httpd-bugs mailing list archives

From bugzi...@apache.org
Subject [Bug 60457] New: SSLOCSPEnable setting is not inherited from server config into vhost config
Date Thu, 08 Dec 2016 19:33:07 GMT
https://bz.apache.org/bugzilla/show_bug.cgi?id=60457

            Bug ID: 60457
           Summary: SSLOCSPEnable setting is not inherited from server
                    config into vhost config
           Product: Apache httpd-2
           Version: 2.4.23
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl
          Assignee: bugs@httpd.apache.org
          Reporter: rbost@redhat.com
  Target Milestone: ---

Created attachment 34508
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=34508&action=edit
patch proposal

When SSLOCSPEnable is set to On in the global/server configuration, it is not
inherited by VirtualHosts. If I move the configuration inside the VirtualHost,
the failure happens as expected and the SSL handshake is not completed. A patch
that works for me is attached. The patch was generated against 2.4.23.

Reproducer:

This is a simplified reproducer that does not actually perform an OCSP check,
but you can see from the logging that it at least gets into the OCSP code:

1. Install httpd and mod_ssl
2. Add the following configuration to ssl.conf, outside of the VirtualHost.
I did have to create a CA and a client cert, but the responder URL goes
nowhere.

 SSLCACertificateFile /tmp/cacert.crt
 SSLVerifyClient require
 SSLVerifyDepth 1
 SSLOCSPEnable On
 SSLOCSPDefaultResponder http://localhost:9999/
 SSLOCSPOverrideResponder On

3. Send request with a certificate signed by the /tmp/cacert.crt

 # curl -I -E ./cert.crt:test --key ./privkey.key -k https://localhost/
 HTTP/1.1 200 OK

4. The request above succeeds, but it should not, because the OCSP responder is
unreachable and the cert cannot be validated.


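Added example, not from the bug report or from the httpd project: a small configuration lint in Python that flags the layout described in the report, a VirtualHost that requires client certificates while SSLOCSPEnable On sits only in the server config. It parses plain httpd configuration text; it does not talk to httpd. The configuration snippets, hostnames and paths inside it are constructed for this example.

```python
"""Lint httpd config text for SSLOCSPEnable set only at server level.

Added example (not httpd's own code). Per bug 60457, on 2.4.23 a
server-level SSLOCSPEnable On is not inherited by VirtualHosts, so a
VirtualHost that requires client certificates accepts them without any
OCSP check unless the directive is repeated inside the VirtualHost.
"""

import re
from dataclasses import dataclass, field

_BLOCK_OPEN = re.compile(r"^<(\w+)\b([^>]*)>$")
_DIRECTIVE = re.compile(r"^(\S+)\s+(.+)$")


@dataclass
class Scope:
    """Directives set directly in one configuration scope (names lower-cased)."""
    name: str
    directives: dict = field(default_factory=dict)


def parse_config(text):
    """Return (server_scope, [vhost_scopes]).

    Only directives at server level or directly inside a <VirtualHost> are
    recorded; anything nested deeper (<Directory>, <Location>, <IfModule>)
    is skipped, as inheritance into those contexts is a separate question.
    """
    server = Scope("server config")
    vhosts = []
    stack = []        # names of currently open container blocks
    current = None    # Scope of the innermost open <VirtualHost>, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            if stack and stack.pop() == "virtualhost":
                current = None
            continue
        m = _BLOCK_OPEN.match(line)
        if m:
            tag = m.group(1).lower()
            stack.append(tag)
            if tag == "virtualhost":
                current = Scope("VirtualHost " + m.group(2).strip())
                vhosts.append(current)
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        name, value = m.group(1).lower(), m.group(2).strip()
        if not stack:
            server.directives[name] = value
        elif stack == ["virtualhost"] and current is not None:
            current.directives[name] = value
    return server, vhosts


def find_uninherited_ocsp(text):
    """One finding per VirtualHost that requires client certs but relies on
    a server-level SSLOCSPEnable On instead of setting it itself."""
    server, vhosts = parse_config(text)
    server_ocsp_on = server.directives.get("sslocspenable", "off").lower() == "on"
    findings = []
    for vh in vhosts:
        # SSLVerifyClient is read from the VirtualHost when set there,
        # otherwise from the server config.
        verify = vh.directives.get(
            "sslverifyclient", server.directives.get("sslverifyclient", "none")
        ).lower()
        if verify not in ("require", "optional"):
            continue
        if "sslocspenable" in vh.directives:
            continue  # set explicitly in the VirtualHost; that value is used
        if server_ocsp_on:
            findings.append(
                f"{vh.name}: SSLOCSPEnable On is set only in the server config; "
                "move it and the SSLOCSP* responder settings inside the "
                "VirtualHost so client certificates are actually checked."
            )
    return findings


# Constructed sample (hypothetical paths and hostnames): the report's layout,
# with the client-cert and OCSP directives outside the VirtualHost.
BROKEN_CONFIG = """
SSLCACertificateFile /etc/pki/tls/certs/cacert.crt
SSLVerifyClient require
SSLVerifyDepth 1
SSLOCSPEnable On
SSLOCSPDefaultResponder http://ocsp.example.test:9999/
SSLOCSPOverrideResponder On

<VirtualHost _default_:443>
    ServerName www.example.test
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/server.crt
    SSLCertificateKeyFile /etc/pki/tls/private/server.key
</VirtualHost>
"""

# Same settings moved inside the VirtualHost, the placement the report says works.
FIXED_CONFIG = """
<VirtualHost _default_:443>
    ServerName www.example.test
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/server.crt
    SSLCertificateKeyFile /etc/pki/tls/private/server.key
    SSLCACertificateFile /etc/pki/tls/certs/cacert.crt
    SSLVerifyClient require
    SSLVerifyDepth 1
    SSLOCSPEnable On
    SSLOCSPDefaultResponder http://ocsp.example.test:9999/
    SSLOCSPOverrideResponder On
</VirtualHost>
"""

if __name__ == "__main__":
    for cfg in (BROKEN_CONFIG, FIXED_CONFIG):
        print(find_uninherited_ocsp(cfg) or ["no findings"])
```

Run it against a real ssl.conf by reading the file into `find_uninherited_ocsp`; a non-empty result means the OCSP check is silently skipped for that VirtualHost on an affected build, which is exactly the silent-pass condition the reproducer's `curl` showed.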