (4) EXT[0x17c3160]: sending key share for X25519
[gnutls] (4) EXT[0x17c3160]: Sending extension Key Share/51 (107 bytes)
[gnutls] (4) EXT[0x17c3160]: Preparing extension (Supported Versions/43) for 'client hello'
[gnutls] (2) Advertizing version 3.4
[gnutls] (2) Advertizing version 3.3
[gnutls] (4) EXT[0x17c3160]: Sending extension Supported Versions/43 (5 bytes)
[gnutls] (4) EXT[0x17c3160]: Preparing extension (Post Handshake Auth/49) for 'client hello'
[gnutls] (4) EXT[0x17c3160]: Preparing extension (Safe Renegotiation/65281) for 'client hello'
[gnutls] (4) EXT[0x17c3160]: Sending extension Safe Renegotiation/65281 (1 bytes)
[gnutls] (4) EXT[0x17c3160]: Preparing extension (Server Name Indication/0) for 'client hello'
[gnutls] (2) HSK[0x17c3160]: sent server name: 'unicast.censurfridns.dk'
[gnutls] (4) EXT[0x17c3160]: Sending extension Server Name Indication/0 (28 bytes)
[gnutls] (4) EXT[0x17c3160]: Preparing extension (Cookie/44) for 'client hello'
[gnutls] (4) EXT[0x17c3160]: Preparing extension (Early Data/42) for 'client hello'
[gnutls] (4) EXT[0x17c3160]: Preparing extension (PSK Key Exchange Modes/45) for 'client hello'
[gnutls] (4) EXT[0x17c3160]: Sending extension PSK Key Exchange Modes/45 (3 bytes)
[gnutls] (4) EXT[0x17c3160]: Preparing extension (Record Size Limit/28) for 'client hello'
[gnutls] (4) EXT[0x17c3160]: Sending extension Record Size Limit/28 (2 bytes)
[gnutls] (4) EXT[0x17c3160]: Preparing extension (Maximum Record Size/1) for 'client hello'
[gnutls] (4) EXT[0x17c3160]: Preparing extension (ClientHello Padding/21) for 'client hello'
[gnutls] (4) EXT[0x17c3160]: Preparing extension (Pre Shared Key/41) for 'client hello'
[gnutls] (4) HSK[0x17c3160]: CLIENT HELLO was queued [364 bytes]
[gnutls] (5) REC[0x17c3160]: Preparing Packet Handshake(22) with length: 364 and min pad: 0
[gnutls] (5) REC[0x17c3160]: Sent Packet[1] Handshake(22) in epoch 0 and length: 369
[gnutls] (3) ASSERT: buffers.c[get_last_packet]:1168
[gnutls] (3) ASSERT: buffers.c[_gnutls_io_read_buffered]:589
[gnutls] (3) ASSERT: buffers.c[get_last_packet]:1168
[gnutls] (5) REC[0x17c3160]: SSL 3.3 Handshake packet received. Epoch 0, length: 123
[gnutls] (5) REC[0x17c3160]: Expected Packet Handshake(22)
[gnutls] (5) REC[0x17c3160]: Received Packet Handshake(22) with length: 123
[gnutls] (5) REC[0x17c3160]: Decrypted Packet[0] Handshake(22) with length: 123
[gnutls] (4) HSK[0x17c3160]: SERVER HELLO (2) was received. Length 119[119], frag offset 0, frag length: 119, sequence: 0
[gnutls] (3) ASSERT: buffers.c[get_last_packet]:1159
[gnutls] (3) ASSERT: buffers.c[_gnutls_handshake_io_recv_int]:1411
[gnutls] (4) HSK[0x17c3160]: Server's version: 3.3
[gnutls] (4) EXT[0x17c3160]: Parsing extension 'Supported Versions/43' (2 bytes)
[gnutls] (4) EXT[0x17c3160]: Negotiated version: 3.4
[gnutls] (4) HSK[0x17c3160]: Selected cipher suite: GNUTLS_AES_256_GCM_SHA384
[gnutls] (4) EXT[0x17c3160]: Parsing extension 'Key Share/51' (69 bytes)
[gnutls] (4) HSK[0x17c3160]: Selected group SECP256R1 (2)
[gnutls] (2) EXT[0x17c3160]: client generated SECP256R1 shared key
[gnutls] (5) REC[0x17c3160]: Preparing Packet ChangeCipherSpec(20) with length: 1 and min pad: 0
[gnutls] (5) REC[0x17c3160]: Sent Packet[2] ChangeCipherSpec(20) in epoch 0 and length: 6
[gnutls] (4) REC[0x17c3160]: Sent ChangeCipherSpec
[gnutls] (5) REC[0x17c3160]: Initializing epoch #1
[gnutls] (5) REC[0x17c3160]: Epoch #1 ready
[gnutls] (4) HSK[0x17c3160]: TLS 1.3 re-key with cipher suite: GNUTLS_AES_256_GCM_SHA384
[gnutls] (3) ASSERT: buffers.c[get_last_packet]:1168
[gnutls] (5) REC[0x17c3160]: SSL 3.3 ChangeCipherSpec packet received. Epoch 1, length: 1
[gnutls] (5) REC[0x17c3160]: Expected Packet Handshake(22)
[gnutls] (5) REC[0x17c3160]: Received Packet ChangeCipherSpec(20) with length: 1
[gnutls] (5) REC[0x17c3160]: SSL 3.3 Application Data packet received. Epoch 1, length: 39
[gnutls] (5) REC[0x17c3160]: Expected Packet Handshake(22)
[gnutls] (5) REC[0x17c3160]: Received Packet Application Data(23) with length: 39
[gnutls] (5) REC[0x17c3160]: Decrypted Packet[0] Handshake(22) with length: 22
[gnutls] (4) HSK[0x17c3160]: ENCRYPTED EXTENSIONS (8) was received. Length 18[18], frag offset 0, frag length: 18, sequence: 0
[gnutls] (4) HSK[0x17c3160]: parsing encrypted extensions
[gnutls] (4) EXT[0x17c3160]: Parsing extension 'Supported Groups/10' (12 bytes)
[gnutls] (3) ASSERT: buffers.c[get_last_packet]:1168
[gnutls] (5) REC[0x17c3160]: SSL 3.3 Application Data packet received. Epoch 1, length: 3123
[gnutls] (5) REC[0x17c3160]: Expected Packet Handshake(22)
[gnutls] (5) REC[0x17c3160]: Received Packet Application Data(23) with length: 3123
[gnutls] (5) REC[0x17c3160]: Decrypted Packet[1] Handshake(22) with length: 3106
[gnutls] (4) HSK[0x17c3160]: CERTIFICATE (11) was received. Length 3102[3102], frag offset 0, frag length: 3102, sequence: 0
[gnutls] (3) ASSERT: buffers.c[get_last_packet]:1159
[gnutls] (3) ASSERT: buffers.c[_gnutls_handshake_io_recv_int]:1411
[gnutls] (4) HSK[0x17c3160]: parsing certificate message
[gnutls] (4) Found OCSP response on cert 0
[gnutls] (3) ASSERT: buffers.c[get_last_packet]:1168
[gnutls] (5) REC[0x17c3160]: SSL 3.3 Application Data packet received. Epoch 1, length: 127
[gnutls] (5) REC[0x17c3160]: Expected Packet Handshake(22)
[gnutls] (5) REC[0x17c3160]: Received Packet Application Data(23) with length: 127
[gnutls] (5) REC[0x17c3160]: Decrypted Packet[2] Handshake(22) with length: 110
[gnutls] (4) HSK[0x17c3160]: CERTIFICATE VERIFY (15) was received. Length 106[106], frag offset 0, frag length: 106, sequence: 0
[gnutls] (4) HSK[0x17c3160]: Parsing certificate verify
[gnutls] (4) HSK[0x17c3160]: verifying TLS 1.3 handshake data using ECDSA-SECP384R1-SHA384
[gnutls] (3) ASSERT: common.c[_gnutls_x509_der_encode]:855
[gnutls] (3) ASSERT: ocsp.c[find_signercert]:2058
[gnutls] (3) ASSERT: ocsp.c[gnutls_ocsp_resp_verify]:2329
[gnutls] (3) ASSERT: common.c[_gnutls_x509_der_encode]:855
[gnutls] (3) ASSERT: ocsp.c[find_signercert]:2058
[gnutls] (3) ASSERT: mpi.c[wrap_nettle_mpi_print]:60
[gnutls] (3) ASSERT: mpi.c[wrap_nettle_mpi_print]:60
[gnutls] (3) ocsp signer: subject `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x0a0141420000015385736a0b85eca708, RSA key 2048 bits, signed using RSA-SHA256, activated `2016-03-17 16:40:46 UTC', expires `2021-03-17 16:40:46 UTC', pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="
[gnutls] (3) ASSERT: ocsp.c[gnutls_ocsp_resp_get_single]:1623
[gnutls] (1) There is a newer OCSP response but was not provided by the server
[gnutls] (3) ASSERT: ocsp-api.c[gnutls_ocsp_status_request_get2]:98
[gnutls] (3) ASSERT: name_constraints.c[gnutls_x509_crt_get_name_constraints]:469
[gnutls] (3) ASSERT: name_constraints.c[gnutls_x509_crt_get_name_constraints]:469
[tls_client] failed to verify peer certificate: The certificate is NOT trusted. The revocation or OCSP data are old and have been superseded. 
[gnutls] (3) ASSERT: handshake.c[_gnutls_run_verify_callback]:2901
[gnutls] (3) ASSERT: handshake-tls13.c[_gnutls13_handshake_client]:150
[tls_client] gnutls_handshake failed: GNUTLS_E_CERTIFICATE_ERROR (-43)
[gnutls] (5) REC: Sending Alert[2|42] - Certificate is bad
[gnutls] (5) REC[0x17c3160]: Preparing Packet Alert(21) with length: 2 and min pad: 0
[gnutls] (5) REC[0x17c3160]: Sent Packet[1] Alert(21) in epoch 1 and length: 24

EDIT: the most interesting line would probably be

There is a newer OCSP response but was not provided by the server

Correct. If using the openssl s_client you can see the problem clearly:

$ openssl s_client -connect unicast.censurfridns.dk:443 -tlsextdebug -status
...
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    Produced At: Oct 28 14:13:00 2020 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
      Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
      Serial Number: 0338245FE1E5CA60D98B3E5FD260D1F90093
    Cert Status: good
    This Update: Oct 28 14:00:00 2020 GMT
    Next Update: Nov  4 14:00:00 2020 GMT
...

So the OCSP stamp provided by the server is out of date.

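A monitoring check for the condition diagnosed above, as an added example that is not part of the original posts: it parses the OCSP fields printed by `openssl s_client -status` and classifies the staple against a given time. The function names, the 24-hour warning window and the "Next Update is in the past" criterion are this example's assumptions; the sample text is taken from the response quoted above.

```python
import re
from datetime import datetime, timezone

# OCSP fields as printed by `openssl s_client -status`
# (lines copied from the response quoted in the thread above).
SAMPLE_STATUS_OUTPUT = """\
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Produced At: Oct 28 14:13:00 2020 GMT
    Cert Status: good
    This Update: Oct 28 14:00:00 2020 GMT
    Next Update: Nov  4 14:00:00 2020 GMT
"""

_FIELD = re.compile(
    r"^[ \t]*(Cert Status|This Update|Next Update):[ \t]*(.+?)[ \t]*$", re.M)


def _parse_time(text):
    # OpenSSL pads single-digit days ("Nov  4"); collapse the whitespace first.
    normalized = " ".join(text.split())
    parsed = datetime.strptime(normalized, "%b %d %H:%M:%S %Y GMT")
    return parsed.replace(tzinfo=timezone.utc)


def parse_staple(output):
    """Extract status and validity window from s_client -status text."""
    fields = dict(_FIELD.findall(output))
    if "This Update" not in fields:
        raise ValueError("no OCSP response found (server sent no staple?)")
    next_update = fields.get("Next Update")  # optional field in OCSP
    return {
        "cert_status": fields.get("Cert Status"),
        "this_update": _parse_time(fields["This Update"]),
        "next_update": _parse_time(next_update) if next_update else None,
    }


def staple_state(output, now, warn_hours=24):
    """Classify a stapled response at time `now` (timezone-aware UTC)."""
    staple = parse_staple(output)
    if staple["cert_status"] != "good":
        return "not-good"
    if now < staple["this_update"]:
        return "not-yet-valid"  # typically a wrong local clock
    if staple["next_update"] is None:
        return "no-expiry"
    if now > staple["next_update"]:
        return "stale"  # server keeps serving a staple past Next Update
    remaining = (staple["next_update"] - now).total_seconds()
    return "expiring" if remaining < warn_hours * 3600 else "fresh"
```

Feeding it the live output of the `openssl s_client ... -status` command shown above with `datetime.now(timezone.utc)` turns the manual inspection into a check that can alert before clients start rejecting the handshake.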

Good point, both of you. What I can see now is this:

OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    Produced At: Nov 21 14:13:00 2020 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
      Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
      Serial Number: 0338245FE1E5CA60D98B3E5FD260D1F90093
    Cert Status: good
    This Update: Nov 21 14:00:00 2020 GMT
    Next Update: Nov 28 14:00:00 2020 GMT

    Signature Algorithm: sha256WithRSAEncryption

So they probably did update - like now?
EDIT: Anyway, it seems that the problem is with this server, I mean unicast.censurfridns.dk, right?

It seems they fixed their server’s problem.

The reason why it works is because I contacted the owner of censurfridns.dk and he fixed it rather quickly. :)


Well done! Thank you very much.
This ticket can be closed.