httpd-bugs mailing list archives

Subject DO NOT REPLY [Bug 50740] Enable OCSP Stapling by default
Date Tue, 07 Jun 2011 02:54:31 GMT

--- Comment #4 from Koichi Sugimoto 2011-06-07 02:54:31 UTC ---
I've now been investigating whether the stapling works correctly.
The build completed successfully and the apache process was invoked without error.
But when I access the apache via IE8 and firefox 3.5, no OCSP request comes
from the apache.

The browser's behaviour:
IE8 sends requests directly to the OCSP responder.
Firefox shows "Invalid OCSP signing certificate in OCSP response." and stops
the connection.

The following is my environment:
The version of the apache is httpd-2.3.12-beta.
The openssl version is 1.0.0.
The OS is CentOS 5.

The corresponding configuration has the following fields:
SSLStaplingCache dbm:/tmp/staples
SSLUseStapling on
SSLCACertificateFile "/usr/local/apache_ocsp/conf/server-ca.crt"

The following error log was generated by the apache:
[Mon Jun 06 19:01:50.275314 2011] [ssl:error] [pid 17404:tid 3075525520] stapling_check_response: response times invalid
[Mon Jun 06 19:01:50.275376 2011] [ssl:error] [pid 17404:tid 3075525520] stapling_renew_response: error in retreived response!
[Mon Jun 06 19:01:50.275394 2011] [ssl:error] [pid 17404:tid 3075525520] stapling_cache_response: OCSP response session store error!
[Mon Jun 06 19:01:50.275404 2011] [ssl:error] [pid 17404:tid 3075525520] stapling_renew_response: error caching response!

After that I've adjusted the machine time, but nothing changed.

Is there any code fix required?
Or some additional setting?
