Bug 46037 - Configuration of trusted OCSP responder certificates
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl
Version: 2.4.25
Hardware: All
Priority/Severity: P2 normal (4 votes)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Reported: 2008-10-18 04:56 UTC by Dr Stephen Henson
Modified: 2017-03-02 11:21 UTC

Add SSLOCSPResponderCertificateFile option. (6.96 KB, patch)
2008-10-18 04:56 UTC, Dr Stephen Henson
Documentation of SSLOCSPResponderCertificateFile option (999 bytes, patch)
2008-10-18 04:59 UTC, Dr Stephen Henson
Capability to Trust OCSP Responder Self-Signed Certificates (8.54 KB, text/plain)
2013-07-24 12:31 UTC, Dennis Wilson
Patch updated for 2.4.10 (and 2.4.23). (8.11 KB, patch)
2016-09-14 12:32 UTC, Thijs Kinkhorst
2.4.23 ocsp mod diff file (9.50 KB, text/plain)
2016-09-14 16:09 UTC, Dennis Wilson
2.4.25 ocsp mod diff file (9.35 KB, text/plain)
2017-02-06 14:31 UTC, Dennis Wilson

Description Dr Stephen Henson 2008-10-18 04:56:40 UTC
Created attachment 22754
Add SSLOCSPResponderCertificateFile option.

Some OCSP responders are configured to either exclude certificates in the response or use a certificate chain with no relationship to the CA(s) it covers, such as a self-signed certificate.

Currently such responders cannot be used with mod_ssl because the responder certificate will fail verification.

The attached patch fixes this issue by adding a new OCSPResponderCertificateFile option, which contains PEM-format certificates that are directly trusted.

Question: is the initialisation and freeing in ssl_engine_init.c an appropriate place?
Comment 1 Dr Stephen Henson 2008-10-18 04:59:30 UTC
Created attachment 22755
Documentation of SSLOCSPResponderCertificateFile option
Comment 2 Stefan Fritsch 2011-06-19 18:26:09 UTC
As a reminder: AIUI, r1137398 (Don't do OCSP checks for valid self-issued certs) needs to be changed if this patch is committed.
Comment 3 Dennis Wilson 2013-07-24 12:31:03 UTC
Created attachment 30622
Capability to Trust OCSP Responder Self-Signed Certificates
Comment 4 Dennis Wilson 2013-07-24 12:34:46 UTC
This patch adds the capability to trust an OCSP responder certificate.  This is similar to the openssl -VAfile option.  This patch is a modification of the original submitted patch from 2008 so that it works with Apache 2.4.4.  Prior to this we used a third party module, but this allows Apache to accomplish the same thing eliminating the need for the third party module.
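To make the failure described in the bug report and the `openssl -VAfile` comparison in this comment concrete, here is an added shell example; it is not code from the bug report, its patches, or httpd. It plays both sides with the openssl command-line tool: it builds a throw-away CA, an end-entity certificate, and a self-signed OCSP responder certificate with no relationship to the CA, produces an OCSP response signed by that responder, and verifies the response twice. Trusting only the CA, verification of the responder certificate fails, which is the pre-patch mod_ssl outcome; with the responder certificate explicitly trusted via `-VAfile`, the same response verifies. All subjects, file names and the index entry are constructed for the demo; the script assumes an `openssl` binary with working `req`, `x509` and `ocsp` subcommands and writes only to a temporary directory.

```shell
#!/bin/sh
# Added example: reproduce the verification failure described in the bug with the
# openssl command-line tool. Every name and file here is constructed for the demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a throw-away CA, one end-entity certificate issued by it, and a self-signed
# OCSP responder certificate with no relationship to the CA. Then produce an OCSP
# response for the end-entity certificate, signed by that responder.
build_demo_pki() (
    cd "$WORK"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
        -subj "/CN=Demo CA" -days 30 >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout ee.key -out ee.csr \
        -subj "/CN=demo-client" >/dev/null 2>&1
    openssl x509 -req -in ee.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -out ee.pem -days 30 >/dev/null 2>&1
    # Self-signed responder certificate: nothing chains it to "Demo CA".
    openssl req -x509 -newkey rsa:2048 -nodes -keyout resp.key -out resp.pem \
        -subj "/CN=Demo OCSP Responder" -days 30 >/dev/null 2>&1

    # One-line index in "openssl ca" format marking the end-entity cert as valid (V).
    serial=$(openssl x509 -noout -serial -in ee.pem | cut -d= -f2)
    printf 'V\t300101000000Z\t\t%s\tunknown\t/CN=demo-client\n' "$serial" > index.txt

    # Relying-party side: build the OCSP request for ee.pem.
    openssl ocsp -issuer ca.pem -cert ee.pem -no_nonce -reqout req.der >/dev/null 2>&1
    # Responder side: answer the request offline, signing with the self-signed key.
    # The response carries resp.pem, but that certificate cannot be chained to the CA.
    openssl ocsp -index index.txt -CA ca.pem -rsigner resp.pem -rkey resp.key \
        -reqin req.der -respout resp.der >/dev/null 2>&1
)

# Verify the stored response as a relying party such as mod_ssl would, trusting only
# the CA. Extra arguments go to "openssl ocsp"; prints "verified" or "rejected".
check_response() {
    if openssl ocsp -respin "$WORK/resp.der" -issuer "$WORK/ca.pem" -cert "$WORK/ee.pem" \
            -CAfile "$WORK/ca.pem" "$@" >/dev/null 2>&1; then
        echo verified
    else
        echo rejected
    fi
}

build_demo_pki
# Chain verification of the responder certificate fails: the pre-patch mod_ssl outcome.
echo "CA trust only:                 $(check_response)"
# Explicitly trusting the responder certificate (what SSLOCSPResponderCertificateFile
# does in mod_ssl, -VAfile in openssl) makes the same response verify.
echo "responder certificate trusted: $(check_response -VAfile "$WORK/resp.pem")"
```

The second check is the behaviour the patch adds: mod_ssl's `SSLOCSPResponderCertificateFile` takes a PEM file of directly trusted responder certificates and plays the role `-VAfile resp.pem` plays here. A certificate listed that way is accepted without any chain building, so the file should hold only the certificates of responders you operate or have verified out of band.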
Comment 5 dedecker 2014-05-19 12:35:27 UTC
I need this patch to use my own OCSP responder, which signs responses with its own self-signed certificate, and I see that this bug is not fixed yet (there is no SSLOCSPResponderCertificateFile directive).

Is there a possibility to get a binary of Apache 2.4 fixed with this patch?
Comment 6 Thijs Kinkhorst 2016-09-14 12:32:07 UTC
Created attachment 34248
Patch updated for 2.4.10 (and 2.4.23).
Comment 7 Thijs Kinkhorst 2016-09-14 12:35:25 UTC
I've uploaded a version of the original patch that applies against 2.4.10 (in Debian Jessie) which we've been running without trouble for a longer while already. It also applies against 2.3.23.

We need this change in order to be able to use OCSP with client certificate authentication. It would be really useful to us if it could be merged.
Comment 8 Dennis Wilson 2016-09-14 16:09:56 UTC
Created attachment 34250
2.4.23 ocsp mod diff file

Attached is the diff file I used to patch apache 2.4.23.  I have tested it on an Oracle Solaris 10 system.  I cannot guarantee it will work on other platforms, but the code addition/change is the same since 2.4.10.  There is probably a better way to just apply the diff file, but I always edit the files manually just to make sure the edits are where I want them.
Comment 9 jfclere 2017-02-06 13:10:44 UTC
Merged in trunk: http://svn.apache.org/r1781575
I will propose a backport once there is enough feedback.
Comment 10 Dennis Wilson 2017-02-06 14:31:12 UTC
Created attachment 34719
2.4.25 ocsp mod diff file

This mod file shows the changes to add OCSP capabilities to Apache 2.4.25.