Posted to bugs@httpd.apache.org by bu...@apache.org on 2022/05/20 08:48:34 UTC

[Bug 66078] New: mod_md should not attach outdated OCSP response

https://bz.apache.org/bugzilla/show_bug.cgi?id=66078

            Bug ID: 66078
           Summary: mod_md should not attach outdated OCSP response
           Product: Apache httpd-2
           Version: 2.4.53
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_md
          Assignee: bugs@httpd.apache.org
          Reporter: odi@odi.ch
  Target Milestone: ---

If upstream OCSP responds with expired data (happens when it is unable to
update the signatures in time), then mod_md attaches that outdated data to the
SSL handshake, which leads to error messages in the client. This happens
approximately once per year at some commercial providers, for a few hours.

Better not attach OCSP responses (and actively remove them from cache) when
they have expired.

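The freshness check the report asks for, sketched as an added example (this is not mod_md code and not from the reporter): a cached response is stapled only while the current time lies inside its thisUpdate/nextUpdate window, and a stale entry is evicted so it is never reused. The struct, the function names, the 300-second skew allowance and the choice not to staple a response without nextUpdate are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <time.h>

#define SKEW_SECS 300 /* assumed clock-skew allowance, not a mod_md setting */

/* Hypothetical cache entry; the two times come from the OCSP SingleResponse. */
typedef struct {
    const unsigned char *der; /* DER-encoded OCSP response, NULL if empty */
    size_t der_len;
    time_t this_update;
    time_t next_update;       /* 0 when the responder sent no nextUpdate */
} staple_entry;

/* Return 1 only if the response is inside its validity window at `now`. */
int staple_is_fresh(const staple_entry *e, time_t now)
{
    if (e->der == NULL || e->der_len == 0)
        return 0;
    if (e->this_update > now + SKEW_SECS) /* not yet valid, beyond skew */
        return 0;
    if (e->next_update == 0 || e->next_update < e->this_update)
        return 0;                         /* no expiry stated, or bad window */
    return now < e->next_update;          /* strict: expired means no staple */
}

/* Pick the response for a handshake; evict a stale entry from the cache. */
const unsigned char *staple_select(staple_entry *e, time_t now, size_t *len)
{
    if (!staple_is_fresh(e, now)) {
        e->der = NULL;
        e->der_len = 0;
        *len = 0;
        return NULL; /* handshake proceeds without a stapled response */
    }
    *len = e->der_len;
    return e->der;
}

int main(void)
{
    static const unsigned char der[] = { 0x30, 0x03, 0x0a, 0x01, 0x00 }; /* constructed bytes */
    staple_entry e = { der, sizeof der, 1000, 2000 }; /* constructed times */
    size_t n;
    printf("t=1500 stapled=%d\n", staple_select(&e, 1500, &n) != NULL);
    printf("t=2500 stapled=%d\n", staple_select(&e, 2500, &n) != NULL);
    return 0;
}
```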