Posted to bugs@httpd.apache.org by bu...@apache.org on 2014/02/27 02:59:55 UTC
[Bug 56192] New: SSLUseStapling does not work if default host has it disabled
https://issues.apache.org/bugzilla/show_bug.cgi?id=56192
Bug ID: 56192
Summary: SSLUseStapling does not work if default host has it disabled
Product: Apache httpd-2
Version: 2.4.7
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_ssl
Assignee: bugs@httpd.apache.org
Reporter: h.reindl@thelounge.net
Using "SSLUseStapling On" on an SNI vhost does not work if the first SSL-enabled
vhost has "SSLUseStapling Off", for example if the first one has a self-signed
certificate.
You can verify that behavior with https://www.ssllabs.com/ssltest/
Protocol Details -> OCSP stapling: No
Verified with the developer of the SSL test, where I first reported an SNI
problem of the test.
-------- Original Message --------
Subject: Re: [ssllabs-discuss] incorrect SNI usage
Date: Tue, 04 Feb 2014 21:29:30 +0000
From: Ivan Ristic <iv...@gmail.com>
To: ssllabs-discuss@lists.sourceforge.net
On 04/02/2014 18:21, Reindl Harald wrote:
> hi
>
> i just realized "OCSP stapling No" on one of our servers
> well, the reason is "SSLUseStapling Off" on the default
> host which is more or less a honeypot
>
> the vhost which was checked has this value enabled
> after enabling it on the default host -> Yes
>
> both are working fine even with MSIE6 because they use
> the same wildcard-certificate and are in the same domain
My OCSP stapling checks do use SNI, but it's possible that the SNI
information does not match the virtual host.
If you can, please disable OCSP stapling in the default server and send
me the hostname; I will check it
______________________________________
$ openssl s_client -connect secure.thelounge.net:443 -status -servername secure.thelounge.net | grep OCSP
OCSP response: no response sent
I've heard of an Nginx bug that requires OCSP Stapling to be enabled in
the main server and not in a virtual host, but maybe Apache has the same
problem?
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
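
A configuration check for the condition reported above, as an added example that is not part of the bug report or of httpd: it reads Apache configuration text and lists every SSL vhost that sets SSLUseStapling On behind a first (default) SSL vhost on the same address that has it Off. It assumes a single file with no Include directives and SSLEngine set inside each vhost; the function names and the hostnames in the sample are constructed.

```python
import re

# Constructed sample configuration; hostnames are placeholders, not from the report.
SAMPLE_CONF = """\
<VirtualHost *:443>
    ServerName default.example.test
    SSLEngine on
    SSLUseStapling Off
</VirtualHost>
<VirtualHost *:443>
    ServerName secure.example.test
    SSLEngine on
    SSLUseStapling On
</VirtualHost>
"""
FIELDS = {"sslusestapling": "stapling", "sslengine": "ssl", "servername": "name"}

def parse_vhosts(conf):
    """Return (server-level SSLUseStapling, vhost dicts in file order)."""
    server_stapling, vhosts, cur = False, [], None
    for line in (l.strip() for l in conf.splitlines()):
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            cur = {"addr": opened.group(1).strip(), "name": None, "ssl": False, "stapling": None}
        elif line.lower().startswith("</virtualhost"):
            vhosts.append(cur)
            cur = None
        else:
            key, value = (line.split(None, 1) + [""])[:2]
            key, on = key.lower(), value.strip().lower() == "on"
            if key == "sslusestapling" and cur is None:
                server_stapling = on          # server-level default (Off if unset)
            elif cur is not None and key in FIELDS:
                cur[FIELDS[key]] = value.strip() if key == "servername" else on
    return server_stapling, vhosts

def shadowed_stapling(conf):
    """List (vhost, default vhost) pairs where stapling is On behind a default with it Off."""
    server_stapling, vhosts = parse_vhosts(conf)
    first, hits = {}, []
    for v in (v for v in vhosts if v["ssl"]):
        on = server_stapling if v["stapling"] is None else v["stapling"]
        default_name, default_on = first.setdefault(v["addr"], (v["name"], on))
        if on and not default_on:
            hits.append((v["name"], default_name))
    return hits
```

Any pair it returns is a vhost worth re-testing with the `openssl s_client ... -status -servername` check shown in the report.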
[Bug 56192] SSLUseStapling does not work if default host has it disabled
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=56192
Kaspar Brand <as...@velox.ch> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
           Hardware|PC                          |All
         Resolution|---                         |INVALID
                 OS|Linux                       |All
--- Comment #1 from Kaspar Brand <as...@velox.ch> ---
Should be addressed with the fix for this OpenSSL issue:
http://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=3178
It's not yet in any released version of 1.0.0 or 1.0.1, but you could try 1.0.2
Beta 1 (if that doesn't fix the problem, feel free to reopen this bug).