Bug 60182

Summary: SSLStaplingFakeTryLater Deviates From Documented Behavior of Only Being Effective When SSLStaplingReturnResponderErrors is On
Product: Apache httpd-2
Reporter: Andrew Pietila <a.pietila>
Component: mod_ssl
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: NEW
Resolution: ---
Severity: normal
CC: toscano.luca
Priority: P2
Version: 2.4.23
Target Milestone: ---
Hardware: PC
OS: Linux

Description Andrew Pietila 2016-09-28 01:21:44 UTC
In modules/ssl/ssl_util_stapling.c, the following code is used to determine whether to throw an OCSP TryLater failure:


    *prsp = modssl_dispatch_ocsp_request(&uri, mctx->stapling_responder_timeout,
                                         req, conn, vpool);

    apr_pool_destroy(vpool);

    if (!*prsp) {
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01941)
                     "stapling_renew_response: responder error");
        if (mctx->stapling_fake_trylater) {
            *prsp = OCSP_response_create(OCSP_RESPONSE_STATUS_TRYLATER, NULL);
        }
        else {
            goto done;
        }
    }


The mctx->stapling_fake_trylater field corresponds to the configuration option SSLStaplingFakeTryLater. Per <https://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslstaplingfaketrylater>:

Only effective if SSLStaplingReturnResponderErrors is also enabled.

However, the configuration variable SSLStaplingReturnResponderErrors is not referenced in the above code. As a result, the fake TryLater is sent if SSLStaplingFakeTryLater is either enabled or non-existent in the configuration file, regardless of the presence or absence of SSLStaplingReturnResponderErrors. This causes connectivity issues with Firefox when, say, DNS for the OCSP responder fails.
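The following virtual host fragment is an added illustration, not configuration from the report or from the httpd project. It shows the directive combination the report describes (SSLStaplingReturnResponderErrors off while SSLStaplingFakeTryLater is left at its default) next to the combination that, given the code quoted above, actually stops a synthesised TryLater from being stapled when the responder cannot be reached: SSLStaplingFakeTryLater must be set off explicitly, because the `goto done` branch is the only path that leaves *prsp unset. Host names, paths and the cache size are placeholders.

```apacheconf
# Shared stapling cache (required before SSLUseStapling can take effect).
SSLStaplingCache "shmcb:/var/run/ocsp(128000)"

<VirtualHost *:443>
    ServerName example.test
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example.test.crt
    SSLCertificateKeyFile /etc/ssl/example.test.key

    SSLUseStapling on
    SSLStaplingResponderTimeout 5

    # As described in the bug: the documentation says this alone should
    # disable the fake TryLater, but ssl_util_stapling.c never consults it
    # when deciding whether to synthesise one, so a responder failure
    # (e.g. DNS resolution failure) still staples TRYLATER to the client.
    SSLStaplingReturnResponderErrors off
    # SSLStaplingFakeTryLater left at its default (on)

    # What actually prevents the synthesised TryLater with the quoted code:
    # with stapling_fake_trylater false, the failure path takes "goto done"
    # and no stapled response is attached to the handshake at all.
    SSLStaplingFakeTryLater off
</VirtualHost>
```

To confirm which behaviour a server exhibits, connect with `openssl s_client -connect example.test:443 -status` while the responder is unreachable: an "OCSP Response Status: trylater" line indicates the synthesised response was stapled, whereas "OCSP response: no response sent" indicates the `goto done` path was taken.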