Bug 63171 - SSLProxy: SSLOCSPResponderCertificateFile not loaded on HTTP to HTTPS proxy
Summary: SSLProxy: SSLOCSPResponderCertificateFile not loaded on HTTP to HTTPS proxy
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl (show other bugs)
Version: 2.4.38
Hardware: PC All
: P2 normal (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Keywords: PatchAvailable
Depends on:
Reported: 2019-02-13 10:33 UTC by Anton Tieleman
Modified: 2019-11-25 12:49 UTC (History)
1 user (show)

Patch against tag 2.4.38 (1.04 KB, patch)
2019-02-13 10:33 UTC, Anton Tieleman
Details | Diff
CA file for testing (Comodo RSA root + intermediate) (4.14 KB, application/x-x509-ca-cert)
2019-02-13 10:34 UTC, Anton Tieleman

Note You need to log in before you can comment on or make changes to this bug.
Description Anton Tieleman 2019-02-13 10:33:38 UTC
Created attachment 36434 [details]
Patch against tag 2.4.38

I have configured an Apache HTTP server as outgoing proxy in order to connect to an external system using Mutual TLS. I use the SSLProxyEngine to facilitate this configuration. For the time being, this proxy listens on HTTP. The external system uses a Comodo-issued certificate. Comodo’s OCSP responder does not send its certificate, since the OCSP response is signed with the same certificate as the server certificate. This makes the default OCSP validation fail.

In order to provide the responder’s certificate to OpenSSL, I have configured a SSLOCSPResponderCertificateFile in the relevant VirtualHost. However, in this HTTP to HTTPS setup, the file is never read/used.

I looked at mod_ssl’s sources and observed that the OCSP trusted certificates are loaded in ssl_util_ocsp.c/ssl_init_ocsp_certificates. This method is however never called in proxy configuration (see ssl_engine_init.c/ssl_init_ConfigureServer).

I discovered this problem on an Apachehaus 2.4.37 build for Windows. I reproduced it on a build from source using 2.4.38 and a AWS Ubuntu 18.04 VM.

Reproduction with 2.4.38:
- ./configure --enable-proxy --enable-ssl --prefix=/opt/apache2
- Copy attached trusted-ca.pem to conf/ssl
- httpd.conf:
    - Enable mod_proxy.so, mod_proxy_http.so, mod_ssl.so
    - Add virtual host below

<VirtualHost *:80>
  LogLevel ssl:trace5

  SSLProxyEngine On
  SSLProxyProtocol -all +TLSv1.2
  # Verify remote server certificate
  SSLProxyVerify require
  SSLProxyVerifyDepth 2

  # Comodo responder does not accept nonce
  SSLOCSPUseRequestNonce off
  # Certificate chain
  SSLProxyCACertificateFile conf/ssl/trusted-ca.pem
  SSLOCSPResponderCertificateFile conf/ssl/trusted-ca.pem
  ProxyPass / https://oneton.nl/

- Start the server
- curl http://localhost/
- The server returns a 500 error
- Check the error log. It does not mention “Configuring Trusted OCSP certificates” (which is the debug logging output for ssl_util_ocsp.c/ssl_init_ocsp_certificates)

- Apply attached patch to 2.4.38 source directory (modules/ssl/ssl_engine_init.c)
- Build and install
- Try again, the page is loaded and the error log shows that:
  - Certificates are loaded
  - OCSP lookup succeeds
Comment 1 Anton Tieleman 2019-02-13 10:34:14 UTC
Created attachment 36435 [details]
CA file for testing (Comodo RSA root + intermediate)
Comment 2 Konrad Botor 2019-11-25 12:49:36 UTC
I encountered the same problem with httpd 2.4.41.

Will the patch for this be applied to any future releases?