https://bz.apache.org/bugzilla/show_bug.cgi?id=66677

            Bug ID: 66677
           Summary: Enable OCSP https URI
           Product: Apache httpd-2
           Version: 2.4.57
          Hardware: All
                OS: All
            Status: NEW
          Severity: minor
          Priority: P2
         Component: mod_ssl
          Assignee: bugs@httpd.apache.org
          Reporter: d.schiaroli....@gmail.com
  Target Milestone: ---

At this moment, certificates without the http scheme as OCSP responder URI,
including https, can't be verified. This is probably following "Baseline
Requirements for the Issuance and Management of Publicly-Trusted Certificates"
section 7.1.2.2c.

This is an excess of caution in my opinion, because it implies that OCSP
responders may all be under an insecure HTTP environment.

Furthermore, RFC 6960 says that "Where privacy is a requirement, OCSP
transactions exchanged using HTTP MAY be protected using either Transport Layer
Security/Secure Socket Layer (TLS/SSL) or some other lower-layer protocol."

This is the line of code that denies the OCSP responder https URI:

    if (ap_cstr_casecmp(u->scheme, "http") != 0) {
        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, rv, c, APLOGNO(01920)
                      "cannot handle OCSP responder URI '%s'", s);
        return NULL;
    }
