Forwarded from apa...@apache.org. If you choose to respond, please respond to the original sender.
BKP

---------- Forwarded message ---------
From: <wh...@mail.ustc.edu.cn>
Date: Tue, Jun 24, 2025 at 8:05 AM
Subject: OCSP Stapling Issues Observed in Apache (2.4.58)
To: apa...@apache.org <apa...@apache.org>

Dear Apache HTTP Server Team,

I am a graduate student at the School of Cyber Science and Technology, University of Science and Technology of China. During our experimental analysis of TLS implementations, we observed several potential issues related to the OCSP Stapling mechanism in Apache. I would like to share the findings with you in the hope that they may help improve the robustness and security of the server.

Findings:

1. No Prefetching of OCSP Responses: Apache does not prefetch OCSP responses ahead of time. Instead, it initiates OCSP requests only when a client attempts to establish a connection. This behavior can introduce noticeable delays during the TLS handshake, particularly when the OCSP responder is slow or unreachable.

2. Stale OCSP Responses Not Immediately Cleared: Once an OCSP response expires, Apache does not immediately remove it from the cache. The server may continue to serve the expired response for some time, potentially impacting clients that strictly validate OCSP timestamps.

3. Invalid Serial Numbers in OCSP Responses Accepted: Apache appears to accept and serve OCSP responses that contain certificate serial numbers which do not match the corresponding server certificate.

Additionally, we recommend that web servers enable OCSP stapling by default to increase its adoption. This is crucial for privacy protection and performance improvement, as most web administrators do not pay attention to this option. Alternatively, if a certificate includes the OCSP Must-Staple extension, OCSP stapling should be explicitly enforced; otherwise, browsers like Firefox may reject the connection.

Best regards,
University of Science and Technology of China
HengSheng Wang

--
Brian Proffitt
VP, Marketing & Publicity
VP, Conferences
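For readers who want to act on the report above, the following is a mod_ssl configuration that turns stapling on and tunes the responder-timeout and cache directives that relate to the three findings. It is an added example, not part of the forwarded message and not a configuration shipped by httpd; the hostname, certificate paths and cache size are placeholders, and the quoted defaults are those documented for mod_ssl in httpd 2.4.

```apache
# Added example (not from the report above): OCSP stapling in mod_ssl, httpd 2.4.
# Hostname, file paths and the shmcb cache size are assumptions.

# The stapling cache must be declared at global (server) scope, not inside a vhost.
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    # Leaf certificate followed by the intermediate(s): mod_ssl needs the issuer
    # certificate to build the OCSP request and to verify the response.
    SSLCertificateFile    /etc/ssl/certs/www.example.com-fullchain.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    # Stapling is off by default; this is the switch the report asks to be on.
    SSLUseStapling on

    # Finding 1: the OCSP fetch happens in the handshake path, so bound how long
    # a client can be kept waiting on a slow or unreachable responder
    # (seconds; default 10).
    SSLStaplingResponderTimeout 5

    # Finding 2: a good response is cached for this long before a fresh one is
    # fetched (seconds; default 3600). Keep it well below the responder's
    # nextUpdate interval so an expired response is not served from cache.
    SSLStaplingStandardCacheTimeout 1800

    # Reject responses whose producedAt is older than this many seconds
    # (default -1, no limit).
    SSLStaplingResponseMaxAge 86400

    # If the responder fails, staple nothing rather than an error status, and
    # retry after a short interval (seconds; default 600).
    SSLStaplingReturnResponderErrors off
    SSLStaplingErrorCacheTimeout 300
</VirtualHost>
```

To check the result from outside, run `openssl s_client -connect www.example.com:443 -status </dev/null` and read the "OCSP Response Data" section: the "Serial Number" in the single response should equal the serial of the served leaf certificate (finding 3), and "Next Update" should lie in the future (finding 2); "OCSP response: no response sent" means nothing was stapled. Note the trade-off with `SSLStaplingReturnResponderErrors off`: during a responder outage the server sends no staple at all, which a client enforcing a Must-Staple certificate, such as the Firefox case the report mentions, will treat as a failure.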