https://bz.apache.org/bugzilla/show_bug.cgi?id=66677
Bug ID: 66677
Summary: Enable OCSP https URI
Product: Apache httpd-2
Version: 2.4.57
Hardware: All
OS: All
Status: NEW
Severity: minor
Priority: P2
Component: mod_ssl
Assignee: bugs@httpd.apache.org
Reporter: d.schiaroli....@gmail.com
Target Milestone: ---

At this moment, a certificate without the http scheme as OCSP responder URI, including https, can't be verified.

This is probably following "Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates" section 7.1.2.2c. This is an excess of caution in my opinion, because it implies that OCSP responders may all be under an unsecure http environment.

Furthermore, RFC 6960 says that "Where privacy is a requirement, OCSP transactions exchanged using HTTP MAY be protected using either Transport Layer Security/Secure Socket Layer (TLS/SSL) or some other lower-layer protocol."

This is the line of code that denies the OCSP responder https URI:

    if (ap_cstr_casecmp(u->scheme, "http") != 0) {
        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, rv, c, APLOGNO(01920)
                      "cannot handle OCSP responder URI '%s'", s);
        return NULL;
    }
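
To see which certificates are affected by the check quoted above, the following script lists each OCSP responder URI in a PEM certificate and says whether that scheme test would accept it. It is an added example, not part of the bug report and not httpd code; the function names classify_ocsp_uri and audit_cert are made up for illustration, and treating a URI with no scheme as rejected is an assumption.

```shell
#!/bin/sh
# Added example, not httpd code. It mirrors only the scheme test quoted in
# the report: ap_cstr_casecmp(u->scheme, "http") != 0 -> URI is rejected.

# Print "accepted" or "rejected" for one responder URI.
classify_ocsp_uri() {
    uri=$1
    case $uri in
        *://*) scheme=${uri%%://*} ;;   # text before the first "://"
        *)     scheme= ;;               # assumption: no scheme means rejected
    esac
    # ap_cstr_casecmp compares case-insensitively, so fold to lower case.
    scheme=$(printf '%s' "$scheme" | tr '[:upper:]' '[:lower:]')
    if [ "$scheme" = "http" ]; then
        echo accepted
    else
        echo rejected
    fi
}

# Print "file<TAB>verdict<TAB>uri" for every OCSP responder URI in a PEM
# certificate. Needs the openssl CLI; "x509 -ocsp_uri" prints the OCSP
# responder addresses from the certificate, one per line.
audit_cert() {
    openssl x509 -noout -ocsp_uri -in "$1" | while IFS= read -r uri; do
        [ -n "$uri" ] || continue
        printf '%s\t%s\t%s\n' "$1" "$(classify_ocsp_uri "$uri")" "$uri"
    done
}

# Audit every certificate file named on the command line.
for cert in "$@"; do
    audit_cert "$cert"
done
```

Run it with one or more PEM certificate files as arguments; any line marked "rejected" is a responder URI that produces the AH01920 debug message shown in the report.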