
2019.08.20 Let’s Encrypt Incident: Incorrect OCSP responses under certain conditions


Josh Aas

Aug 26, 2019, 8:14:23 PM8/26/19
to mozilla-dev-s...@lists.mozilla.org
On 2019.08.20 at 08:48 UTC we received a report from community member and Apache httpd developer Stefan Eissing that under certain conditions our OCSP caching layer would return a valid OCSP response but not the one that was requested. This resulted in our OCSP service acting in violation of RFC 6960.

Upon further investigation we believe that the only condition that would trigger the incorrect behavior was making the OCSP request via POST with the “Expect: 100-continue” header described in RFC 7231 section 5.1.1 set. So far we have no reason to believe that the problem affected any significant portion of OCSP requests.

We quickly determined that the problem was with our CDN, Akamai, since our OCSP responder origin servers were not seeing any of the requests in question. We reported the problem to Akamai and they have fixed the issue.

After initially confirming the report we reached out to multiple other CAs that we believed would also be affected. Other affected CAs should also benefit from the fix that Akamai made.
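Added example, not code from Josh's post, from Let's Encrypt, or from Akamai: a client-side check that a received OCSP response actually carries a SingleResponse for the CertID that was requested, which is the RFC 6960 property the caching bug above violated (a "valid" response for some other certificate must be rejected rather than treated as good). The script includes a small DER encoder only so it can build a constructed request and constructed responses and run offline; the issuer hashes, serial numbers, timestamp and signature bytes are placeholders, and the decoder models only the parts of OCSPRequest/OCSPResponse the check needs. It does not verify the signature; that check belongs alongside this one.

```python
"""Check that an OCSP response answers the CertID(s) actually requested (RFC 6960).

Added example; not code from the post or from Let's Encrypt. Sample values
(issuer hashes, serials, time, signature) are constructed placeholders.
"""
import hashlib

# ---- minimal DER encoding (only used to build the constructed sample messages) ----
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def seq(*items):
    return tlv(0x30, b"".join(items))

def der_int(n):
    # positive INTEGER; the extra byte keeps the sign bit clear when needed
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

# ---- minimal DER decoding ----
def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    if start + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[start:start + length], start + length

def children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = read_tlv(content, pos)
        out.append((tag, val))
    return out

def find_cert_ids(tag, val):
    """Collect (issuerNameHash, issuerKeyHash, serialNumber) from every CertID in a DER tree.
    CertID ::= SEQUENCE { AlgorithmIdentifier, OCTET STRING, OCTET STRING, INTEGER }."""
    if tag == 0x30:
        kids = children(val)
        if [t for t, _ in kids] == [0x30, 0x04, 0x04, 0x02]:
            return [(kids[1][1], kids[2][1], int.from_bytes(kids[3][1], "big", signed=True))]
    if tag & 0x20:  # constructed type: descend into it
        return [c for t, v in children(val) for c in find_cert_ids(t, v)]
    return []

def request_cert_ids(request_der):
    tag, val, _ = read_tlv(request_der)
    return set(find_cert_ids(tag, val))

def response_cert_ids(response_der):
    """Unwrap OCSPResponse -> responseBytes -> BasicOCSPResponse and collect its CertIDs.
    Returns None when responseStatus is not successful(0)."""
    _, body, _ = read_tlv(response_der)
    kids = children(body)
    if kids[0] != (0x0A, b"\x00") or len(kids) < 2:   # ENUMERATED successful(0) required
        return None
    (_, rb_seq), = children(kids[1][1])                # [0] EXPLICIT -> ResponseBytes SEQUENCE
    (_, _oid), (_, basic_der) = children(rb_seq)      # responseType OID, response OCTET STRING
    tag, val, _ = read_tlv(basic_der)
    return set(find_cert_ids(tag, val))

def response_answers_request(request_der, response_der):
    """True only if a successful response has a SingleResponse for every requested CertID.
    A valid-but-unrelated response (the failure mode in the incident) yields False."""
    answered = response_cert_ids(response_der)
    return answered is not None and request_cert_ids(request_der) <= answered

# ---- constructed sample messages (placeholder values, no real CA data) ----
SHA256_ALG = seq(bytes.fromhex("0609608648016503040201"), b"\x05\x00")    # id-sha256, NULL
NAME_HASH = hashlib.sha256(b"constructed issuer name").digest()
KEY_HASH = hashlib.sha256(b"constructed issuer key").digest()

def cert_id(serial):
    return seq(SHA256_ALG, tlv(0x04, NAME_HASH), tlv(0x04, KEY_HASH), der_int(serial))

def build_request(serial):
    # OCSPRequest { tbsRequest { requestList { Request { reqCert } } } }
    return seq(seq(seq(seq(cert_id(serial)))))

def build_response(serials):
    """Successful OCSPResponse with certStatus 'good' for each serial; signature is a placeholder."""
    t = tlv(0x18, b"20190820084800Z")                                    # GeneralizedTime
    singles = [seq(cert_id(s), b"\x80\x00", t) for s in serials]          # good = [0] IMPLICIT NULL
    tbs = seq(tlv(0xA2, tlv(0x04, KEY_HASH)), t, seq(*singles))           # responderID byKey
    sig_alg = seq(bytes.fromhex("06092a864886f70d01010b"), b"\x05\x00")  # sha256WithRSAEncryption
    basic = seq(tbs, sig_alg, tlv(0x03, b"\x00" * 9))                    # BIT STRING placeholder
    rb = seq(bytes.fromhex("06092b0601050507300101"), tlv(0x04, basic))  # id-pkix-ocsp-basic
    return seq(b"\x0a\x01\x00", tlv(0xA0, rb))                            # successful(0)

if __name__ == "__main__":
    req = build_request(0x1234ABCD)
    print("answers requested cert:", response_answers_request(req, build_response([0x1234ABCD])))  # True
    print("answers other cert    :", response_answers_request(req, build_response([0xDEADBEEF])))  # False
```

The subset test (rather than equality) is deliberate: RFC 6960 lets a responder include more SingleResponses than were asked for, so extra entries are fine, but every requested CertID must be present. A client that only looks at certStatus, as many do, would have accepted the mismatched cached responses described above.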