Yes, I have that as well:
SSLVerifyClient require
SSLVerifyDepth 10

I also have FIPS enabled (not sure if that matters).

——————————————————————————

Quintin Ash | Senior Software Engineer

Tenable Network Security

7021 Columbia Gateway Drive, Suite 500

Columbia, MD 21046

q...@tenable.com

W: 443-545-2101 ext. 472

tenable.com <http://www.tenable.com/>


On Mon, Apr 17, 2023 at 1:51 PM Daniel Ferradal <dferra...@apache.org>
wrote:

> On Mon, 17 Apr 2023 at 17:29, Quintin Ash (<q...@tenable.com>)
> wrote:
>
>> Hello,
>>
>>
>> I am working with OCSP and SSL Stapling and I want to know if this case
>> is working as expected.
>>
>>
>> I am trying to connect to Apache and I have a certificate that is revoked
>> from the OCSP server. The OCSP server is responding as Revoked, but the
>> connection is not getting rejected. This is a case where I would suspect
>> that the connection should be rejected because the certificate is revoked,
>> but it is not happening.
>>
>>
>> Does anyone have experience with OCSP and SSL Stapling and is this
>> configured correctly?
>>
>>
>> Configuration:
>>
>> Apache 2.4.57
>>
>> OpenSSL 3.0.8
>>
>>
>> SSLOCSPEnable on
>>
>> SSLOCSPDefaultResponder http://x.x.x.x:41233
>>
>> SSLOCSPOverrideResponder on
>>
>>
>> Logs:
>>
>> [Thu Apr 13 10:42:14.734750 2023] [ssl:debug] [pid 1812:tid
>> 139698106267200] ssl_util_ocsp.c(97): [client x.x.x.x:60742] AH01973:
>> connecting to OCSP responder 'x.x.x.x:41233'
>>
>> [Thu Apr 13 10:42:14.734815 2023] [ssl:debug] [pid 1812:tid
>> 139698106267200] ssl_util_ocsp.c(125): [client x.x.x.x:60742] AH01975:
>> sending request to OCSP responder
>>
>> [Thu Apr 13 10:42:14.739728 2023] [ssl:debug] [pid 1812:tid
>> 139698106267200] ssl_util_ocsp.c(235): [client x.x.x.x:60742] AH01981: OCSP
>> response header: Content-type: application/ocsp-response
>>
>> [Thu Apr 13 10:42:14.739751 2023] [ssl:debug] [pid 1812:tid
>> 139698106267200] ssl_util_ocsp.c(235): [client x.x.x.x:60742] AH01981: OCSP
>> response header: Content-Length: 2273
>>
>> [Thu Apr 13 10:42:14.739756 2023] [ssl:debug] [pid 1812:tid
>> 139698106267200] ssl_util_ocsp.c(283): [client x.x.x.x:60742] AH01987: OCSP
>> response: got 2273 bytes, 2273 total
>>
>> [Thu Apr 13 10:42:14.741198 2023] [ssl:debug] [pid 1812:tid
>> 139698106267200] ssl_util_stapling.c(575): AH01942:
>> stapling_renew_response: query response received
>>
>> [Thu Apr 13 10:42:14.741644 2023] [ssl:error] [pid 1812:tid
>> 139698106267200] AH02969: stapling_check_response: response has certificate
>> status revoked (reason: n/a) for serial number xxxx
>>
>
> In the information you provide, you are at least missing the Location with:
>
> SSLVerifyClient require
>
> Do you have that?
>
>
> --
> Daniel Ferradal
> HTTPD Project
> #httpd help at Libera.Chat
>
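Added example, not part of the thread and not the configuration of either poster: a mod_ssl virtual host that shows the two OCSP paths side by side. The log lines quoted above come from ssl_util_stapling.c (AH01942 stapling_renew_response, AH02969 stapling_check_response), which is the stapling code that fetches the status of the server's own certificate to hand to clients; SSLOCSPEnable, by contrast, validates only the certificate chain presented by a client and so only has an effect once SSLVerifyClient is active for the request. Host names, file paths and the responder URL below are placeholders.

```apache
# Added example (not from the thread). Placeholder paths, host names and
# responder URL; adjust to the deployment.

# The stapling cache is global and must sit outside any <VirtualHost>.
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

<VirtualHost *:443>
    ServerName            www.example.com
    SSLEngine             on
    SSLCertificateFile    "/etc/ssl/certs/server.crt"
    SSLCertificateKeyFile "/etc/ssl/private/server.key"

    # Path 1: OCSP stapling. mod_ssl queries the responder named in the
    # server certificate (or SSLStaplingForceURL) for the status of
    # *this server's* certificate and staples the answer into the TLS
    # handshake. This is the code that logs AH01942 / AH02969; a
    # "revoked" result here describes the server certificate and does
    # not by itself reject any client connection.
    SSLUseStapling                  on
    SSLStaplingResponderTimeout     5
    SSLStaplingReturnResponderErrors off

    # Path 2: OCSP validation of client certificates. These directives
    # only take effect for certificates a client presents, which in
    # turn happens only where SSLVerifyClient is "require" or "optional".
    SSLCACertificateFile "/etc/ssl/certs/client-ca.pem"
    SSLVerifyClient      require
    SSLVerifyDepth       10
    SSLOCSPEnable        on
    # Placeholder internal responder, used for every client certificate
    # because SSLOCSPOverrideResponder ignores the AIA URL in the cert.
    SSLOCSPDefaultResponder  "http://ocsp.example.internal:41233"
    SSLOCSPOverrideResponder on

    LogLevel ssl:debug
</VirtualHost>
```

With this layout, a revoked client certificate shows up in the error log from the ssl_engine_ocsp.c / ssl_util_ocsp.c path during the handshake and the connection fails, whereas a revoked server certificate shows up from ssl_util_stapling.c, as in the quoted log, and only affects what gets stapled. SSLVerifyClient may equally be placed inside a <Location> block, as suggested in the reply, in which case the client-certificate check (and thus the OCSP lookup) is triggered by a renegotiation for requests under that path.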
