Uploaded image for project: 'JBoss Core Services'
  1. JBoss Core Services
  2. JBCS-241

SSLOCSPEnable setting is not inherited from server config into vhost config

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Major
    • httpd 2.4.23 SP1 DR2
    • httpd 2.4.6 GA, httpd 2.4.23 CR4
    • httpd
    • None
    • Documentation (Ref Guide, User Guide, etc.), Release Notes
    • DR2
    • Hide

      Insert SSLOCSPEnable into each VirtualHost where you want OCSP.

      Show
      Insert SSLOCSPEnable into each VirtualHost where you want OCSP.
    • Hide

      This is a simplified reproducer that does not actually perform OCSP check but you can see logging where it at least gets into OCSP code:

      1. Install httpd and mod_ssl

      2. Add the following configurations in ssl.conf but outside of the VirtualHost. I did have to create a CA and client cert but the Responder URL goes to nowhere.

      SSLCACertificateFile /tmp/cacert.crt
SSLVerifyClient require
SSLVerifyDepth 1
SSLOCSPEnable On
SSLOCSPDefaultResponder http://localhost:9999/
SSLOCSPOverrideResponder On

      3. Send request with a certificate signed by the /tmp/cacert.crt

      # curl -I -E ./cert.crt:test --key ./privkey.key -k https://localhost/
HTTP/1.1 200 OK

      4. The request above succeeds but should not because the OCSP responder is unreachable and cert cannot be validated.

      Show
      This is a simplified reproducer that does not actually perform OCSP check but you can see logging where it at least gets into OCSP code: 1. Install httpd and mod_ssl 2. Add the following configurations in ssl.conf but outside of the VirtualHost. I did have to create a CA and client cert but the Responder URL goes to nowhere. SSLCACertificateFile /tmp/cacert.crt SSLVerifyClient require SSLVerifyDepth 1 SSLOCSPEnable On SSLOCSPDefaultResponder http: //localhost:9999/ SSLOCSPOverrideResponder On 3. Send request with a certificate signed by the /tmp/cacert.crt # curl -I -E ./cert.crt:test --key ./privkey.key -k https: //localhost/ HTTP/1.1 200 OK 4. The request above succeeds but should not because the OCSP responder is unreachable and cert cannot be validated.

    Description

      When SSLOCSPEnable is set to On in global/server configuration, it is not inherited by VirtualHosts.

      If I move the configurations inside the VirtualHost, failure happens as expected and SSL handshake is not completed.

      A patch is attached that works for me. Patch was generated for jbcs-httpd24-httpd-2.4.23-102.jbcs.el6

      Attachments

        Issue Links

          clones

          Bug - A problem that impairs or prevents the functions of the product. JWS-613 SSLOCSPEnable setting is not inherited from server config into vhost config

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          is related to

          Bug - A problem that impairs or prevents the functions of the product. JBCS-539 SSLOCSPEnable setting is not inherited from server config into vhost config

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed

          Activity

            People

              gzaronik@redhat.com George Zaronikas
              rhn-support-rbost Robert Bost
              Michal Karm Michal Karm
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: