Created attachment 36434
Patch against tag 2.4.38

I have configured an Apache HTTP server as an outgoing proxy in order to connect to an external system using mutual TLS. I use SSLProxyEngine to facilitate this configuration. For the time being, this proxy listens on HTTP.

The external system uses a Comodo-issued certificate. Comodo's OCSP responder does not send its certificate, since the OCSP response is signed with the same certificate as the server certificate. This makes the default OCSP validation fail. In order to provide the responder's certificate to OpenSSL, I have configured an SSLOCSPResponderCertificateFile in the relevant VirtualHost. However, in this HTTP to HTTPS setup, the file is never read/used.

I looked at mod_ssl's sources and observed that the OCSP trusted certificates are loaded in ssl_util_ocsp.c/ssl_init_ocsp_certificates. This method is, however, never called in a proxy configuration (see ssl_engine_init.c/ssl_init_ConfigureServer).

I discovered this problem on an Apachehaus 2.4.37 build for Windows. I reproduced it on a build from source using 2.4.38 and an AWS Ubuntu 18.04 VM.

Reproduction with 2.4.38:
- ./configure --enable-proxy --enable-ssl --prefix=/opt/apache2
- Copy attached trusted-ca.pem to conf/ssl
- httpd.conf:
  - Enable mod_proxy.so, mod_proxy_http.so, mod_ssl.so
  - Add the virtual host below

    <VirtualHost *:80>
        LogLevel ssl:trace5
        SSLProxyEngine On
        SSLProxyProtocol -all +TLSv1.2
        # Verify remote server certificate
        SSLProxyVerify require
        SSLProxyVerifyDepth 2
        # Comodo responder does not accept nonce
        SSLOCSPUseRequestNonce off
        # Certificate chain
        SSLProxyCACertificateFile conf/ssl/trusted-ca.pem
        SSLOCSPResponderCertificateFile conf/ssl/trusted-ca.pem
        ProxyPass / https://oneton.nl/
    </VirtualHost>

- Start the server
- curl http://localhost/
- The server returns a 500 error
- Check the error log. It does not mention "Configuring Trusted OCSP certificates" (which is the debug logging output for ssl_util_ocsp.c/ssl_init_ocsp_certificates)
- Apply attached patch to 2.4.38 source directory (modules/ssl/ssl_engine_init.c)
- Build and install
- Try again: the page is loaded and the error log shows that:
  - Certificates are loaded
  - OCSP lookup succeeds
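The verification failure described in this report, as an added shell example that is not part of the bug report or of httpd: it builds a throwaway CA with the openssl command line tool, has that CA sign an OCSP response without including its own certificate (as the Comodo responder does), and shows that the response only verifies when the responder certificate is supplied explicitly via -VAfile, the CLI counterpart of SSLOCSPResponderCertificateFile. The CA name, file names and the ocsp_demo function are constructed for this example; an openssl binary is assumed to be installed.

```shell
#!/bin/sh
# Constructed demonstration (not part of the bug report or of httpd):
# an OCSP response signed by the issuing CA that omits the signer cert
# cannot be verified from the trusted store alone; the responder cert
# must be handed over explicitly (-VAfile here, the directive in mod_ssl).
set -eu

ocsp_demo() {
    work=$(mktemp -d)
    cd "$work"
    # Throwaway PKI: one CA and one server certificate issued by it.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
        -subj /CN=DemoCA -days 1 >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout srv.key -out srv.csr \
        -subj /CN=srv >/dev/null 2>&1
    openssl x509 -req -in srv.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -out srv.pem -days 1 >/dev/null 2>&1
    # Minimal ca-style index so "openssl ocsp" can act as a local responder.
    serial=$(openssl x509 -in srv.pem -noout -serial | cut -d= -f2)
    printf 'V\t500101000000Z\t\t%s\tunknown\t/CN=srv\n' "$serial" > index.txt
    # Response signed by the CA itself, with the signer certificate left out.
    openssl ocsp -index index.txt -CA ca.pem -rsigner ca.pem -rkey ca.key \
        -issuer ca.pem -cert srv.pem -resp_no_certs -noverify \
        -respout resp.der >/dev/null 2>&1
    # Verification with only the trusted store, as mod_ssl does it when no
    # responder certificates were loaded: the signer cannot be located.
    if openssl ocsp -respin resp.der -CAfile ca.pem >/dev/null 2>&1; then
        without=ok
    else
        without=fail
    fi
    # Same response, responder certificate supplied explicitly.
    if openssl ocsp -respin resp.der -CAfile ca.pem -VAfile ca.pem \
        >/dev/null 2>&1; then
        with=ok
    else
        with=fail
    fi
    cd / && rm -rf "$work"
    echo "without responder cert: $without; with responder cert: $with"
}
```

Running ocsp_demo prints "without responder cert: fail; with responder cert: ok", which is the behaviour the report sees in the proxy vhost until the responder certificate file is actually loaded.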
Created attachment 36435
CA file for testing (Comodo RSA root + intermediate)
I encountered the same problem with httpd 2.4.41. Will the patch for this be applied to any future releases?