Some certificate chain validations fail with 'Certificate does not specify OCSP responder'

Description

When Spark connects to a server using TLS, it will validate the certificate chain that's presented by the server.

One of the validation checks that are performed makes sure that the certificate has not been revoked by the original issuer. One of the mechanisms that can be used for this is OCSP.

When servers present a certificate chain that is 'complete' (a chain that includes all certificates, including the leaf/end-entity and root CA certificate), then OCSP validation in Spark fails with this error: "Certificate does not specify OCSP responder"

The cause for this is that the entire chain is being validated, including the root CA certificate / trust anchor. Root certificates do not contain CRL and OCSP links, and should be excluded. See https://stackoverflow.com/a/38128883
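
One way to apply the exclusion described above, as an added example (not Spark's own code): drop any certificate that is itself a trust anchor from the presented chain before running PKIX validation with revocation checking. The class and method names are hypothetical, and the chain is assumed to be ordered leaf first.

```java
import java.security.GeneralSecurityException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

// Hypothetical helper class, written for this illustration only.
public class OcspChainValidation {

    /** Returns the presented chain minus every certificate that is a configured trust anchor. */
    static List<X509Certificate> withoutTrustAnchors(List<X509Certificate> presented,
                                                     Set<TrustAnchor> anchors) {
        List<X509Certificate> path = new ArrayList<>();
        for (X509Certificate cert : presented) {
            // getTrustedCert() is null for anchors given as name + key; equals(null) is false.
            boolean isAnchor = anchors.stream().anyMatch(a -> cert.equals(a.getTrustedCert()));
            if (!isAnchor) {
                path.add(cert);
            }
        }
        return path;
    }

    /** Validates leaf and intermediates, with revocation checks, against the trust anchors. */
    static PKIXCertPathValidatorResult validate(List<X509Certificate> presented,
                                                Set<TrustAnchor> anchors)
            throws GeneralSecurityException {
        List<X509Certificate> path = withoutTrustAnchors(presented, anchors);
        if (path.isEmpty()) {
            // Never hand an empty path to the validator: there is nothing left to vouch for.
            throw new CertPathValidatorException("No end-entity certificate left to validate");
        }
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXParameters params = new PKIXParameters(anchors);
        // The default revocation checker prefers OCSP; it now only sees certificates
        // that were issued by a CA, never the root itself.
        params.addCertPathChecker((PKIXRevocationChecker) validator.getRevocationChecker());
        return (PKIXCertPathValidatorResult) validator.validate(certPath, params);
    }
}
```

Only certificates that match a configured trust anchor are removed, so a root sent by the server that is not in the trust store stays in the path and still causes validation to fail.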

Environment

None

Acceptance Test - Entry

None

Assignee

Guus der Kinderen

Reporter

Guus der Kinderen

Labels

None

Expected Effort

None

Ignite Forum URL

None

Components

Fix versions

Affects versions

Priority

Critical