Summary: Configuration of trusted OCSP responder certificates
Product: Apache httpd-2
Component: mod_ssl
Severity: normal
Reporter: Dr Stephen Henson <steve>
Assignee: Apache HTTPD Bugs Mailing List <bugs>
CC: drwilson66, jeremy, jfclere, szg0000, thijs

Attachments:
- Add SSLOCSPResponderCertificateFile option.
- Documentation of SSLOCSPResponderCertificateFile option
- Capability to Trust OCSP Responder Self-Signed Certificates
- Patch updated for 2.4.10 (and 2.4.23).
- 2.4.23 ocsp mod diff file
- 2.4.25 ocsp mod diff file
Description Dr Stephen Henson 2008-10-18 04:56:40 UTC
Created attachment 22754: Add SSLOCSPResponderCertificateFile option.

Some OCSP responders are configured to either exclude certificates in the response or use a certificate chain with no relationship to the CA(s) it covers, such as a self-signed certificate. Currently such responders cannot be used with mod_ssl because the responder certificate will fail verification. The attached patch fixes this issue by adding a new OCSPResponderCertificateFile option which contains PEM format certificates which are directly trusted. Question: is the initialisation and freeing in ssl_engine_init.c an appropriate place?
Comment 1 Dr Stephen Henson 2008-10-18 04:59:30 UTC
Created attachment 22755: Documentation of SSLOCSPResponderCertificateFile option
Comment 2 Stefan Fritsch 2011-06-19 18:26:09 UTC
As a reminder: AIUI, r1137398 (Don't do OCSP checks for valid self-issued certs) needs to be changed if this patch is committed.
Comment 3 Dennis Wilson 2013-07-24 12:31:03 UTC
Created attachment 30622: Capability to Trust OCSP Responder Self-Signed Certificates
Comment 4 Dennis Wilson 2013-07-24 12:34:46 UTC
This patch adds the capability to trust an OCSP responder certificate. This is similar to the openssl -VAfile option. This patch is a modification of the original submitted patch from 2008 so that it works with Apache 2.4.4. Prior to this we used a third party module, but this allows Apache to accomplish the same thing, eliminating the need for the third party module.
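An added configuration example, not taken from the bug report or any of the attached patches, showing where the directive discussed here fits in a client-certificate setup once it is available (it ships as SSLOCSPResponderCertificateFile in httpd 2.4.26 and later). The hostnames, file paths and responder URL are placeholders.

```apache
# Added illustration, not from the attached patches: a virtual host that
# authenticates clients by certificate and checks revocation via OCSP.
# All hostnames, paths and URLs below are placeholders.
<VirtualHost *:443>
    ServerName www.example.test
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/server.crt
    SSLCertificateKeyFile /etc/ssl/example/server.key

    # Client certificates must chain to this CA.
    SSLVerifyClient require
    SSLVerifyDepth 2
    SSLCACertificateFile /etc/ssl/example/client-ca.pem

    # Check every client certificate against an OCSP responder.
    SSLOCSPEnable on
    # Use this responder even if the certificate carries its own AIA URL.
    SSLOCSPDefaultResponder http://ocsp.example.test/
    SSLOCSPOverrideResponder on

    # The responder signs with a self-signed certificate that has no
    # relationship to client-ca.pem, so without the line below the response
    # fails verification and the handshake is refused. Trust that signing
    # certificate directly. Keep the file to the responder certificate(s)
    # only: every certificate in it is accepted as an OCSP response signer.
    SSLOCSPResponderCertificateFile /etc/ssl/example/ocsp-responder.pem

    # Reject stale responses (seconds since thisUpdate) and bound how long
    # an unresponsive OCSP server can stall a handshake.
    SSLOCSPResponseMaxAge 3600
    SSLOCSPResponderTimeout 5
</VirtualHost>
```

Without the SSLOCSPResponderCertificateFile line, such a responder produces "OCSP response verification failed" style errors in the SSL error log and client authentication fails closed, which is the behaviour this report describes.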
Comment 5 dedecker 2014-05-19 12:35:27 UTC
Hello, I need this patch to use my own OCSP responder, which signs responses with its own self-signed certificate, and I see that this bug is not yet fixed. (There is no SSLOCSPResponderCertificateFile directive.) Is there a possibility to get a binary of an Apache 2.4 fixed with this patch?
Comment 6 Thijs Kinkhorst 2016-09-14 12:32:07 UTC
Created attachment 34248: Patch updated for 2.4.10 (and 2.4.23).
Comment 7 Thijs Kinkhorst 2016-09-14 12:35:25 UTC
I've uploaded a version of the original patch that applies against 2.4.10 (in Debian Jessie), which we've been running without trouble for quite a while already. It also applies against 2.4.23. We need this change in order to be able to use OCSP with client certificate authentication. It would be really useful to us if it could be merged.
Comment 8 Dennis Wilson 2016-09-14 16:09:56 UTC
Created attachment 34250: 2.4.23 ocsp mod diff file

Attached is the diff file I used to patch Apache 2.4.23. I have tested it on an Oracle Solaris 10 system. I cannot guarantee it will work on other platforms, but the code addition/change is the same since 2.4.10. There is probably a better way to just apply the diff file, but I always edit the files manually just to make sure the edits are where I want them.
Comment 9 jfclere 2017-02-06 13:10:44 UTC
Merged in trunk: http://svn.apache.org/r1781575. I will propose a backport once there is enough feedback.