
A successfully fetched but unusable OCSP response prevents fetching other OCSP responses #21

Open
atmenta opened this issue Sep 24, 2019 · 1 comment

Comments


atmenta commented Sep 24, 2019

ocsp_client.fetch returns the first successfully fetched OCSP response:

```python
# Imports this fragment relies on (assumed to match certvalidator's ocsp_client.py)
from urllib.request import Request, urlopen
from urllib.error import URLError
from asn1crypto import ocsp
from certvalidator import errors

for ocsp_url in cert.ocsp_urls:
    try:
        request = Request(ocsp_url)
        request.add_header('Accept', 'application/ocsp-response')
        request.add_header('Content-Type', 'application/ocsp-request')
        request.add_header('User-Agent', user_agent)
        response = urlopen(request, ocsp_request.dump(), timeout)
        ocsp_response = ocsp.OCSPResponse.load(response.read())
        request_nonce = ocsp_request.nonce_value
        response_nonce = ocsp_response.nonce_value
        if request_nonce and response_nonce and request_nonce.native != response_nonce.native:
            raise errors.OCSPValidationError(
                'Unable to verify OCSP response since the request and response nonces do not match'
            )
        # The first response that parses and passes the nonce check is returned;
        # any remaining URLs in cert.ocsp_urls are never tried.
        return ocsp_response
    except (URLError) as e:
        # Only network/HTTP failures move on to the next URL.
        last_e = e
```

This is the only response which is available for callers: ValidationContext.retrieve_ocsps and in turn validate.verify_ocsp_response. Processing of the response happens in the latter of those. If the revocation status of the certificate cannot be determined successfully from that response, at that point there is no way to fetch a new OCSP response, even if that response was not fetched from the last URL from cert.ocsp_urls (i.e. there are more URLs which could be used to fetch OCSP responses from).

To potentially utilize responses from all OCSP responders referenced by the certificate without wastefully fetching responses which later may prove to be unneeded, one could refactor ocsp_client.fetch and ValidationContext.retrieve_ocsps to become generators yielding "a list of" OCSP responses one by one.
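The generator refactor suggested above, as an added example that is not part of this issue or of certvalidator's own code: network access and asn1crypto parsing are replaced by an injected `fetch_fn` and an `OcspReply` stand-in (both assumed names, with constructed responder data), so the control flow can be run offline. A reply that is fetched and passes the nonce check is yielded rather than returned, so the caller can move on to the next responder when that reply turns out to be unusable.

```python
from dataclasses import dataclass
from typing import Callable, Iterator, Optional

class FetchError(Exception):
    """Stand-in for urllib's URLError (network or HTTP failure)."""

class OCSPValidationError(Exception):
    """Stand-in for certvalidator.errors.OCSPValidationError."""

@dataclass
class OcspReply:
    """Minimal stand-in for an asn1crypto OCSPResponse (constructed, not real DER)."""
    nonce: Optional[bytes]
    cert_status: str  # 'good', 'revoked' or 'unknown'

def fetch_all(ocsp_urls, request_nonce, fetch_fn: Callable[[str], OcspReply]) -> Iterator[OcspReply]:
    """Yield each responder's reply in turn instead of returning on the first one.

    Same per-URL steps as the loop in ocsp_client.fetch; network errors and nonce
    mismatches skip to the next URL instead of ending the whole fetch.
    """
    for url in ocsp_urls:
        try:
            reply = fetch_fn(url)
            if request_nonce and reply.nonce and request_nonce != reply.nonce:
                raise OCSPValidationError('nonce mismatch for ' + url)
            yield reply
        except (FetchError, OCSPValidationError):
            continue  # try the next responder

def determine_status(ocsp_urls, request_nonce, fetch_fn) -> Optional[str]:
    """Consume replies until one gives a definitive status ('good' or 'revoked')."""
    for reply in fetch_all(ocsp_urls, request_nonce, fetch_fn):
        if reply.cert_status in ('good', 'revoked'):
            return reply.cert_status
        # 'unknown' was fetched fine but is unusable: fall through to the next reply
    return None

# Constructed responder behaviour keyed by URL (stands in for real HTTP POSTs).
NONCE = b'\x01\x02'
SAMPLE_RESPONDERS = {
    'http://ocsp-a.example': OcspReply(nonce=NONCE, cert_status='unknown'),  # fetched, unusable
    'http://ocsp-b.example': FetchError('connection refused'),
    'http://ocsp-c.example': OcspReply(nonce=b'\xff', cert_status='good'),  # nonce mismatch
    'http://ocsp-d.example': OcspReply(nonce=NONCE, cert_status='good'),
}

def sample_fetch(url: str) -> OcspReply:
    result = SAMPLE_RESPONDERS[url]
    if isinstance(result, Exception):
        raise result
    return result
```

With the current return-on-first behaviour only the 'unknown' reply from the first URL would ever be seen; with the generator, `determine_status` reaches the fourth responder and gets 'good'.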

wbond (Owner) commented Sep 24, 2019

Yes, it does seem that currently it will short circuit and fail if for some reason the first OCSP response is invalid.
