Created attachment 22754 [details] Add SSLOCSPResponderCertificateFile option. Some OCSP responders are configured to either exclude certificates from the response or use a certificate chain with no relationship to the CA(s) it covers, such as a self-signed certificate. Currently such responders cannot be used with mod_ssl because the responder certificate will fail verification. The attached patch fixes this issue by adding a new OCSPResponderCertificateFile option which contains PEM-format certificates which are directly trusted. Question: is the initialisation and freeing in ssl_engine_init.c an appropriate place?
Created attachment 22755 [details] Documentation of SSLOCSPResponderCertificateFile option
As a reminder: AIUI, r1137398 (Don't do OCSP checks for valid self-issued certs) needs to be changed if this patch is committed.
Created attachment 30622 [details] Capability to Trust OCSP Responder Self-Signed Certificates
This patch adds the capability to trust an OCSP responder certificate. This is similar to the openssl -VAfile option. This patch is a modification of the original submitted patch from 2008 so that it works with Apache 2.4.4. Prior to this we used a third party module, but this allows Apache to accomplish the same thing eliminating the need for the third party module.
Hello, I need this patch to use my own OCSP responder, which signs responses with its own self-signed certificate, and I see that this bug is not fixed yet. (There is no SSLOCSPResponderCertificateFile directive.) Is there a possibility of getting a binary of Apache 2.4 fixed with this patch?
Created attachment 34248 [details] Patch updated for 2.4.10 (and 2.4.23).
I've uploaded a version of the original patch that applies against 2.4.10 (in Debian Jessie) which we've been running without trouble for quite a while already. It also applies against 2.4.23. We need this change in order to be able to use OCSP with client certificate authentication. It would be really useful to us if it could be merged.
Created attachment 34250 [details] 2.4.23 ocsp mod diff file Attached is the diff file I used to patch apache 2.4.23. I have tested it on an Oracle Solaris 10 system. I cannot guarantee it will work on other platforms, but the code addition/change is the same since 2.4.10. There is probably a better way to just apply the diff file, but I always edit the files manually just to make sure the edits are where I want them.
Merged in trunk: http://svn.apache.org/r1781575. I will propose a backport once there is enough feedback.
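For readers landing on this thread looking for the end result: the following is an added configuration example, not an attachment from this thread and not taken from the httpd project's own documentation. It shows how the directive discussed here is used to trust an OCSP responder that signs with a self-signed certificate, in the client-certificate-authentication setup described above. All file paths, the virtual host and the responder URL are assumptions.

```apacheconf
# Added example (not from the thread): OCSP revocation checks for client
# certificates against a responder whose signing certificate is self-signed
# and therefore does not chain to the CA that issued the client certificates.
# Paths, hostnames and the responder URL are placeholders.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile      /etc/ssl/server.pem
    SSLCertificateKeyFile   /etc/ssl/server.key

    # Require client certificates issued by the internal CA.
    SSLVerifyClient require
    SSLCACertificateFile    /etc/ssl/internal-ca.pem

    # Check revocation over OCSP. Without SSLOCSPOverrideResponder the
    # responder URL is taken from each certificate's AIA extension and the
    # default responder is only used when no AIA is present.
    SSLOCSPEnable on
    SSLOCSPDefaultResponder  http://ocsp.internal.example/
    SSLOCSPOverrideResponder on

    # Directly trusted OCSP responder certificate(s), PEM encoded. A
    # self-signed responder certificate listed here passes verification
    # even though it has no relationship to internal-ca.pem. This is the
    # directive merged in r1781575 (shipped in httpd 2.4.26 and later).
    SSLOCSPResponderCertificateFile /etc/ssl/ocsp-responder.pem
</VirtualHost>
```

To confirm outside httpd that the responder really is reachable and that its self-signed certificate is the one you are trusting, the equivalent check with the OpenSSL CLI (the -VAfile option mentioned earlier in this thread) is `openssl ocsp -issuer /etc/ssl/internal-ca.pem -cert client.pem -url http://ocsp.internal.example/ -VAfile /etc/ssl/ocsp-responder.pem`; a "Response verify OK" line means the same trust anchor will satisfy mod_ssl.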
Created attachment 34719 [details] 2.4.25 ocsp mod diff file This mod file shows the changes to add OCSP capabilities to Apache 2.4.25.