Bug 64135 - OCSP Stapling doesn't handle Keep-Alive responses properly, causing delays/timeouts
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl
Version: 2.4.41
Hardware: PC Linux
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords: FixedInTrunk
Depends on:
Blocks:
 
Reported: 2020-02-11 16:26 UTC by Giovanni Bechis
Modified: 2020-02-21 19:02 UTC

Attachments
Ocsp strace (5.56 KB, text/x-log), 2020-02-11 16:26 UTC, Giovanni Bechis
Possible fix (560 bytes, patch), 2020-02-11 17:10 UTC, Giovanni Bechis

Description Giovanni Bechis 2020-02-11 16:26:03 UTC
Created attachment 37010 [details]
Ocsp strace

When httpd(8) sends OCSP requests via mod_ssl and the OCSP server offers the keep-alive option, the connection is not immediately closed after the OCSP response; instead the server waits for the keep-alive connection to expire.

In the log file attached, the actual stapling response is received at 1556058446.291592, but the connection isn't closed until 1556058456.291508 (10 seconds later) because of the keep-alive timeout of exactly 10 seconds.
Comment 1 Giovanni Bechis 2020-02-11 17:10:07 UTC
Created attachment 37011 [details]
Possible fix

A possible fix could be to force a connection closure as soon as a correct reply from the OCSP server has arrived; not sure if it's done in the correct code path, anyway.
Comment 2 Ruediger Pluem 2020-02-13 14:52:22 UTC
(In reply to Giovanni Bechis from comment #1)
> Created attachment 37011 [details]
> Possible fix
> 
> A possible fix could be to force a connection closure as soon as a correct
> reply from the OCSP server has arrived, not sure if it's done in the correct
> code-path anyway.

Maybe I misunderstood the issue. You are talking about the HTTP connection to the OCSP server / responder, correct? But the patch disables the keepalive on the connection to the client (e.g. the browser). If you want to disable the keepalive on the connection to the OCSP server / have it closed after the request IMHO the following patch should do it:

Index: ssl_util_ocsp.c
===================================================================
--- ssl_util_ocsp.c     (revision 1873895)
+++ ssl_util_ocsp.c     (working copy)
@@ -46,6 +46,7 @@
     BIO_printf(bio, "%s%s%s HTTP/1.0\r\n"
                "Host: %s:%d\r\n"
                "Content-Type: application/ocsp-request\r\n"
+               "Connection: close\r\n"
                "Content-Length: %d\r\n"
                "\r\n",
                uri->path ? uri->path : "/",
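Review bot: the request line at the top of this hunk already says HTTP/1.0, under which a request carrying no Connection header is closed by the server after the response, so the responder in this report is holding the connection open against the HTTP/1.0 default; the explicit `"Connection: close\r\n"` is still the right defensive fix (the reporter confirms below that the responder honours it), but add a one-line comment above the BIO_printf saying why an apparently redundant header is sent on an HTTP/1.0 request, or a later cleanup will drop it and reintroduce the stall. Separately, since this fix only works when the responder honours the header, it is worth checking that the response reader stops at Content-Length rather than draining the socket until EOF; a responder that ignores the header would otherwise reproduce the 10 second wait described in the report.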
Comment 3 Giovanni Bechis 2020-02-13 15:55:44 UTC
You understood perfectly and your diff makes absolute sense.
Comment 4 Ruediger Pluem 2020-02-14 08:12:46 UTC
(In reply to Giovanni Bechis from comment #3)
> You understood perfectly and your diff makes absolutely sense.

Can you confirm that the patch fixes your issue?
Comment 5 Giovanni Bechis 2020-02-14 09:08:16 UTC
Yes, the patch fixes the issue.
Comment 6 Ruediger Pluem 2020-02-14 09:49:09 UTC
Committed to trunk as r1874007.
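The stall described in the report and the effect of the header added in comment 2, as a self-contained added example (this is not code from the bug report or from httpd). A constructed "keep-alive-happy" responder answers an OCSP POST and then holds the connection open until its own keep-alive timer expires, unless the request carried "Connection: close"; the client builds its request the way the BIO_printf in ssl_util_ocsp.c does and, as the report describes, drains the socket until the responder closes it. The keep-alive timeout, the loopback port, the placeholder request bytes and the minimal DER response (responseStatus = unauthorized) are all assumptions of the example:

```python
"""Toy reproduction of httpd bug 64135 (added example, not httpd code): an
OCSP client that reads the HTTP response until EOF waits out the responder's
keep-alive timer unless the request carries "Connection: close"."""
import socket
import threading
import time

KEEPALIVE_TIMEOUT = 1.0   # seconds; the responder in the report used 10 s
# Constructed payloads.  The response is a minimal DER OCSPResponse carrying
# only responseStatus = unauthorized(6); the request is a placeholder.
FAKE_OCSP_RESPONSE = b"\x30\x03\x0a\x01\x06"
FAKE_OCSP_REQUEST = b"placeholder-ocsp-request"


def _read_http_message(conn):
    """Read one HTTP message: the header block, then a Content-Length body.
    Returns (header_text, body), or (None, None) on EOF."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        data = conn.recv(4096)
        if not data:
            return None, None
        buf += data
    head, rest = buf.split(b"\r\n\r\n", 1)
    head = head.decode("latin-1")
    length = 0
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "content-length":
            length = int(value)
    while len(rest) < length:
        data = conn.recv(4096)
        if not data:
            break
        rest += data
    return head, rest[:length]


def _serve_client(conn, events):
    """Responder side: answer, then honour "Connection: close" or wait for a
    further request until KEEPALIVE_TIMEOUT.  Records why it closed."""
    conn.settimeout(KEEPALIVE_TIMEOUT)
    try:
        head, _body = _read_http_message(conn)
        if head is None:
            return
        wants_close = any(
            line.lower().startswith("connection:") and "close" in line.lower()
            for line in head.split("\r\n"))
        conn.sendall(b"HTTP/1.1 200 OK\r\n"
                     b"Content-Type: application/ocsp-response\r\n"
                     b"Content-Length: %d\r\n\r\n" % len(FAKE_OCSP_RESPONSE)
                     + FAKE_OCSP_RESPONSE)
        if wants_close:
            events.append("client sent Connection: close")
            return
        try:
            conn.recv(1)            # the next request never comes ...
            events.append("client hung up")
        except socket.timeout:      # ... so this fires after KEEPALIVE_TIMEOUT
            events.append("keep-alive timeout")
    finally:
        conn.close()


def ocsp_post(host, port, der_request, connection_close):
    """Client side, shaped like the BIO_printf in ssl_util_ocsp.c: an HTTP/1.0
    POST, optionally with the "Connection: close" header from the fix, whose
    response is read until the responder closes the connection.
    Returns (response_body, seconds_spent)."""
    request = ("POST / HTTP/1.0\r\n"
               f"Host: {host}:{port}\r\n"
               "Content-Type: application/ocsp-request\r\n"
               + ("Connection: close\r\n" if connection_close else "")
               + f"Content-Length: {len(der_request)}\r\n\r\n").encode() + der_request
    start = time.monotonic()
    with socket.create_connection((host, port), timeout=5 * KEEPALIVE_TIMEOUT) as s:
        s.sendall(request)
        raw = b""
        while True:
            data = s.recv(4096)
            if not data:            # EOF: only now does the client move on
                break
            raw += data
    return raw.split(b"\r\n\r\n", 1)[1], time.monotonic() - start


def start_responder(events):
    """Start the toy responder on a free loopback port; returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.5)             # lets the accept loop notice srv.close()

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:         # listening socket closed by run_demo()
                return
            threading.Thread(target=_serve_client, args=(conn, events), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def run_demo():
    """Send the same request twice, first as httpd 2.4.41 did and then with
    the fix.  Returns both (body, seconds) results and the responder's close
    reasons in order."""
    events = []
    srv, port = start_responder(events)
    try:
        before = ocsp_post("127.0.0.1", port, FAKE_OCSP_REQUEST, connection_close=False)
        after = ocsp_post("127.0.0.1", port, FAKE_OCSP_REQUEST, connection_close=True)
    finally:
        srv.close()
    return {"without_close": before, "with_close": after, "events": events}


if __name__ == "__main__":
    result = run_demo()
    for label in ("without_close", "with_close"):
        body, secs = result[label]
        print(f"{label:14s} body={body.hex()} took {secs:.2f}s")
    print("responder closed because:", result["events"])
```

Both requests get the same response body; the difference is entirely in when the client is allowed to stop reading. Without the header the client is stuck until the responder's timer fires (the 10 second gap in the attached strace), with it the responder closes right after the response. The other way to remove the dependency on the responder's behaviour is for the client to stop reading once Content-Length bytes of body have arrived instead of waiting for EOF.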