URL encoding for OCSP responder requests is broken #7183

@azerbe

Description

Observed behavior

NATS does not properly encode the requests to an OCSP responder when doing revocation checks against a PKI. The base64-encoded certificate was missing. This can lead to problematic characters in the URL and failed revocation checks.

Expected behavior

NATS correctly encodes the request in the X.690 format as specified here: https://datatracker.ietf.org/doc/html/rfc6960#appendix-A.1

This is part of the ADR-38: OCSP Peer Verification feature.

Server and client version

NATS Version: 2.11.8

Host environment

NATS is running on Kubernetes in a single cluster with multiple servers, but that is irrelevant for this issue.

Steps to reproduce

  1. Enable OCSP in the config and add the ocsp_peer config, as described in the ADR-38 document.
  2. Verify the requests on the PKI side. I know this is not easy to replicate, but I have attached some screenshots of logs that show the incoming requests in detail.

[Screenshot: PKI-side logs showing the incoming OCSP requests]

The two requests at the bottom are from NATS, and you can see the `/` in the request URL.
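Added example, not code from the NATS project or from the issue reporter: it shows the encoding that RFC 6960 Appendix A.1 prescribes for an OCSP GET request, with the broken form (raw base64 appended to the responder URL, which is what the screenshots describe) beside the corrected one. The OCSPRequest DER is built with Go's standard `encoding/asn1`. The responder URL, the two issuer hashes and the serial number are constructed placeholders; the hash bytes are deliberately chosen so that the base64 output is guaranteed to contain `/` and `+`.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/base64"
	"fmt"
	"math/big"
	"net/url"
	"strings"
)

// ASN.1 shape of an unsigned OCSPRequest (RFC 6960 section 4.1.1) with one
// CertID and no extensions. Field names follow the RFC.
type certID struct {
	HashAlgorithm  pkix.AlgorithmIdentifier
	IssuerNameHash []byte
	IssuerKeyHash  []byte
	SerialNumber   *big.Int
}

type singleRequest struct {
	ReqCert certID
}

type tbsRequest struct {
	Version     int `asn1:"explicit,tag:0,optional,default:0"`
	RequestList []singleRequest
}

type ocspRequest struct {
	TBSRequest tbsRequest
}

var oidSHA1 = asn1.ObjectIdentifier{1, 3, 14, 3, 2, 26}

// Constructed sample input (not a real CA). The two 20-byte values stand in for
// the SHA-1 digests of the issuer name and issuer key; 0xff and 0xfb are chosen
// because any 3-byte group of them base64-encodes to "////" and "+/v7", so the
// raw base64 is guaranteed to contain both '/' and '+'.
var (
	sampleResponder      = "http://ocsp.example.test/ocsp"
	sampleIssuerNameHash = []byte(strings.Repeat("\xff", 20))
	sampleIssuerKeyHash  = []byte(strings.Repeat("\xfb", 20))
	sampleSerial         = big.NewInt(0x1337)
)

// buildOCSPRequest DER-encodes (X.690) an OCSPRequest for one certificate.
func buildOCSPRequest(issuerNameHash, issuerKeyHash []byte, serial *big.Int) ([]byte, error) {
	req := ocspRequest{TBSRequest: tbsRequest{RequestList: []singleRequest{{ReqCert: certID{
		HashAlgorithm:  pkix.AlgorithmIdentifier{Algorithm: oidSHA1, Parameters: asn1.NullRawValue},
		IssuerNameHash: issuerNameHash,
		IssuerKeyHash:  issuerKeyHash,
		SerialNumber:   serial,
	}}}}}
	return asn1.Marshal(req)
}

// ocspGETURLNaive is the broken form: the raw base64 is appended to the
// responder URL, so '/', '+' and '=' land unescaped in the path.
func ocspGETURLNaive(responder string, der []byte) string {
	return strings.TrimRight(responder, "/") + "/" + base64.StdEncoding.EncodeToString(der)
}

// escapePathSegment percent-encodes every byte outside the RFC 3986 unreserved
// set (ALPHA / DIGIT / "-" / "." / "_" / "~"). Unlike url.PathEscape, which
// leaves '+' and '=' alone, this also escapes the base64 alphabet's '+', '/'
// and '=' so the segment decodes the same way under any decoder.
func escapePathSegment(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case 'A' <= c && c <= 'Z', 'a' <= c && c <= 'z', '0' <= c && c <= '9',
			c == '-', c == '.', c == '_', c == '~':
			b.WriteByte(c)
		default:
			fmt.Fprintf(&b, "%%%02X", c)
		}
	}
	return b.String()
}

// ocspGETURL builds the request URL per RFC 6960 Appendix A.1:
// {url}/{url-encoding of base64 encoding of the DER encoding of the OCSPRequest}.
func ocspGETURL(responder string, der []byte) string {
	return strings.TrimRight(responder, "/") + "/" + escapePathSegment(base64.StdEncoding.EncodeToString(der))
}

// decodeOCSPGETSegment is the responder's side: percent-decode the last path
// segment, then base64-decode it back to the DER OCSPRequest.
func decodeOCSPGETSegment(segment string) ([]byte, error) {
	b64, err := url.PathUnescape(segment)
	if err != nil {
		return nil, err
	}
	return base64.StdEncoding.DecodeString(b64)
}

func main() {
	der, err := buildOCSPRequest(sampleIssuerNameHash, sampleIssuerKeyHash, sampleSerial)
	if err != nil {
		panic(err)
	}
	fmt.Println("naive:", ocspGETURLNaive(sampleResponder, der))
	fmt.Println("fixed:", ocspGETURL(sampleResponder, der))
}
```

The practical check when verifying a client against a responder log is that the last path segment must contain no raw `/`, `+` or `=`. Go's `url.PathEscape` is not enough on its own: it escapes `/` but leaves `+` and `=` in place, and a responder or proxy that applies query-style decoding turns a raw `+` into a space, after which the base64 no longer decodes. Escaping everything outside the unreserved set, as above, makes the segment decode identically under both path-style and query-style decoding.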

Labels: defect (suspected defect such as a bug or regression)