Bug 60457 - SSLOCSPEnable setting is not inherited from server config into vhost config
Summary: SSLOCSPEnable setting is not inherited from server config into vhost config
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl
Version: 2.4.23
Hardware: All All
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Depends on:
Reported: 2016-12-08 19:33 UTC by Robert Bost
Modified: 2016-12-08 19:33 UTC

Attachment: patch proposal (909 bytes, patch), 2016-12-08 19:33 UTC, Robert Bost
Description Robert Bost 2016-12-08 19:33:07 UTC
Created attachment 34508: patch proposal

When SSLOCSPEnable is set to On in the global/server configuration, it is not inherited by VirtualHosts. If I move the configuration inside the VirtualHost, the failure happens as expected and the SSL handshake is not completed. A patch is attached that works for me. The patch was generated for 2.4.23.

This is a simplified reproducer that does not actually perform an OCSP check, but you can see in the logging that it at least gets into the OCSP code:

1. Install httpd and mod_ssl
2. Add the following configuration in ssl.conf but outside of the VirtualHost. I did have to create a CA and a client cert, but the responder URL goes nowhere.

 SSLCACertificateFile /tmp/cacert.crt
 SSLVerifyClient require
 SSLVerifyDepth 1
 SSLOCSPDefaultResponder http://localhost:9999/
 SSLOCSPOverrideResponder On

3. Send a request with a certificate signed by /tmp/cacert.crt

 # curl -I -E ./cert.crt:test --key ./privkey.key -k https://localhost/
 HTTP/1.1 200 OK

4. The request above succeeds, but it should not, because the OCSP responder is unreachable and the cert cannot be validated.
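The practical consequence of this report for an administrator is that a server-level SSLOCSPEnable On gives a false sense of coverage: every VirtualHost that verifies client certificates but does not set SSLOCSPEnable itself is, on an affected build, skipping revocation checks. The following audit script is an added example and is not part of the bug report, the attached patch, or httpd itself. It assumes the behaviour the report describes (SSLOCSPEnable set outside <VirtualHost> is not inherited) while treating the other SSL directives as merging into the vhost as documented. The parser is deliberately minimal: one directive per line, <VirtualHost> blocks only, no Include or IfModule handling, and the sample configuration embedded in it is constructed to mirror the reproducer above.

```python
"""Audit an httpd config for vhosts that rely on a server-level SSLOCSPEnable.

Added example, not code from bug 60457 or from httpd. Assumption taken from
the report: SSLOCSPEnable placed outside <VirtualHost> is NOT inherited, so a
vhost that verifies client certificates and does not set SSLOCSPEnable itself
performs no OCSP check. Other directives are assumed to merge normally.
"""
import re
from dataclasses import dataclass, field

VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>\s*$", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>\s*$", re.IGNORECASE)
DIRECTIVE = re.compile(r"^\s*(\S+)(?:\s+(.*?))?\s*$")


@dataclass
class Scope:
    """One configuration scope: the server config or a single <VirtualHost>."""
    name: str
    directives: dict = field(default_factory=dict)  # lowercased name -> value


def parse_config(text):
    """Return (server_scope, [vhost_scopes]) for a simplified httpd config."""
    server = Scope("server config")
    vhosts = []
    current = server
    for raw in text.splitlines():
        line = raw.rstrip()
        # httpd only recognises whole-line comments, so do the same here
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = VHOST_OPEN.match(line)
        if m:
            current = Scope(f"<VirtualHost {m.group(1).strip()}>")
            vhosts.append(current)
            continue
        if VHOST_CLOSE.match(line):
            current = server
            continue
        m = DIRECTIVE.match(line)
        if m:
            current.directives[m.group(1).lower()] = m.group(2) or ""
    return server, vhosts


def is_on(value):
    return value is not None and value.strip().lower() == "on"


def audit_ocsp(text):
    """Flag vhosts that verify client certs but inherit (and so lose) SSLOCSPEnable."""
    server, vhosts = parse_config(text)
    global_ocsp = is_on(server.directives.get("sslocspenable"))
    findings = []
    for vh in vhosts:
        # SSLVerifyClient is assumed to merge from the server config as documented
        verify = (vh.directives.get("sslverifyclient")
                  or server.directives.get("sslverifyclient")
                  or "none").strip().lower()
        if verify not in ("require", "optional"):
            continue  # no client certificates checked here, client OCSP is moot
        if "sslocspenable" in vh.directives:
            continue  # explicit per-vhost setting, inheritance is irrelevant
        if global_ocsp:
            findings.append(
                f"{vh.name}: SSLOCSPEnable On is set only at server level; "
                f"per bug 60457 it is not inherited, so set it inside the vhost")
    return findings


# Constructed sample mirroring the report's reproducer, with SSLOCSPEnable On
# added globally and two vhosts: one relying on inheritance, one explicit.
SAMPLE_CONFIG = """
SSLCACertificateFile /tmp/cacert.crt
SSLVerifyClient require
SSLVerifyDepth 1
SSLOCSPEnable On
SSLOCSPDefaultResponder http://localhost:9999/
SSLOCSPOverrideResponder On

<VirtualHost _default_:443>
    ServerName localhost
    SSLEngine on
</VirtualHost>

# second vhost with a constructed name; sets SSLOCSPEnable itself
<VirtualHost *:8443>
    ServerName other.example
    SSLEngine on
    SSLOCSPEnable On
</VirtualHost>
"""

if __name__ == "__main__":
    for finding in audit_ocsp(SAMPLE_CONFIG):
        print(finding)
```

Run against a real ssl.conf by reading the file into `audit_ocsp`; on the sample it reports only the `_default_:443` vhost, because the `*:8443` vhost states SSLOCSPEnable itself and is unaffected regardless of how the server-level setting merges. The same check remains useful after the fix as a configuration-hygiene rule: stating SSLOCSPEnable inside each client-authenticating vhost removes any dependence on merge behaviour.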