https://bz.apache.org/bugzilla/show_bug.cgi?id=60457
Bug ID: 60457
Summary: SSLOCSPEnable setting is not inherited from server config into vhost config
Product: Apache httpd-2
Version: 2.4.23
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: mod_ssl
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
Created attachment 34508
--> https://bz.apache.org/bugzilla/attachment.cgi?id=34508&action=edit
patch proposal
When SSLOCSPEnable is set to On in the global/server configuration, it is not
inherited by VirtualHosts. If I move the configurations inside the VirtualHost,
the failure happens as expected and the SSL handshake is not completed. A patch
is attached that works for me. The patch was generated for 2.4.23.
Reproducer:
This is a simplified reproducer that does not actually perform an OCSP check, but
you can see in the logging that it at least gets into the OCSP code:
1. Install httpd and mod_ssl
2. Add the following configurations in ssl.conf but outside of the VirtualHost.
I did have to create a CA and client cert, but the Responder URL goes
nowhere.
SSLCACertificateFile /tmp/cacert.crt
SSLVerifyClient require
SSLVerifyDepth 1
SSLOCSPEnable On
SSLOCSPDefaultResponder http://localhost:9999/
SSLOCSPOverrideResponder On
3. Send a request with a certificate signed by /tmp/cacert.crt
# curl -I -E ./cert.crt:test --key ./privkey.key -k https://localhost/
HTTP/1.1 200 OK
4. The request above succeeds but should not, because the OCSP responder is
unreachable and the cert cannot be validated.
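As an added example (not part of this bug report or of the attached patch), a small audit script that parses an httpd configuration and lists the SSL vhosts exposed by this behaviour: those with SSLEngine on that carry no SSLOCSPEnable of their own while the global scope sets it to On. The sample configuration and the vhost names in it are constructed to mirror the reproducer above.

```python
import re

# Constructed sample: SSLOCSPEnable On sits in the global scope (as in the
# reproducer) and the first vhost relies on inheriting it; the second one
# repeats the directive explicitly and is therefore not affected.
SAMPLE_CONF = """\
SSLCACertificateFile /tmp/cacert.crt
SSLVerifyClient require
SSLVerifyDepth 1
SSLOCSPEnable On
SSLOCSPDefaultResponder http://localhost:9999/
SSLOCSPOverrideResponder On

<VirtualHost _default_:443>
    ServerName www.example.test
    SSLEngine on
</VirtualHost>

<VirtualHost *:443>
    ServerName api.example.test
    SSLEngine on
    SSLOCSPEnable On
</VirtualHost>
"""

# httpd directive and section names are case-insensitive.
_VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I)
_VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.I)
_DIRECTIVE = re.compile(r"^\s*(SSLEngine|SSLOCSPEnable)\s+(\S+)", re.I)

def vhosts_relying_on_inherited_ocsp(conf_text):
    """Return the address specs of SSL vhosts that set no SSLOCSPEnable themselves
    while the global scope sets it On, i.e. the vhosts this bug silently affects."""
    global_ocsp = None
    current = None          # (address spec, directives seen so far) inside a vhost
    vhosts = []
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):   # skip comment lines
            continue
        if m := _VHOST_OPEN.match(line):
            current = (m.group(1).strip(), {})
        elif _VHOST_CLOSE.match(line) and current is not None:
            vhosts.append(current)
            current = None
        elif m := _DIRECTIVE.match(line):
            key, val = m.group(1).lower(), m.group(2).lower()
            if current is None:
                if key == "sslocspenable":
                    global_ocsp = val
            else:
                current[1][key] = val
    if global_ocsp != "on":
        return []
    return [addr for addr, d in vhosts
            if d.get("sslengine") == "on" and "sslocspenable" not in d]

if __name__ == "__main__":
    for addr in vhosts_relying_on_inherited_ocsp(SAMPLE_CONF):
        print(f"vhost {addr}: no explicit SSLOCSPEnable, inherits from global scope")
```

Until the fix is deployed, repeating SSLOCSPEnable On inside each flagged vhost restores the intended OCSP check.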