Bug 58826

Summary: OCSP Stapling does not resolve DNS
Product: Apache httpd-2
Component: mod_ssl
Version: 2.4.18
Hardware: PC
OS: Linux
Status: RESOLVED WORKSFORME
Severity: critical
Priority: P2
Target Milestone: ---
Reporter: Paul <paul.necsoiu>
Assignee: Apache HTTPD Bugs Mailing List <bugs>
CC: cbarbara, not.waf, szg0000, toscano.luca

Description Paul 2016-01-08 15:01:37 UTC
I have configured an OCSP responder with OpenSSL 1.0.2d for testing purposes.
In Apache 2.4.18 I have the following configuration:

SSLUseStapling on
SSLStaplingCache shmcb:${APACHE_RUN_DIR}/stapling_cache(128000)
SSLStaplingStandardCacheTimeout 60
SSLStaplingForceURL http://127.0.0.1
#SSLStaplingForceURL http://cafe.ro

And in the /etc/hosts file I have:

127.0.0.1       localhost cafe.ro

When the OCSP URL is set to http://127.0.0.1 Apache sends OCSP Request messages, so everything seems to be OK.

The problem is that when the OCSP URL is set to http://cafe.ro Apache does not send OCSP Requests anymore, so I assume that it doesn't resolve DNS.

Does anybody know what the problem is?

These errors are from the Apache error.log:

[ssl:error] [pid 12647:tid 139684667709184] (111)Connection refused: [client 127.0.0.1:48742] AH01974: could not connect to OCSP responder 'cafe.ro'
[ssl:error] [pid 12647:tid 139684667709184] AH01941: stapling_renew_response: responder error
Comment 1 Luca Toscano 2017-05-08 17:28:48 UTC
Hi Paul,

sorry for the delay. If you still haven't resolved the issue, can you try setting the loglevel to debug (https://httpd.apache.org/docs/2.4/mod/core.html#loglevel) to see the result of this log?

    /* establish a connection to the OCSP responder */
    ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(01973)
                  "connecting to %s '%s'",
                  proxy_uri ? "proxy" : "OCSP responder",
                  uri->hostinfo);


As far as I can see, cafe.ro should be resolved, and in case of failure you should have found an error like the following in your logs:

    if (rv) {
        ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, c, APLOGNO(01972)
                      "could not resolve address of %s %s",
                      proxy_uri ? "proxy" : "OCSP responder",
                      next_hop_uri->hostinfo);
        return NULL;


Are you sure that cafe.ro is correctly resolving to 127.0.0.1 on your system?
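The two error lines in the report, read against the source quoted in the comment above, already separate name resolution from the TCP connect: AH01972 is logged when the responder address cannot be resolved, AH01974 when resolution returned an address but the connect to it failed (here with errno 111, connection refused). The following added example, which is not httpd code and not from the reporter or the commenters, parses mod_ssl stapling log lines and reports, per responder host, which of those two steps failed. It also shows the host and port that an http SSLStaplingForceURL value names (port 80 when none is given, which is what both URLs in the report use), and a probe function that repeats the resolve-then-connect sequence outside httpd. The sample log lines are the two from the report plus a constructed AH01972 line for a made-up host; the function names, the regexes and the "(EAI 2)Name or service not known" error text in the constructed line are assumptions of this example.

```python
"""Triage mod_ssl OCSP stapling errors: did DNS fail, or did the connect fail?

Added example for this report; not Apache httpd code.
"""
import re
import socket
from urllib.parse import urlsplit

# Which step of the stapling fetch each log ID belongs to. Derived from the
# messages quoted in the report and in the ssl_util_ocsp.c excerpts above.
STAGE = {
    "AH01973": "connecting",      # debug: address resolved, connect about to start
    "AH01972": "resolve_failed",  # error: address lookup of the responder failed
    "AH01974": "connect_failed",  # error: resolved, but TCP connect failed
    "AH01941": "renew_failed",    # error: stapling refresh gave up (consequence)
}

# Shape of the lines in the report: optional "(errno)text: " and "[client ...] ".
LOG_RE = re.compile(
    r"\[ssl:(?P<level>\w+)\] \[pid (?P<pid>\d+):tid (?P<tid>\d+)\] "
    r"(?:\((?P<errno>[^)]+)\)(?P<errstr>[^:]*): )?"
    r"(?:\[client (?P<client>[^\]]+)\] )?"
    r"(?P<code>AH\d{5}): (?P<msg>.*)$"
)
# Responder host as printed by AH01972/AH01973/AH01974 (quoted or bare).
HOST_RE = re.compile(r"(?:OCSP responder|proxy) '?(?P<host>[^' ]+)'?")


def parse_line(line):
    """Parse one error_log line; return a dict, or None if it is not an AH-coded line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    h = HOST_RE.search(rec["msg"])
    rec["host"] = h.group("host") if h else None
    rec["stage"] = STAGE.get(rec["code"], "other")
    return rec


def triage(lines):
    """Map each responder host to a verdict about where the fetch broke.

    A host that only ever shows AH01974 was resolved: the responder was not
    listening on the resolved address and port, so DNS is not the problem.
    """
    stages = {}
    for line in lines:
        rec = parse_line(line)
        if rec and rec["host"]:
            stages.setdefault(rec["host"], set()).add(rec["stage"])
    verdict = {}
    for host, seen in stages.items():
        if "resolve_failed" in seen:
            verdict[host] = "dns_failed"
        elif "connect_failed" in seen:
            verdict[host] = "dns_ok_connect_failed"
        elif "connecting" in seen:
            verdict[host] = "dns_ok"
        else:
            verdict[host] = "unknown"
    return verdict


def responder_target(url):
    """Host and port named by an http SSLStaplingForceURL value (port 80 if omitted)."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        raise ValueError("expected http://host[:port]/..., got %r" % url)
    return parts.hostname, parts.port or 80


def probe(url, timeout=3.0):
    """Repeat the resolve-then-connect steps outside httpd. Needs network; not run in tests.

    Returns 'resolve_failed', 'connect_failed' or 'connected', the same split
    that AH01972 versus AH01974 makes in the log. getaddrinfo() consults
    /etc/hosts through the system resolver, like httpd does via APR.
    """
    host, port = responder_target(url)
    try:
        addrs = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "resolve_failed"
    for family, stype, proto, _, sockaddr in addrs:
        s = socket.socket(family, stype, proto)
        s.settimeout(timeout)
        try:
            s.connect(sockaddr)
            return "connected"
        except OSError:
            continue
        finally:
            s.close()
    return "connect_failed"


# Constructed sample: the two lines from the report, plus a constructed AH01972
# line for a made-up host so the two verdicts can be seen side by side.
SAMPLE_LOG = [
    "[ssl:error] [pid 12647:tid 139684667709184] (111)Connection refused: "
    "[client 127.0.0.1:48742] AH01974: could not connect to OCSP responder 'cafe.ro'",
    "[ssl:error] [pid 12647:tid 139684667709184] AH01941: stapling_renew_response: responder error",
    "[ssl:error] [pid 12647:tid 139684667709184] (EAI 2)Name or service not known: "
    "[client 127.0.0.1:48744] AH01972: could not resolve address of OCSP responder ocsp.example.invalid",
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_LOG).items():
        print("%-22s %s" % (host, verdict))
```

Running the file prints `dns_ok_connect_failed` for cafe.ro and `dns_failed` for the constructed host. On the reporter's machine, `probe("http://cafe.ro")` would answer the DNS question directly, and `responder_target` makes the point that `http://cafe.ro` and `http://127.0.0.1` both name port 80, so whatever answers the second URL must also be reachable at the address cafe.ro resolves to.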
Comment 2 Joe Orton 2020-08-04 10:32:11 UTC
There is nothing obviously wrong with the code; if there is a reproducible problem with 2.4.43, please reopen and provide the requested debug-level log output.