JBCS-241: SSLOCSPEnable setting is not inherited from server config into vhost config
Project: JBoss Core Services


    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • httpd 2.4.23 SP1 DR2
    • httpd 2.4.6 GA, httpd 2.4.23 CR4
    • httpd
    • None
    • Documentation (Ref Guide, User Guide, etc.), Release Notes
    • DR2
    • Workaround: Insert SSLOCSPEnable into each VirtualHost where you want OCSP.
    • Steps to reproduce:

      This is a simplified reproducer that does not actually perform an OCSP check, but you can see logging where it at least gets into the OCSP code:

      1. Install httpd and mod_ssl

      2. Add the following configuration to ssl.conf, outside of the VirtualHost. I did have to create a CA and a client cert, but the responder URL goes nowhere.

      SSLCACertificateFile /tmp/cacert.crt
      SSLVerifyClient require
      SSLVerifyDepth 1
      SSLOCSPEnable On
      SSLOCSPDefaultResponder http://localhost:9999/
      SSLOCSPOverrideResponder On
      

      3. Send a request with a certificate signed by /tmp/cacert.crt

      # curl -I -E ./cert.crt:test --key ./privkey.key -k https://localhost/
      HTTP/1.1 200 OK
      

      4. The request above succeeds but should not, because the OCSP responder is unreachable and the cert cannot be validated.


      When SSLOCSPEnable is set to On in the global/server configuration, it is not inherited by VirtualHosts.

      If I move the configuration inside the VirtualHost, the failure happens as expected and the SSL handshake is not completed.

      A patch is attached that works for me. The patch was generated for jbcs-httpd24-httpd-2.4.23-102.jbcs.el6.
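      The following is an added example, not code from this report, from JBCS, or from httpd: a small Python audit that parses an httpd/mod_ssl configuration and flags every SSL VirtualHost that relies on a server-level SSLOCSPEnable, i.e. the exact layout that fails on the affected builds. It also shows the workaround applied, since the second sample differs from the first only by the `SSLOCSPEnable On` line inside the vhost. The function names (`parse`, `audit`), the sample configs and the certificate paths in them are constructed for this example; only SSLOCSPEnable is treated as non-inherited, because that is the only directive this report establishes.

```python
"""Hypothetical audit for the JBCS-241 layout: SSLOCSPEnable set in the server
config but missing from an SSL VirtualHost.  Added example, not JBCS/httpd code."""
import re
from typing import Dict, List, Tuple

VHOST_OPEN = re.compile(r"^<virtualhost\s+([^>]+)>$", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"^</virtualhost>$", re.IGNORECASE)
Directives = Dict[str, str]


def parse(conf: str) -> Tuple[Directives, List[Tuple[str, Directives]]]:
    """Split a config into (server-config directives, [(vhost address, directives)]).

    Directive names are lower-cased because httpd matches them case-insensitively,
    and a repeated directive keeps its last value, as httpd does.  Other containers
    (<Directory>, <IfModule>, ...) are flattened into the enclosing scope, which is
    sufficient for server/vhost-context directives such as SSLOCSPEnable.
    """
    server: Directives = {}
    vhosts: List[Tuple[str, Directives]] = []
    current = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = VHOST_OPEN.match(line)
        if m:
            current = (m.group(1).strip(), {})
            continue
        if VHOST_CLOSE.match(line):
            if current is not None:
                vhosts.append(current)
            current = None
            continue
        if line.startswith("<"):
            continue  # other container open/close tags: flattened, see docstring
        parts = line.split(None, 1)
        scope = current[1] if current is not None else server
        scope[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return server, vhosts


def audit(conf: str) -> List[str]:
    """One finding per SSL VirtualHost that would only get SSLOCSPEnable by inheritance."""
    server, vhosts = parse(conf)
    if server.get("sslocspenable", "").lower() != "on":
        return []  # nothing set globally, so there is nothing to fail to inherit
    findings = []
    for addr, d in vhosts:
        if d.get("sslengine", server.get("sslengine", "off")).lower() != "on":
            continue  # plain-HTTP vhost: mod_ssl never runs here
        if "sslocspenable" in d:
            continue  # set explicitly in the vhost: the documented workaround
        verify = d.get("sslverifyclient", server.get("sslverifyclient", "none"))
        findings.append(
            f"<VirtualHost {addr}>: SSLOCSPEnable only in server config "
            f"(SSLVerifyClient {verify}); add 'SSLOCSPEnable On' inside the vhost"
        )
    return findings


# Constructed sample mirroring the reporter's layout: OCSP settings outside any
# VirtualHost.  Certificate paths are placeholders, not real files.
GLOBAL_ONLY_CONF = """
SSLCACertificateFile /tmp/cacert.crt
SSLVerifyClient require
SSLVerifyDepth 1
SSLOCSPEnable On
SSLOCSPDefaultResponder http://localhost:9999/
SSLOCSPOverrideResponder On
<VirtualHost *:80>
    DocumentRoot /var/www/html
</VirtualHost>
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile /tmp/server.crt
    SSLCertificateKeyFile /tmp/server.key
</VirtualHost>
"""

# The workaround from this report: the same config with SSLOCSPEnable repeated
# inside the SSL vhost.
PER_VHOST_CONF = GLOBAL_ONLY_CONF.replace(
    "    SSLEngine on\n", "    SSLEngine on\n    SSLOCSPEnable On\n"
)

if __name__ == "__main__":
    for label, conf in (("global-only", GLOBAL_ONLY_CONF), ("per-vhost", PER_VHOST_CONF)):
        print(label, audit(conf) or ["OK"])
```

      Run against the first sample the audit reports the `_default_:443` vhost and ignores the port-80 vhost; against the second it reports nothing. The parser deliberately ignores `Include` lines and other containers, so on a real deployment feed it the fully expanded configuration (for example the output of `httpd -t -DDUMP_CONFIG`, where your build supports it) rather than a single file.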

              George Zaronikas (gzaronik@redhat.com)
              Robert Bost (rhn-support-rbost)
              Karm