Bug 60182 - SSLStaplingFakeTryLater Deviates From Documented Behavior of Only Being Effective When SSLStaplingReturnResponderErrors is On
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl
Version: 2.4.23
Hardware: PC Linux
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Reported: 2016-09-28 01:21 UTC by Andrew Pietila
Modified: 2017-05-23 12:08 UTC


Description Andrew Pietila 2016-09-28 01:21:44 UTC
In modules/ssl/ssl_util_stapling.c, the following code is used to determine whether to throw an OCSP TryLater failure:

    *prsp = modssl_dispatch_ocsp_request(&uri, mctx->stapling_responder_timeout,
                                         req, conn, vpool);

    if (!*prsp) {
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01941)
                     "stapling_renew_response: responder error");
        if (mctx->stapling_fake_trylater) {
            *prsp = OCSP_response_create(OCSP_RESPONSE_STATUS_TRYLATER, NULL);
        }
        else {
            goto done;
        }
    }

The mctx->stapling_fake_trylater corresponds with configuration option SSLStaplingFakeTryLater. Per < https://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslstaplingfaketrylater >:

Only effective if SSLStaplingReturnResponderErrors is also enabled.

However, the configuration variable SSLStaplingReturnResponderErrors is not referenced in the above code. As a result, the fake TryLater is sent if SSLStaplingFakeTryLater is either enabled or nonexistent in the configuration file, regardless of presence or absence of SSLStaplingReturnResponderErrors. This causes connectivity issues with Firefox when, say, DNS for the OCSP responder fails.
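
A configuration check built on the behavior described in this report, as an added example that is not part of the original report or of httpd: it lists the scopes of an httpd configuration where SSLStaplingFakeTryLater is effectively on while SSLStaplingReturnResponderErrors is off, the combination the report says still staples a fake TryLater. The name `audit_stapling`, the sample configuration, and the simplifications (both directives default to on per the mod_ssl documentation, virtual hosts inherit global settings, Include files are not followed) are assumptions.

```python
import re

# Documented mod_ssl defaults: both directives are "on" when absent.
DEFAULTS = {"sslstaplingfaketrylater": True,
            "sslstaplingreturnrespondererrors": True}
DIRECTIVE = re.compile(
    r"^\s*(SSLStaplingFakeTryLater|SSLStaplingReturnResponderErrors)\s+(on|off)\s*$",
    re.IGNORECASE)
VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.IGNORECASE)

def audit_stapling(config_text):
    """Return scopes where, per the report, a fake TryLater can be stapled
    although SSLStaplingReturnResponderErrors is off."""
    global_set, vhosts, current = {}, {}, None
    for line in config_text.splitlines():
        if line.lstrip().startswith("#"):
            continue                      # commented-out directives do not count
        m = VHOST_OPEN.match(line)
        if m:
            current = m.group(1).strip()
            vhosts[current] = {}
            continue
        if VHOST_CLOSE.match(line):
            current = None
            continue
        m = DIRECTIVE.match(line)
        if m:                             # last occurrence in a scope wins
            target = global_set if current is None else vhosts[current]
            target[m.group(1).lower()] = m.group(2).lower() == "on"
    flagged = []
    for scope, local in [("global", {})] + list(vhosts.items()):
        eff = {**DEFAULTS, **global_set, **local}   # vhost overrides global
        if eff["sslstaplingfaketrylater"] and not eff["sslstaplingreturnrespondererrors"]:
            flagged.append(scope)
    return flagged

# Constructed sample configuration (not from the bug report).
SAMPLE = """\
SSLUseStapling on
SSLStaplingReturnResponderErrors off
<VirtualHost *:443>
</VirtualHost>
<VirtualHost *:8443>
    SSLStaplingFakeTryLater off
</VirtualHost>
"""

if __name__ == "__main__":
    print(audit_stapling(SAMPLE))
```

In a flagged scope, setting SSLStaplingFakeTryLater off explicitly takes the `goto done` branch of the excerpt instead of creating the TryLater response.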