httpd-users mailing list archives

From Joe Orton <jor...@redhat.com>
Subject Re: [users@httpd] OCSP-validation fails
Date Wed, 18 Aug 2010 16:14:32 GMT
On Tue, Aug 17, 2010 at 05:26:22PM +0200, Ulf Wahlqvist wrote:
> CASE 1/ If I set:
> SSLOCSPDefaultResponder http://ocsp.trust.telia.com
> SSLOCSPOverrideResponder on
> 
> The validation will fail with "SSL Library Error: error:2707307F:OCSP 
> routines:OCSP_check_validity:status too old"

Presuming this is not a system clock skew issue - mod_ssl enforces a max 
response age of 6 minutes at the moment.  This should be configurable 
but isn't; if you could file a bug on that it'd be great.

> CASE 3/ If I set:
> SSLOCSPDefaultResponder http://ocsp.trust.telia.com
> 
> - Try to authenticate - It will fail as in 2 above.
> - Do NOT close the browser (IE, by the way)
> - set:
> SSLOCSPDefaultResponder http://ocsp.trust.telia.com
> SSLOCSPOverrideResponder on
> - restart using apachectl graceful
> - Retry to authenticate - It will now SUCCEED!

You can reproduce this every time?  You have to misconfigure then 
reconfigure and restart the server to get it working?  Weird.

Regards, Joe

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
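
An added illustration, not part of the original message and not mod_ssl's code: a Python model of the freshness checks made by OpenSSL's `OCSP_check_validity()`, applied to `This Update` / `Next Update` values parsed from constructed text in the layout printed by `openssl ocsp -resp_text`. The 360-second maximum age is the 6-minute limit mentioned in the reply; the 60-second skew allowance and all function names are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

MAX_AGE = 360   # seconds: the 6-minute limit described in the reply
MAX_SKEW = 60   # seconds: assumed clock-skew allowance, not stated in the thread

# Constructed sample in the layout printed by `openssl ocsp -resp_text`.
SAMPLE = """\
    Cert Status: good
    This Update: Aug 17 15:00:00 2010 GMT
    Next Update: Aug 18 15:00:00 2010 GMT
"""

def parse_updates(text):
    """Return (thisUpdate, nextUpdate) as UTC datetimes; nextUpdate may be None."""
    found = {}
    for label, stamp in re.findall(r"(This|Next) Update: (.+?) GMT", text):
        parsed = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
        found[label] = parsed.replace(tzinfo=timezone.utc)
    if "This" not in found:
        raise ValueError("no thisUpdate field in response text")
    return found["This"], found.get("Next")

def check_validity(this_upd, next_upd, now, skew=MAX_SKEW, max_age=MAX_AGE):
    """Model of the OCSP_check_validity() checks; returns the list of failures."""
    errors = []
    if this_upd > now + timedelta(seconds=skew):
        errors.append("status not yet valid")
    # A negative max_age disables the age check, as in OpenSSL.
    if max_age >= 0 and this_upd < now - timedelta(seconds=max_age):
        errors.append("status too old")
    if next_upd is not None:
        if next_upd < now - timedelta(seconds=skew):
            errors.append("status expired")
        if next_upd < this_upd:
            errors.append("nextupdate before thisupdate")
    return errors

def diagnose(text, now):
    """Return (age of the response in seconds, list of failed checks)."""
    this_upd, next_upd = parse_updates(text)
    age = int((now - this_upd).total_seconds())
    return age, check_validity(this_upd, next_upd, now)

if __name__ == "__main__":
    # A pre-generated response fetched 25 minutes after it was produced.
    now = datetime(2010, 8, 17, 15, 25, tzinfo=timezone.utc)
    print(diagnose(SAMPLE, now))
```

A response that is still inside its `Next Update` window can fail on age alone, so comparing `This Update` against the server clock separates a stale pre-generated response from a clock-skew problem.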

