httpd-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject [Bug 60457] New: SSLOCSPEnable setting is not inherited from server config into vhost config
Date Thu, 08 Dec 2016 19:33:07 GMT

            Bug ID: 60457
           Summary: SSLOCSPEnable setting is not inherited from server
                    config into vhost config
           Product: Apache httpd-2
           Version: 2.4.23
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl
  Target Milestone: ---

Created attachment 34508
patch proposal

When SSLOCSPEnable is set to On in global/server configuration, it is not
inherited by VirtualHosts. If I move the configurations inside the VirtualHost,
failure happens as expected and SSL handshake is not completed. A patch is
attached that works for me. Patch was generated for 2.4.23.


This is a simplified reproducer that does not actually perform OCSP check but
you can see logging where it at least gets into OCSP code:

1. Install httpd and mod_ssl
2. Add the following configurations in ssl.conf but outside of the VirtualHost.
I did have to create a CA and client cert but the Responder URL goes to

 SSLCACertificateFile /tmp/cacert.crt
 SSLVerifyClient require
 SSLVerifyDepth 1
 SSLOCSPDefaultResponder http://localhost:9999/
 SSLOCSPOverrideResponder On

3. Send request with a certificate signed by the /tmp/cacert.crt

 # curl -I -E ./cert.crt:test --key ./privkey.key -k https://localhost/
 HTTP/1.1 200 OK

4. The request above succeeds but should not because the OCSP responder is
unreachable and cert cannot be validated.

You are receiving this mail because:
You are the assignee for the bug.
To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message