From 6fbf3da1486d4888016dc98e3056ece0274ffbe0 Mon Sep 17 00:00:00 2001 From: Steven Clark Date: Fri, 17 Mar 2023 14:07:04 -0400 Subject: [PATCH] Add known issue about OCSP GET redirection responses (#19523) --- website/content/docs/upgrading/upgrade-to-1.12.x.mdx | 2 ++ website/content/docs/upgrading/upgrade-to-1.13.x.mdx | 4 +++- website/content/partials/ocsp-redirect.mdx | 11 +++++++++++ 3 files changed, 16 insertions(+), 1 deletion(-) create mode 100644 website/content/partials/ocsp-redirect.mdx diff --git a/website/content/docs/upgrading/upgrade-to-1.12.x.mdx b/website/content/docs/upgrading/upgrade-to-1.12.x.mdx index 13b716f17..ede60be52 100644 --- a/website/content/docs/upgrading/upgrade-to-1.12.x.mdx +++ b/website/content/docs/upgrading/upgrade-to-1.12.x.mdx @@ -182,3 +182,5 @@ As a workaround, OCSP POST requests can be used which are unaffected. Affects version 1.12.3. A fix will be released in 1.12.4. @include 'tokenization-rotation-persistence.mdx' + +@include 'ocsp-redirect.mdx' diff --git a/website/content/docs/upgrading/upgrade-to-1.13.x.mdx b/website/content/docs/upgrading/upgrade-to-1.13.x.mdx index 276e28a2c..71254b098 100644 --- a/website/content/docs/upgrading/upgrade-to-1.13.x.mdx +++ b/website/content/docs/upgrading/upgrade-to-1.13.x.mdx @@ -78,4 +78,6 @@ are unaffected. ## Known Issues -@include 'tokenization-rotation-persistence.mdx' \ No newline at end of file +@include 'tokenization-rotation-persistence.mdx' + +@include 'ocsp-redirect.mdx' diff --git a/website/content/partials/ocsp-redirect.mdx b/website/content/partials/ocsp-redirect.mdx new file mode 100644 index 000000000..e63337cad --- /dev/null +++ b/website/content/partials/ocsp-redirect.mdx @@ -0,0 +1,11 @@ +### PKI OCSP GET requests can return HTTP redirect responses + +If a base64 encoded OCSP request contains consecutive '/' characters, the GET request +will return a 301 permanent redirect response. If the redirection is followed, the +request will not decode as it will not be a properly base64 encoded request. + +As a workaround, OCSP POST requests can be used which are unaffected. + +#### Impacted Versions + +Affects all current versions of 1.12.x and 1.13.x