On 9/3/25 5:49 PM, Stefan Eissing via dev wrote:
> https://docs.digicert.com/en/whats-new/change-log/certcentral-change-log.html#digicert-ending-support-for-http-1-0-connections-for-ocsp-and-crl-certificate-status-verification-checks-619426
Thanks for the heads up.
>
> On rather short notice, they switch off HTTP/1.0 in their OCSP responder.
> That means our implementation of stapling in mod_ssl will no longer work, I
> assume.
Agreed. But as HTTP/1.1 is still accepted and we already set a host and
connection header it should be easy to fix:
Index: modules/ssl/ssl_util_ocsp.c
===================================================================
--- modules/ssl/ssl_util_ocsp.c (revision 1928174)
+++ modules/ssl/ssl_util_ocsp.c (working copy)
@@ -46,7 +46,7 @@
BIO_printf(bio, "http://%s:%d",
uri->hostname, uri->port);
}
- BIO_printf(bio, "%s%s%s HTTP/1.0\r\n"
+ BIO_printf(bio, "%s%s%s HTTP/1.1\r\n"
"Host: %s:%d\r\n"
"Content-Type: application/ocsp-request\r\n"
"Connection: close\r\n"
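Review bot: On the changed request line (`HTTP/1.0` to `HTTP/1.1`), the request now identifies an HTTP/1.1 client, so the responder is permitted to answer with `Transfer-Encoding: chunked` instead of a `Content-Length` body, which a 1.0 request would not trigger. The `Connection: close` header in the context lines covers connection persistence but not chunking. Before committing, please confirm that the response-reading side of ssl_util_ocsp.c either decodes a chunked body or fails cleanly on one, and state which in the commit message, since a mis-parsed OCSP response would silently leave stapling without a usable response.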
Regards
Rüdiger