Enhancements and Optimizations

• Added charon.ocsp_nonce_len setting that allows specifying the length of nonce values in OCSP requests. Since 5.9.12, the default length is set to 32 bytes, as required by RFC 8954 for newer clients. However, there might be older OCSP servers that don't support that, in which case reducing the length to e.g. 16, which was the previous default, might be necessary (f3af1704d94ed1db5277151d17e0d2661970d3a8).
• OCSP error responses are now dropped immediately instead of trying to verify a non-existent signature (b3e66aca5c4af3721489ff7d934d90bc5108e12b, e7a58f46f97583a532b481bb1805aeb5208af565).
• pki --ocsp --respond replies with an internal error OCSP response if no signer certificate is found (e.g. if the request is sent to the wrong server) instead of failing silently (945be4ece57d92d9c3011efbdf9f27dd60279bc1).

Fixes

• Fixed a regression with handling OCSP error responses that was introduced with 5.9.12 (#2011, 585c40095a3a92e058c5d1d61137232f17f72195, 9c4846cdbe61af324f44f7e59a9e209fef112157).
• Added missing environment variables for cert-install-ssl cert-enroll script script (da45cf9f38207af7dced1762747c2d79ef3a3d02).

Refer to the 5.9.13 milestone for a list of all closed issues and pull requests.