Bug 60457

Summary: SSLOCSPEnable setting is not inherited from server config into vhost config
Product: Apache httpd-2 Reporter: Robert Bost <rbost>
Component: mod_sslAssignee: Apache HTTPD Bugs Mailing List <bugs>
Status: NEW ---    
Severity: normal    
Priority: P2    
Version: 2.4.23   
Target Milestone: ---   
Hardware: All   
OS: All   
Attachments: patch proposal

Description Robert Bost 2016-12-08 19:33:07 UTC 
Created attachment 34508 [details]
patch proposal

When SSLOCSPEnable is set to On in global/server configuration, it is not inherited by VirtualHosts. If I move the configurations inside the VirtualHost, failure happens as expected and SSL handshake is not completed. A patch is attached that works for me. Patch was generated for 2.4.23.

Reproducer:

This is a simplified reproducer that does not actually perform OCSP check but you can see logging where it at least gets into OCSP code:

1. Install httpd and mod_ssl
2. Add the following configurations in ssl.conf but outside of the VirtualHost. I did have to create a CA and client cert but the Responder URL goes to nowhere.

 SSLCACertificateFile /tmp/cacert.crt
 SSLVerifyClient require
 SSLVerifyDepth 1
 SSLOCSPEnable On
 SSLOCSPDefaultResponder http://localhost:9999/
 SSLOCSPOverrideResponder On

3. Send request with a certificate signed by the /tmp/cacert.crt

 # curl -I -E ./cert.crt:test --key ./privkey.key -k https://localhost/
 HTTP/1.1 200 OK

4. The request above succeeds but should not because the OCSP responder is unreachable and cert cannot be validated.