JWS-613: SSLOCSPEnable setting is not inherited from server config into vhost config


    • Type: Bug
    • Resolution: Won't Do
    • Priority: Major
    • Affects Version/s: JWS 3.0.3 GA, JWS 3.1.0 CR2
    • Component/s: httpd
    • Documentation (Ref Guide, User Guide, etc.), Release Notes
    • Workaround: Insert SSLOCSPEnable into each VirtualHost where you want OCSP.
    • Steps to Reproduce:

      This is a simplified reproducer that does not actually perform an OCSP check, but you can see logging where it at least gets into the OCSP code:

      1. Install httpd and mod_ssl.

      2. Add the following configuration to ssl.conf, outside of the VirtualHost. I did have to create a CA and a client cert, but the Responder URL goes nowhere.

      SSLCACertificateFile /tmp/cacert.crt
      SSLVerifyClient require
      SSLVerifyDepth 1
      SSLOCSPEnable On
      SSLOCSPDefaultResponder http://localhost:9999/
      SSLOCSPOverrideResponder On

      3. Send a request with a certificate signed by /tmp/cacert.crt:

      # curl -I -E ./cert.crt:test --key ./privkey.key -k https://localhost/
      HTTP/1.1 200 OK

      4. The request above succeeds but should not, because the OCSP responder is unreachable and the cert cannot be validated.

      When SSLOCSPEnable is set to On in global/server configuration, it is not inherited by VirtualHosts.

      If I move the configuration inside the VirtualHost, the failure happens as expected and the SSL handshake is not completed.

      A patch is attached that works for me. The patch was generated for jbcs-httpd24-httpd-2.4.23-102.jbcs.el6.
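      As an added example (not the reporter's patch or anything attached to this issue), a small Python lint that parses an httpd config and reports SSL VirtualHosts that rely on a server-level SSLOCSPEnable; the sample config text, the VirtualHost addresses and the simplified single-line directive parsing are assumptions of this example, not part of the issue.

```python
"""JWS-613 lint: a server-level SSLOCSPEnable is not inherited by <VirtualHost>,
so every SSL vhost that needs OCSP must carry its own SSLOCSPEnable On."""
import re

_OPEN = re.compile(r"^<VirtualHost\s+([^>]+)>$", re.I)
_CLOSE = re.compile(r"^</VirtualHost>$", re.I)

def parse_config(text):
    """Return (server-level directives, [(vhost address, directives), ...]).
    Names are lower-cased; sections other than <VirtualHost> are flattened."""
    server, vhosts, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := _OPEN.match(line):
            current = (m.group(1).strip(), {})
            vhosts.append(current)
        elif _CLOSE.match(line):
            current = None
        elif not line.startswith("<"):  # plain "Directive value" line
            name, _, value = line.replace("\t", " ").partition(" ")
            (current[1] if current else server)[name.lower()] = value.strip()
    return server, vhosts

def vhosts_missing_ocsp(text):
    """Addresses of SSL vhosts that rely on the non-inherited server-level
    SSLOCSPEnable and would therefore skip the OCSP revocation check."""
    server, vhosts = parse_config(text)
    if server.get("sslocspenable", "off").lower() != "on":
        return []  # OCSP not requested globally, so nothing is missing
    return [addr for addr, d in vhosts
            if d.get("sslengine", "off").lower() == "on"
            and d.get("sslocspenable", "").lower() != "on"]

# Constructed sample mirroring the reproducer: OCSP directives outside the vhost.
SAMPLE_CONF = """\
SSLCACertificateFile /tmp/cacert.crt
SSLVerifyClient require
SSLOCSPEnable On
SSLOCSPDefaultResponder http://localhost:9999/
<VirtualHost _default_:443>
    SSLEngine on
</VirtualHost>
<VirtualHost *:8443>
    SSLEngine on
    SSLOCSPEnable On
</VirtualHost>
"""
```

      Running vhosts_missing_ocsp(SAMPLE_CONF) reports only _default_:443, the vhost that would pass the reproducer's request without a revocation check; the *:8443 vhost applies the workaround and is not reported.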

            Jean-Frederic Clere (rhn-engineering-jclere)
            Robert Bost (rhn-support-rbost)
            Michal Karm