Bug 58826 - OCSP Stapling does not resolve DNS
Summary: OCSP Stapling does not resolve DNS
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl
Version: 2.4.18
Hardware: PC Linux
Importance: P2 critical with 3 votes
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Depends on:
Reported: 2016-01-08 15:01 UTC by Paul
Modified: 2020-08-04 10:32 UTC

Description Paul 2016-01-08 15:01:37 UTC
I have configured an OCSP responder with OpenSSL 1.0.2d for testing purposes. 
In Apache 2.4.18 I have the following configuration:

SSLUseStapling on
SSLStaplingCache shmcb:${APACHE_RUN_DIR}/stapling_cache(128000)
SSLStaplingStandardCacheTimeout 60
#SSLStaplingForceURL http://cafe.ro

And in the /etc/hosts file I have:       localhost cafe.ro

When the OCSP URL is set to  Apache sends OCSP Request messages, so everything seems to be OK.

The problem is that when the OCSP URL is set to http://cafe.ro Apache does not send OCSP Requests anymore, so I assume that it doesn't resolve DNS.

Does anybody know what the problem is?

These errors are from apache error.log

[ssl:error] [pid 12647:tid 139684667709184] (111)Connection refused: [client] AH01974: could not connect to OCSP responder 'cafe.ro'
[ssl:error] [pid 12647:tid 139684667709184] AH01941: stapling_renew_response: responder error
Comment 1 Luca Toscano 2017-05-08 17:28:48 UTC
Hi Paul,

sorry for the delay. If you still haven't resolved the issue, can you try setting the loglevel to debug (https://httpd.apache.org/docs/2.4/mod/core.html#loglevel) to see the result of this log?

    /* establish a connection to the OCSP responder */
    ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(01973)
                  "connecting to %s '%s'",
                  proxy_uri ? "proxy" : "OCSP responder",

As far as I can see, cafe.ro should be resolved, and in case of failure you should have found an error like the following in your logs:

    if (rv) {
        ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, c, APLOGNO(01972)
                      "could not resolve address of %s %s",
                      proxy_uri ? "proxy" : "OCSP responder",
        return NULL;

Are you sure that cafe.ro is correctly resolving to on your system?
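The checks asked for above (does the responder host resolve, does the responder answer), together with the stapling configuration from the report, as an added diagnostic that is not part of the bug report or of httpd itself. The script reads the OCSP URI from a certificate, resolves the responder host through the system resolver (getent goes through NSS, so an /etc/hosts override like the reporter's cafe.ro line is honoured) and sends a request with openssl ocsp, which is what mod_ssl does before it can staple. The function names, the file arguments and the host ocsp.example.test are assumptions for illustration; it assumes openssl 1.0.2 or later and getent on PATH.

```shell
#!/bin/sh
# Added diagnostic for the OCSP stapling setup discussed in this bug; not code
# from the bug report or from httpd. It performs, outside Apache, the three steps
# mod_ssl must complete before it can staple: read the responder URI from the
# certificate, resolve the responder host, and fetch a response from it.
# Assumes openssl (1.0.2 or later) and getent on PATH; file paths are caller-supplied.

# Split an http(s)://host[:port][/path] URL into "host port".
# The port defaults to 80 for http and 443 for https.
ocsp_host_port() {
    url=$1
    scheme=${url%%://*}
    rest=${url#*://}
    hostport=${rest%%/*}
    host=${hostport%%:*}
    port=${hostport#"$host"}
    port=${port#:}
    if [ -z "$port" ]; then
        case "$scheme" in https) port=443 ;; *) port=80 ;; esac
    fi
    printf '%s %s\n' "$host" "$port"
}

# Resolve a host the way the OS resolver does (NSS, so /etc/hosts counts).
# Prints the first address, or nothing if the name does not resolve.
resolve_host() {
    getent hosts "$1" | awk '{ print $1; exit }'
}

# Send the same request mod_ssl would send for this certificate.
# Usage: ocsp_check_cert server.crt issuer.crt
ocsp_check_cert() {
    cert=$1
    issuer=$2
    url=$(openssl x509 -in "$cert" -noout -ocsp_uri)
    if [ -z "$url" ]; then
        echo "no OCSP URI in $cert; mod_ssl would need SSLStaplingForceURL" >&2
        return 1
    fi
    set -- $(ocsp_host_port "$url")
    host=$1
    port=$2
    ip=$(resolve_host "$host")
    if [ -z "$ip" ]; then
        # Corresponds to AH01972 "could not resolve address" in mod_ssl.
        echo "cannot resolve $host" >&2
        return 1
    fi
    echo "responder $url -> $host ($ip) port $port"
    # "Connection refused" here is the AH01974 case: the name resolved but
    # nothing is listening on that address and port.
    openssl ocsp -issuer "$issuer" -cert "$cert" -url "$url" -resp_text -noverify
}

# Show what a running TLS server actually staples.
# Usage: stapling_status host:port
stapling_status() {
    printf 'Q\n' | openssl s_client -connect "$1" -servername "${1%%:*}" -status 2>/dev/null \
        | grep -A 1 '^OCSP response:'
}

case "${1:-}" in
    cert)   ocsp_check_cert "$2" "$3" ;;
    staple) stapling_status "$2" ;;
    *)      ;;   # no arguments: only define the functions, so the file can be sourced
esac
```

Run `sh ocsp-diag.sh cert server.crt issuer.crt` on the Apache host itself, since that is the resolver and network path mod_ssl uses; a resolution failure maps to AH01972 and a refused connection to AH01974 in the error log quoted in the report. `sh ocsp-diag.sh staple localhost:443` then shows whether the server delivers a stapled response in the handshake at all.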
Comment 2 Joe Orton 2020-08-04 10:32:11 UTC
There is nothing obviously wrong with the code, if there is a reproducible problem with 2.4.43 please reopen and provide the requested debug-level log output.