httpd-bugs mailing list archives

Subject DO NOT REPLY [Bug 49784] OCSP-validation fails with cert that validates correctly using OpenSSL directly
Date Thu, 19 Aug 2010 15:04:24 GMT

--- Comment #2 from ulf wahlqvist <> 2010-08-19 11:04:21 EDT ---


I'm trying to get Apache to do Client certificate verification with
It works without OCSP, but OCSP-validation fails when I turn it on.
OCSP-validation works when using OpenSSL directly from command-line.
The error is "OCSP_check_validity:status too old", but that doesn't make sense
because the clocks are within 2 seconds. 

Steps to Reproduce:

I use a card-based certificate issued by Telia for use by local government etc. 
I'm not using the OCSP-responder address in the certificate's "Authority Info
Access" (, because it is not reachable from my
system. However, the same responder is reachable using another address

I have verified that if I use openssl directly from command line it will verify
>openssl ocsp -issuer /usr/local/apache2/conf/SITHS_CA_v3.cer -CAfile 
>/usr/local/apache2/conf/SITHS_CA_v3.cer -cert /mnt/download/uwcert.cer 
>-text -url
Response verify OK
/mnt/download/uwcert.cer: good
        This Update: Jul 29 10:43:41 2010 GMT
        Next Update: Jul 30 10:43:45 2010 GMT


// Logfiles appended //

CASE 1/ If I set:
SSLOCSPDefaultResponder
SSLOCSPOverrideResponder on

The validation will fail with "SSL Library Error: error:2707307F:OCSP
routines:OCSP_check_validity:status too old". 
I have set GMT as the timezone and made sure that time is synchronized.
According to the log the time-stamp from my system and the OCSP-responder is
within 1 second.

CASE 2/ If I set:

The validation of the first cert in the chain will succeed but the second will
fail with "(110)Connection timed out: could not connect to OCSP responder
''". This is the expected behavior because my computer
does not have access to

CASE 3/ If I set:

- Try to authenticate - It will fail as in 2 above.
- Do NOT close the browser (IE, by the way)
- set: SSLOCSPDefaultResponder
SSLOCSPOverrideResponder on
- restart using apachectl graceful
- Retry to authenticate - It will now SUCCEED!

I discovered this by accident, but it is reproducible.


[root@fedoragui crl]# uname -a
Linux #1 SMP Thu May 27 03:11:56
UTC 2010 i686 i686 i386 GNU/Linux

[root@fedoragui logs]# httpd -v
Server version: Apache/2.3.6 (Unix)
Server built:   Jul 16 2010 15:31:39

[root@fedoragui logs]# openssl version
OpenSSL 1.0.0a-fips 1 Jun 2010

Apache configuration:
./configure --enable-ssl
