Posted to bugs@httpd.apache.org by bu...@apache.org on 2011/02/09 10:13:11 UTC

DO NOT REPLY [Bug 50740] New: Enable OCSP Stapling by default

https://issues.apache.org/bugzilla/show_bug.cgi?id=50740

           Summary: Enable OCSP Stapling by default
           Product: Apache httpd-2
           Version: 2.3-HEAD
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: mod_ssl
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: rob@comodo.com


Currently, OCSP Stapling is disabled by default.  To enable it, the
"SSLUseStapling On" directive must be added to the config, along with another
directive that enables an OCSP Stapling Cache.

OCSP Stapling benefits pretty much everyone:
  - End-users: Improved privacy and faster SSL/TLS handshakes, because the
client software does not need to contact a third-party OCSP Responder to get
the current status of the end-entity certificate.
  - CAs: Decreased load, bandwidth requirements and cost for operating an OCSP
Responder infrastructure.
  - Websites: No direct benefits, but they often care about their end-users'
interests.

My concern is that many webmasters will not add the necessary config directives
to enable OCSP Stapling, even though there is no downside to enabling it.  I
imagine that many webmasters have probably never even heard of OCSP Stapling!

Therefore, I propose that mod_ssl should enable OCSP Stapling by default,
without any config directives needing to be specified.  (Aside: this would
match the behaviour of IIS 7.x on Windows Vista/2008 Server and newer).

The OCSP Stapling Cache would need to be created automatically with some
sensible default values.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


DO NOT REPLY [Bug 50740] Enable OCSP Stapling by default

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=50740

--- Comment #4 from Koichi Sugimoto <ko...@globalsign.co.jp> 2011-06-07 02:54:31 UTC ---
I've now been investigating whether the stapling works correctly.
The build completed successfully and the apache process was invoked without error.
But when I access the apache via IE8 and firefox 3.5, no OCSP request comes
from the apache.

The browser's behaviour:
IE8 directly requests to the OCSP responder.
Firefox shows "Invalid OCSP signing certificate in OCSP response." and stops
the connection.

The following is my environment:
The version of the apache is httpd-2.3.12-beta.
The openssl version is 1.0.0.
The OS is CentOS 5.

The corresponding configuration has the following fields:
SSLStaplingCache dbm:/tmp/staples
SSLUseStapling on
SSLCACertificateFile "/usr/local/apache_ocsp/conf/server-ca.crt"


The following error log was generated by the apache:
[Mon Jun 06 19:01:50.275314 2011] [ssl:error] [pid 17404:tid 3075525520]
stapling_check_response: response times invalid
[Mon Jun 06 19:01:50.275376 2011] [ssl:error] [pid 17404:tid 3075525520]
stapling_renew_response: error in retreived response!
[Mon Jun 06 19:01:50.275394 2011] [ssl:error] [pid 17404:tid 3075525520]
stapling_cache_response: OCSP response session store error!
[Mon Jun 06 19:01:50.275404 2011] [ssl:error] [pid 17404:tid 3075525520]
stapling_renew_response: error caching response!

After that I've adjusted the machine time, but nothing changed.

Is there any code fix required ?
Or some additional setting ?



DO NOT REPLY [Bug 50740] Enable OCSP Stapling by default

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=50740

--- Comment #13 from Koichi Sugimoto <ko...@globalsign.co.jp> 2011-07-05 09:36:53 UTC ---
Hello Rob,

You are right.
It seems to be a Chrome's bug.
I observed the network packets with Wireshark.
Then, the difference is to send the CA certificate that issued the OCSP signing
certificate.
If the ocsp response does not include the CA certificate in it, then Chrome
sends the ocsp request directly to the OCSP responder.
It has no relation to IIS.


Regards,
Koichi Sugimoto.



DO NOT REPLY [Bug 50740] Enable OCSP Stapling by default

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=50740

--- Comment #8 from Rob Stradling <ro...@comodo.com> 2011-06-13 09:37:51 UTC ---
(In reply to comment #2)
> Does it work?   Does the caching work?  I'd like to see results of people
> testing the code in anger before inflicting it on the masses.

Comodo have setup a test server with OCSP stapling enabled:
https://httpd-2.3-dev.comodoca.com

All seems well.  IE and Opera connect without displaying any warnings.

To confirm that Opera actually recognizes and uses the stapled OCSP Response, I
edited my /etc/hosts file to block access to the OCSP Responder
(ocsp.comodoca.com).  Navigating to the URL above proceeded without error,
whereas navigating to a different server that doesn't have OCSP stapling
enabled caused Opera to complain that the OCSP Responder was unreachable.

Our OCSP Responder software is an in-house Apache C module.



DO NOT REPLY [Bug 50740] Enable OCSP Stapling by default

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=50740

--- Comment #15 from Kai Engert <ka...@kuix.de> 2011-11-08 19:04:45 UTC ---
(a)
I've installed Apache 2.3.14-beta with OCSP stapling enabled at:

https://kuix.de:5143/ - good certificate
https://kuix.de:5144/ - revoked certificate

Thanks to StartCom for providing me with free certificates, and also for
providing a free revocation service.


(b)
Note to other CAs, (as inspired by Gerv's and Joe's recommendation to test
against additional CA vendors):

I'm willing to install additional certificates - good and revoked - at
additional ports on my server.

If you operate a CA trusted by Firefox, your certificates include AIA OCSP, and
you would like to contribute one good and one revoked certificate to me for
free, please get in contact with me, and I will send you two CSRs for
domain/hostname kuix.de


(c)
I've started to enhance the NSS client tools [1] to request, retrieve and dump
OCSP stapling information.

My test against (a) was successful.


(d)
I've performed initial testing using Firefox, based on a work-in-progress patch
[2] that implement OCSP stapling in the NSS library.

My test against (a) was successful.


(e)
I've also tested using "openssl s_client -status ..." but I assume this is the
same test that was performed while developing OCSP stapling support for Apache.


Kai


[1] https://bugzilla.mozilla.org/show_bug.cgi?id=700701
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=360420



DO NOT REPLY [Bug 50740] Enable OCSP Stapling by default

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=50740

--- Comment #11 from Rob Stradling <ro...@comodo.com> 2011-06-24 14:03:14 UTC ---
(In reply to comment #10)
<snip>
> But Chrome 12.0 requests directly to the OCSP responder, even if apache replies
> ocsp response as certificate status.
> I do not know whether it is Chrome's bug or some interoperability problem.

I suspect that this is an issue with Chrome.  Last I heard, support for OCSP
Stapling in Chrome is somewhat patchy and untested.  See
https://bugzilla.mozilla.org/show_bug.cgi?id=360420#c16



[Bug 50740] Enable OCSP Stapling by default

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=50740

Tom Ritter <to...@ritter.vg> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |tom@ritter.vg



[Bug 50740] Enable OCSP Stapling by default

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=50740

Brian Smith <br...@briansmith.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |brian@briansmith.org



[Bug 50740] Enable OCSP Stapling by default

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=50740

Mark Nottingham <mn...@mnot.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mnot@mnot.net



DO NOT REPLY [Bug 50740] Enable OCSP Stapling by default

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=50740

--- Comment #3 from Rob Stradling <ro...@comodo.com> 2011-02-09 04:47:00 EST ---
(In reply to comment #2)
> I'd like to see results of people testing the code in anger before inflicting
> it on the masses.

Don't "the masses" generally avoid development branches (such as 2.3.x)?



DO NOT REPLY [Bug 50740] Enable OCSP Stapling by default

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=50740

Paul Tiemann <is...@ourdetour.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |issues.apache.org@ourdetour
                   |                            |.com



DO NOT REPLY [Bug 50740] Enable OCSP Stapling by default

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=50740

--- Comment #17 from Joe Orton <jo...@redhat.com> 2011-11-16 16:06:54 UTC ---
Thanks a lot Kai!

Yes, if you use shmcb: for the shared cache it is expected that file will not
exist in the filesystem; the filename is used merely as a unique key for the
shared memory segment.

The OCSP response will be renewed whenever it expires from the cache, which
should follow the setting of:

http://httpd.apache.org/docs/2.3/mod/mod_ssl.html#sslsessioncachetimeout
http://httpd.apache.org/docs/2.3/mod/mod_ssl.html#sslstaplingerrorcachetimeout

If you set:

http://httpd.apache.org/docs/2.3/mod/mod_ssl.html#sslstaplingreturnrespondererrors

to "off", it should not staple the "try later" responses, if I am
understanding things correctly.

We don't have any caching across restarts; I'm not sure whether the utility of
that is worth the extra complexity; fetching a new OCSP response should be
cheap anyway.  Perhaps we could have a way to populate the cache at startup, or
else, fail.



DO NOT REPLY [Bug 50740] Enable OCSP Stapling by default

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=50740

--- Comment #16 from Kai Engert <ka...@kuix.de> 2011-11-08 19:12:44 UTC ---
While I said my tests worked fine, let me provide some more details.

I'm using this configuration:
  SSLStaplingCache "shmcb:/home/bpache/local/logs/stapling_scache(512000)"
but I don't see any corresponding file created.

Is this expected?
Do I need to manually initialize it?


Sometimes an OCSP server will reply with "try later", and Apache will send this
status to clients. Maybe that's not helpful, and Apache should rather skip
sending OCSP information.

I think Apache should cache the most recent successful OCSP information it has
retrieved, and save it across server restarts.
I saw that Apache stapled a good response, and after restarting the server, it
stapled a "try later" response.
This might mean that caching is not yet working, or that my configuration is
incorrect.


Question: How often will Apache refresh the OCSP information?



DO NOT REPLY [Bug 50740] Enable OCSP Stapling by default

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=50740

--- Comment #6 from Koichi Sugimoto <ko...@globalsign.co.jp> 2011-06-10 13:10:40 UTC ---
(In reply to comment #5)
> What version of Windows are you using?
> IE8 on XP doesn't support OCSP Stapling.

I used IE8 on Windows 7.

> > Firefox shows "Invalid OCSP signing certificate in OCSP response." and stops
> > the connection.
> No version of Firefox supports OCSP Stapling yet.

OK.
I see.

> > The following error log was generated by the apache:
> > [Mon Jun 06 19:01:50.275314 2011] [ssl:error] [pid 17404:tid 3075525520]
> > stapling_check_response: response times invalid
> I wonder if the "response times invalid" error from Apache and the "Invalid
> OCSP signing certificate" error from Firefox are related.
> Has your OCSP Signing Certificate expired, by any chance?
> Is your httpd-2.3.12-beta server publicly accessible?

Sorry, my server is local only.
I'm sure that the certificate is valid.
But my ocsp responder is integrated type.
  http://www.ietf.org/id/draft-ietf-pkix-rfc2560bis-03.txt

Does the apache support this type of ocsp responder?
The following is the dump of my ocsp response:

E:\Public>openssl asn1parse -in resp.der -inform der -offset 30
    0:d=0  hl=4 l=2297 cons: SEQUENCE
    4:d=1  hl=3 l= 168 cons: SEQUENCE
    7:d=2  hl=2 l=  22 cons: cont [ 2 ]
    9:d=3  hl=2 l=  20 prim: OCTET STRING      [HEX DUMP]:98B84D5851AC6AC878CEF36D603630F42F376AC6
   31:d=2  hl=2 l=  15 prim: GENERALIZEDTIME   :20300610125444Z
   48:d=2  hl=2 l=  88 cons: SEQUENCE
   50:d=3  hl=2 l=  86 cons: SEQUENCE
   52:d=4  hl=2 l=  65 cons: SEQUENCE
   54:d=5  hl=2 l=   9 cons: SEQUENCE
   56:d=6  hl=2 l=   5 prim: OBJECT            :sha1
   63:d=6  hl=2 l=   0 prim: NULL
   65:d=5  hl=2 l=  20 prim: OCTET STRING      [HEX DUMP]:45C673D23D1D36BF2BC964CEDEEAF31633815019
   87:d=5  hl=2 l=  20 prim: OCTET STRING      [HEX DUMP]:98B84D5851AC6AC878CEF36D603630F42F376AC6
  109:d=5  hl=2 l=   8 prim: INTEGER           :233EBDF465BFE99F
  119:d=4  hl=2 l=   0 prim: cont [ 0 ]
  121:d=4  hl=2 l=  15 prim: GENERALIZEDTIME   :20300610125444Z
  138:d=2  hl=2 l=  35 cons: cont [ 1 ]
  140:d=3  hl=2 l=  33 cons: SEQUENCE
  142:d=4  hl=2 l=  31 cons: SEQUENCE
  144:d=5  hl=2 l=   9 prim: OBJECT            :OCSP Nonce
  155:d=5  hl=2 l=  18 prim: OCTET STRING      [HEX DUMP]:0410C4CC2C3B761AB9D2ABEB781E9D5A23C1
  175:d=1  hl=2 l=  13 cons: SEQUENCE
  177:d=2  hl=2 l=   9 prim: OBJECT            :sha1WithRSAEncryption
  188:d=2  hl=2 l=   0 prim: NULL
  190:d=1  hl=4 l= 257 prim: BIT STRING
  451:d=1  hl=4 l=1846 cons: cont [ 0 ]
  455:d=2  hl=4 l=1842 cons: SEQUENCE
  459:d=3  hl=4 l= 984 cons: SEQUENCE
  463:d=4  hl=4 l= 704 cons: SEQUENCE
  467:d=5  hl=2 l=   3 cons: cont [ 0 ]
  469:d=6  hl=2 l=   1 prim: INTEGER           :02
  472:d=5  hl=2 l=   8 prim: INTEGER           :583314EC6A82AAEF
  482:d=5  hl=2 l=  13 cons: SEQUENCE
  484:d=6  hl=2 l=   9 prim: OBJECT            :sha1WithRSAEncryption
  495:d=6  hl=2 l=   0 prim: NULL
  497:d=5  hl=2 l=  71 cons: SEQUENCE
  499:d=6  hl=2 l=  20 cons: SET
  501:d=7  hl=2 l=  18 cons: SEQUENCE
  503:d=8  hl=2 l=   3 prim: OBJECT            :commonName
  508:d=8  hl=2 l=  11 prim: PRINTABLESTRING   :TestRootCA1
  521:d=6  hl=2 l=  13 cons: SET
  523:d=7  hl=2 l=  11 cons: SEQUENCE
  525:d=8  hl=2 l=   3 prim: OBJECT            :organizationalUnitName
  530:d=8  hl=2 l=   4 prim: PRINTABLESTRING   :Test
  536:d=6  hl=2 l=  19 cons: SET
  538:d=7  hl=2 l=  17 cons: SEQUENCE
  540:d=8  hl=2 l=   3 prim: OBJECT            :organizationName
  545:d=8  hl=2 l=  10 prim: PRINTABLESTRING   :GlobalSign
  557:d=6  hl=2 l=  11 cons: SET
  559:d=7  hl=2 l=   9 cons: SEQUENCE
  561:d=8  hl=2 l=   3 prim: OBJECT            :countryName
  566:d=8  hl=2 l=   2 prim: PRINTABLESTRING   :JP
  570:d=5  hl=2 l=  30 cons: SEQUENCE
  572:d=6  hl=2 l=  13 prim: UTCTIME           :080422084249Z
  587:d=6  hl=2 l=  13 prim: UTCTIME           :130421084249Z
  602:d=5  hl=2 l=  78 cons: SEQUENCE
  604:d=6  hl=2 l=  27 cons: SET
  606:d=7  hl=2 l=  25 cons: SEQUENCE
  608:d=8  hl=2 l=   3 prim: OBJECT            :commonName
  613:d=8  hl=2 l=  18 prim: PRINTABLESTRING   :TestSubordinateCA1
  633:d=6  hl=2 l=  13 cons: SET
  635:d=7  hl=2 l=  11 cons: SEQUENCE
  637:d=8  hl=2 l=   3 prim: OBJECT            :organizationalUnitName
  642:d=8  hl=2 l=   4 prim: PRINTABLESTRING   :Test
  648:d=6  hl=2 l=  19 cons: SET
  650:d=7  hl=2 l=  17 cons: SEQUENCE
  652:d=8  hl=2 l=   3 prim: OBJECT            :organizationName
  657:d=8  hl=2 l=  10 prim: PRINTABLESTRING   :GlobalSign
  669:d=6  hl=2 l=  11 cons: SET
  671:d=7  hl=2 l=   9 cons: SEQUENCE
  673:d=8  hl=2 l=   3 prim: OBJECT            :countryName
  678:d=8  hl=2 l=   2 prim: PRINTABLESTRING   :JP
  682:d=5  hl=4 l= 290 cons: SEQUENCE
  686:d=6  hl=2 l=  13 cons: SEQUENCE
  688:d=7  hl=2 l=   9 prim: OBJECT            :rsaEncryption
  699:d=7  hl=2 l=   0 prim: NULL
  701:d=6  hl=4 l= 271 prim: BIT STRING
  976:d=5  hl=3 l= 192 cons: cont [ 3 ]
  979:d=6  hl=3 l= 189 cons: SEQUENCE
  982:d=7  hl=2 l=  29 cons: SEQUENCE
  984:d=8  hl=2 l=   3 prim: OBJECT            :X509v3 Subject Key Identifier
  989:d=8  hl=2 l=  22 prim: OCTET STRING      [HEX DUMP]:041498B84D5851AC6AC878CEF36D603630F42F376AC6
 1013:d=7  hl=2 l=  18 cons: SEQUENCE
 1015:d=8  hl=2 l=   3 prim: OBJECT            :X509v3 Basic Constraints
 1020:d=8  hl=2 l=   1 prim: BOOLEAN           :255
 1023:d=8  hl=2 l=   8 prim: OCTET STRING      [HEX DUMP]:30060101FF020100
 1033:d=7  hl=2 l=  31 cons: SEQUENCE
 1035:d=8  hl=2 l=   3 prim: OBJECT            :X509v3 Authority Key Identifier
 1040:d=8  hl=2 l=  24 prim: OCTET STRING      [HEX DUMP]:30168014ABF0A26A74DD4F49AF8E2A3CBBA2C89BECBA39A1
 1066:d=7  hl=2 l=  17 cons: SEQUENCE
 1068:d=8  hl=2 l=   3 prim: OBJECT            :X509v3 Certificate Policies
 1073:d=8  hl=2 l=  10 prim: OCTET STRING      [HEX DUMP]:300830060604551D2000
 1085:d=7  hl=2 l=  68 cons: SEQUENCE
 1087:d=8  hl=2 l=   3 prim: OBJECT            :X509v3 CRL Distribution Points
 1092:d=8  hl=2 l=  61 prim: OCTET STRING      [HEX DUMP]:303B3039A037A0358633687474703A2F2F67737465636831302E676C6F62616C7369676E2E636F6D2F63726C732F54657374526F6F744341312E63726C
 1155:d=7  hl=2 l=  14 cons: SEQUENCE
 1157:d=8  hl=2 l=   3 prim: OBJECT            :X509v3 Key Usage
 1162:d=8  hl=2 l=   1 prim: BOOLEAN           :255
 1165:d=8  hl=2 l=   4 prim: OCTET STRING      [HEX DUMP]:03020106
 1171:d=4  hl=2 l=  13 cons: SEQUENCE
 1173:d=5  hl=2 l=   9 prim: OBJECT            :sha1WithRSAEncryption
 1184:d=5  hl=2 l=   0 prim: NULL
 1186:d=4  hl=4 l= 257 prim: BIT STRING
 1447:d=3  hl=4 l= 850 cons: SEQUENCE
 1451:d=4  hl=4 l= 570 cons: SEQUENCE
 1455:d=5  hl=2 l=   3 cons: cont [ 0 ]
 1457:d=6  hl=2 l=   1 prim: INTEGER           :02
 1460:d=5  hl=2 l=   8 prim: INTEGER           :10E30DFE5E06C68A
 1470:d=5  hl=2 l=  13 cons: SEQUENCE
 1472:d=6  hl=2 l=   9 prim: OBJECT            :sha1WithRSAEncryption
 1483:d=6  hl=2 l=   0 prim: NULL
 1485:d=5  hl=2 l=  71 cons: SEQUENCE
 1487:d=6  hl=2 l=  20 cons: SET
 1489:d=7  hl=2 l=  18 cons: SEQUENCE
 1491:d=8  hl=2 l=   3 prim: OBJECT            :commonName
 1496:d=8  hl=2 l=  11 prim: PRINTABLESTRING   :TestRootCA1
 1509:d=6  hl=2 l=  13 cons: SET
 1511:d=7  hl=2 l=  11 cons: SEQUENCE
 1513:d=8  hl=2 l=   3 prim: OBJECT            :organizationalUnitName
 1518:d=8  hl=2 l=   4 prim: PRINTABLESTRING   :Test
 1524:d=6  hl=2 l=  19 cons: SET
 1526:d=7  hl=2 l=  17 cons: SEQUENCE
 1528:d=8  hl=2 l=   3 prim: OBJECT            :organizationName
 1533:d=8  hl=2 l=  10 prim: PRINTABLESTRING   :GlobalSign
 1545:d=6  hl=2 l=  11 cons: SET
 1547:d=7  hl=2 l=   9 cons: SEQUENCE
 1549:d=8  hl=2 l=   3 prim: OBJECT            :countryName
 1554:d=8  hl=2 l=   2 prim: PRINTABLESTRING   :JP
 1558:d=5  hl=2 l=  30 cons: SEQUENCE
 1560:d=6  hl=2 l=  13 prim: UTCTIME           :080422083552Z
 1575:d=6  hl=2 l=  13 prim: UTCTIME           :180420083552Z
 1590:d=5  hl=2 l=  71 cons: SEQUENCE
 1592:d=6  hl=2 l=  20 cons: SET
 1594:d=7  hl=2 l=  18 cons: SEQUENCE
 1596:d=8  hl=2 l=   3 prim: OBJECT            :commonName
 1601:d=8  hl=2 l=  11 prim: PRINTABLESTRING   :TestRootCA1
 1614:d=6  hl=2 l=  13 cons: SET
 1616:d=7  hl=2 l=  11 cons: SEQUENCE
 1618:d=8  hl=2 l=   3 prim: OBJECT            :organizationalUnitName
 1623:d=8  hl=2 l=   4 prim: PRINTABLESTRING   :Test
 1629:d=6  hl=2 l=  19 cons: SET
 1631:d=7  hl=2 l=  17 cons: SEQUENCE
 1633:d=8  hl=2 l=   3 prim: OBJECT            :organizationName
 1638:d=8  hl=2 l=  10 prim: PRINTABLESTRING   :GlobalSign
 1650:d=6  hl=2 l=  11 cons: SET
 1652:d=7  hl=2 l=   9 cons: SEQUENCE
 1654:d=8  hl=2 l=   3 prim: OBJECT            :countryName
 1659:d=8  hl=2 l=   2 prim: PRINTABLESTRING   :JP
 1663:d=5  hl=4 l= 290 cons: SEQUENCE
 1667:d=6  hl=2 l=  13 cons: SEQUENCE
 1669:d=7  hl=2 l=   9 prim: OBJECT            :rsaEncryption
 1680:d=7  hl=2 l=   0 prim: NULL
 1682:d=6  hl=4 l= 271 prim: BIT STRING
 1957:d=5  hl=2 l=  66 cons: cont [ 3 ]
 1959:d=6  hl=2 l=  64 cons: SEQUENCE
 1961:d=7  hl=2 l=  29 cons: SEQUENCE
 1963:d=8  hl=2 l=   3 prim: OBJECT            :X509v3 Subject Key Identifier
 1968:d=8  hl=2 l=  22 prim: OCTET STRING      [HEX DUMP]:0414ABF0A26A74DD4F49AF8E2A3CBBA2C89BECBA39A1
 1992:d=7  hl=2 l=  15 cons: SEQUENCE
 1994:d=8  hl=2 l=   3 prim: OBJECT            :X509v3 Basic Constraints
 1999:d=8  hl=2 l=   1 prim: BOOLEAN           :255
 2002:d=8  hl=2 l=   5 prim: OCTET STRING      [HEX DUMP]:30030101FF
 2009:d=7  hl=2 l=  14 cons: SEQUENCE
 2011:d=8  hl=2 l=   3 prim: OBJECT            :X509v3 Key Usage
 2016:d=8  hl=2 l=   1 prim: BOOLEAN           :255
 2019:d=8  hl=2 l=   4 prim: OCTET STRING      [HEX DUMP]:03020106
 2025:d=4  hl=2 l=  13 cons: SEQUENCE
 2027:d=5  hl=2 l=   9 prim: OBJECT            :sha1WithRSAEncryption
 2038:d=5  hl=2 l=   0 prim: NULL
 2040:d=4  hl=4 l= 257 prim: BIT STRING


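The asn1parse dump in comment #6 already shows why mod_ssl logs "response times invalid": producedAt and thisUpdate are both 20300610125444Z, about 19 years ahead of the error_log timestamps, and there is no nextUpdate. stapling_check_response() validates the window with OpenSSL's OCSP_check_validity(), which rejects a thisUpdate that lies more than a small skew allowance in the future, so no adjustment of the web server's clock short of 2030 can make that response pass; the responder's clock or its configured times are what need fixing. The following is an added example, not code from httpd, OpenSSL or the thread: it builds a skeletal, unsigned BasicOCSPResponse in DER from the dump's values, walks it to pull out certStatus, thisUpdate, nextUpdate and the number of certificates carried in the certs field (the item comment #13 found Chrome to require), and applies the same time-window rules. The 60-second skew and maxsec of -1 are assumptions about the parameters mod_ssl passes; the embedded certificates are placeholders and the signature is zeros, so only the structure and the times are realistic.

```python
"""Inspect a stapled BasicOCSPResponse the way a stapling server has to before
caching it: pull certStatus, thisUpdate, nextUpdate and the embedded certificates
out of the DER, then apply the window check OpenSSL's OCSP_check_validity() does.
Added example: not code from httpd, OpenSSL or the bug thread."""
from datetime import datetime, timedelta, timezone

# ---- minimal DER encoder/decoder, written for this example ----
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def seq(*items):
    return tlv(0x30, b"".join(items))

def gtime(text):                      # GeneralizedTime such as 20300610125444Z
    return tlv(0x18, text.encode())

def walk(der, start=0, end=None):
    """Yield (tag, body_start, body_len) for each TLV in der[start:end]."""
    end = len(der) if end is None else end
    while start < end:
        tag, first = der[start], der[start + 1]
        if first < 0x80:
            hl, length = 2, first
        else:
            n = first & 0x7F
            hl, length = 2 + n, int.from_bytes(der[start + 2:start + 2 + n], "big")
        yield tag, start + hl, length
        start += hl + length

def children(der, body_start, body_len):
    return list(walk(der, body_start, body_start + body_len))

def parse_gtime(der, start, length):
    text = der[start:start + length].decode()
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

# ---- build an unsigned BasicOCSPResponse skeleton (RFC 2560 layout) ----
def build_basic_response(produced_at, this_update, next_update=None, n_certs=2):
    sha1, rsa_sha1 = b"\x2b\x0e\x03\x02\x1a", b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05"
    cert_id = seq(seq(tlv(0x06, sha1), tlv(0x05, b"")), tlv(0x04, b"\x45" * 20),
                  tlv(0x04, b"\x98" * 20), tlv(0x02, b"\x23\x3e\xbd\xf4\x65\xbf\xe9\x9f"))
    single = cert_id + tlv(0x80, b"") + gtime(this_update)      # [0] IMPLICIT NULL = good
    if next_update:
        single += tlv(0xA0, gtime(next_update))                  # nextUpdate [0] EXPLICIT
    tbs = seq(tlv(0xA2, tlv(0x04, b"\x98" * 20)),               # responderID byKey
              gtime(produced_at), seq(seq(single)))
    sig_alg = seq(tlv(0x06, rsa_sha1), tlv(0x05, b""))
    signature = tlv(0x03, b"\x00" * 257)                         # zeros: placeholder, not a real signature
    certs = [seq(tlv(0x02, bytes([i + 1]))) for i in range(n_certs)]  # placeholder "certificates"
    if not certs:
        return seq(tbs, sig_alg, signature)
    return seq(tbs, sig_alg, signature, tlv(0xA0, seq(*certs)))  # certs [0] EXPLICIT

def parse_basic_response(der):
    (_, body, body_len), = walk(der)
    tbs, _sig_alg, _signature, *rest = children(der, body, body_len)
    n_certs = 0
    if rest and rest[0][0] == 0xA0:
        (_, cb, cl), = children(der, rest[0][1], rest[0][2])     # SEQUENCE OF Certificate
        n_certs = len(children(der, cb, cl))
    fields = children(der, tbs[1], tbs[2])
    if fields[0][0] == 0xA0:                                     # optional version [0]
        fields = fields[1:]
    _responder_id, produced_at, responses = fields[:3]
    (_, rb, rl), = children(der, responses[1], responses[2])     # first SingleResponse
    parts = children(der, rb, rl)
    cert_status = {0x80: "good", 0xA1: "revoked", 0x82: "unknown"}[parts[1][0]]
    next_update = None
    if len(parts) > 3 and parts[3][0] == 0xA0:
        (_, nb, nl), = children(der, parts[3][1], parts[3][2])
        next_update = parse_gtime(der, nb, nl)
    return {"produced_at": parse_gtime(der, produced_at[1], produced_at[2]),
            "cert_status": cert_status,
            "this_update": parse_gtime(der, parts[2][1], parts[2][2]),
            "next_update": next_update, "certs": n_certs}

def check_validity(this_update, next_update, now, nsec=60, maxsec=-1):
    """Same rules as OpenSSL's OCSP_check_validity(); returns the problems found.
    mod_ssl's stapling_check_response() calls it with a small skew allowance and
    no maximum age (60 s and -1 assumed here) and logs "response times invalid"
    when it fails."""
    problems = []
    if this_update > now + timedelta(seconds=nsec):
        problems.append("status not yet valid")                  # thisUpdate in the future
    if maxsec >= 0 and this_update < now - timedelta(seconds=maxsec):
        problems.append("status too old")
    if next_update is not None:
        if next_update < now - timedelta(seconds=nsec):
            problems.append("status expired")
        if next_update < this_update:
            problems.append("nextUpdate before thisUpdate")
    return problems

def inspect_staple(der, now):
    info = parse_basic_response(der)
    info["problems"] = check_validity(info["this_update"], info["next_update"], now)
    return info

# Values taken from the asn1parse dump above: producedAt and thisUpdate both
# 20300610125444Z, no nextUpdate, two certificates in the certs field.
DUMPED = build_basic_response("20300610125444Z", "20300610125444Z", n_certs=2)
LOG_TIME = datetime(2011, 6, 6, 19, 1, 50, tzinfo=timezone.utc)   # error_log stamp; UTC assumed

if __name__ == "__main__":
    print(inspect_staple(DUMPED, LOG_TIME))
```

Run against the dump's values the check reports only "status not yet valid"; a response with a nextUpdate already behind the server's clock reports "status expired", which is the condition under which mod_ssl goes back to the responder and, if the responder then answers tryLater, stores that instead.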

[Bug 50740] Enable OCSP Stapling by default

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=50740

Ben Wilson <be...@digicert.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ben@digicert.com

--- Comment #19 from Ben Wilson <be...@digicert.com> ---
The Importance of this bug/enhancement needs to be elevated.  It has been over
three years since this was submitted. Current statistics from NetCraft show
that 98% of Apache boxes do not use stapling, whereas 98% of Microsoft boxes
use stapling. The differentiator is whether stapling is on or off by
default--IIS uses OCSP stapling by default. From a policy perspective, OCSP
Stapling is superior for privacy-enhancing and performance reasons because
clients do not have to seek a response from a third party - it comes directly
from the server, which is why it is also a more efficient mechanism. Also, all
major browser platforms support stapling, it is provided in mod-ssl, and
because of these reasons, the number of demands for OCSP stapling
"out-of-the-box" are likely to grow substantially over the next several months.



[Bug 50740] Enable OCSP Stapling by default

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=50740

Björn Jacke <bj...@j3e.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bjoern@j3e.de



DO NOT REPLY [Bug 50740] Enable OCSP Stapling by default

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=50740

--- Comment #1 from Rob Stradling <ro...@comodo.com> 2011-02-09 04:17:29 EST ---
Opinions stated on httpd-dev:

Steve Henson wrote (on 22nd Dec 2010):
"...the code hasn't been tested extensively 'in the field' so there may be
problems that have yet to be uncovered.
My personal opinion would be to, at least initially, require an explicit
directive to enable it and leave the option in future to have it enabled by
default."

Igor Galić replied (on 24th Dec 2010):
"If we want to see more extensive testing in the field, then this is the right
time to make 'On' the default."



DO NOT REPLY [Bug 50740] Enable OCSP Stapling by default

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=50740

--- Comment #10 from Koichi Sugimoto <ko...@globalsign.co.jp> 2011-06-24 13:47:26 UTC ---
Hello Sirs,

I've investigated with Opera 11.11, IE9 and Chrome 12.0.
The OCSP responder is designated type (see below).
  http://tools.ietf.org/id/draft-cooper-pkix-rfc2560bis-00.txt
And the OCSP responder is configured to reply with only the ocsp signing certificate.

IE9 and Opera 11.11 seem to work correctly with apache 2.3.12-beta.
But Chrome 12.0 requests directly to the OCSP responder, even if apache replies
ocsp response as certificate status.
I do not know whether it is Chrome's bug or some interoperability problem.

Note that the size of the ocsp response is > 1K, therefore we cannot use
socache-dbm (it's too small to cache the ocsp response).

We have to check with other types of ocsp responders.


Regards,
Koichi Sugimoto.



DO NOT REPLY [Bug 50740] Enable OCSP Stapling by default

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=50740

--- Comment #9 from Joe Orton <jo...@redhat.com> 2011-06-17 13:44:26 UTC ---
We perhaps need some more logging with the "response times invalid" error path.
 Could you please keep further diagnosis of this problem in a public forum
(either here or dev@ or users@) so we can all follow along, or at least report
progress?

Thanks to both of you for reporting the results of testing so far!



DO NOT REPLY [Bug 50740] Enable OCSP Stapling by default

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=50740

Kai Engert <ka...@kuix.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kaie@kuix.de



DO NOT REPLY [Bug 50740] Enable OCSP Stapling by default


--- Comment #18 from Kai Engert <ka...@kuix.de> 2011-11-28 14:15:09 UTC ---
> If you set:
> 
> http://httpd.apache.org/docs/2.3/mod/mod_ssl.html#sslstaplingreturnrespondererrors
> 
> to "off", it should not staple the "try later" responses, if I am
> understanding things correctly.


Thanks.

This doesn't seem to work as intended. I set it to "off", both at the global
level (near the "Listen" statement) and also inside the VirtualHost section.
Still, I sometimes get the "tryLater" answer (as reported by openssl s_client).


Besides, I wonder whether the default value of SSLStaplingReturnResponderErrors
should rather be "off"?

Clients might refuse to consider stapled errors anyway, because there is the
risk that a MITM staples an error response together with a hacker server cert,
trying to stop the client from getting a newer status.

I think stapling makes most sense for "good and fresh" OCSP information, and
clients should attempt to fetch fresh information on their own, whenever it's
not yet available.


> We don't have any caching across restarts; I'm not sure whether the utility of
> that is worth the extra complexity; fetching a new OCSP response should be
> cheap anyway.  Perhaps we could have a way to populate the cache at startup, or
> else, fail.


I understand that caching is simple for servers that run only a single SSL
server - but I also understand that the configuration options of Apache are
flexible, and allow any number of SSL ports - which creates complexity.

The current behaviour should be OK for the initial release of OCSP stapling by
default.

However, it would be very helpful to find a way to save the OCSP information
across restarts.

One great benefit of OCSP stapling is that it can relax the dependency on the
uptime of OCSP responder servers.

Clients might eventually decide that "fresh and good" OCSP information is
mandatory, even as a default setting in browsers.

Being able to cache the recent OCSP information on the server side would be
highly desired, in order to avoid server unavailability caused by OCSP servers
being temporarily unresponsive.

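An added check, not part of the bug report or of httpd: a small POSIX shell helper that classifies what a server staples, using the same `openssl s_client -status` view Kai reports above, and which also separates the "no response sent" case Koichi saw from a stapled "tryLater" error. The transcripts embedded in it are constructed, trimmed to the lines OpenSSL actually prints; `check_host` and `stapling_status` are names chosen here, not OpenSSL or httpd tooling.

```shell
#!/bin/sh
# Added example; not code from the bug report or from httpd.
# Classify the OCSP status a TLS server staples, as seen in the output of
#   openssl s_client -connect host:443 -servername host -status
# stapling_status reads that output on stdin and prints exactly one word.

stapling_status() {
    out=$(cat)
    case "$out" in
        # Server sent no status_request data at all.
        *'OCSP response: no response sent'*) echo none ;;
        # A successful (0x0) response: look at the per-certificate status.
        *'OCSP Response Status: successful'*)
            case "$out" in
                *'Cert Status: good'*)    echo good ;;
                *'Cert Status: revoked'*) echo revoked ;;
                *)                        echo unknown ;;
            esac ;;
        # A responder error was stapled. This is the "tryLater" case from
        # the thread; SSLStaplingReturnResponderErrors off should suppress it.
        *'OCSP Response Status: trylater'*) echo tryLater ;;
        *'OCSP Response Status: '*)         echo responderError ;;
        # Nothing parseable (handshake failed, OpenSSL without -status, ...).
        *) echo unparsed ;;
    esac
}

# Wrapper for a live host (name chosen here). Needs network; the tests
# below use only the constructed transcripts.
check_host() {
    host=$1; port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -status \
        </dev/null 2>/dev/null | stapling_status
}

# Constructed transcripts, trimmed to the lines s_client prints.
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain'

SAMPLE_GOOD='CONNECTED(00000003)
OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jun  9 12:00:00 2011 GMT
    Next Update: Jun 16 12:00:00 2011 GMT
======================================'

SAMPLE_TRYLATER='CONNECTED(00000003)
OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: trylater (0x3)
======================================'

# Stand-alone use: sh stapling-check.sh www.example.com [port]
if [ "$#" -gt 0 ]; then
    check_host "$@"
fi
```

Run it against the same vhost a few times in a row: a result that flips between `good` and `tryLater` is exactly the symptom described in the comment above, and `none` after a fresh restart is expected until the first responder fetch has populated the cache.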


DO NOT REPLY [Bug 50740] Enable OCSP Stapling by default


--- Comment #2 from Joe Orton <jo...@redhat.com> 2011-02-09 04:26:16 EST ---
Does it work?   Does the caching work?  I'd like to see results of people
testing the code in anger before inflicting it on the masses.



DO NOT REPLY [Bug 50740] Enable OCSP Stapling by default


--- Comment #14 from Rob Stradling <ro...@comodo.com> 2011-07-12 10:14:12 UTC ---
(In reply to comment #13)
> Hello Rob,
> 
> You are right.
> It seems to be a Chrome's bug.

Hi Koichi.  In that case, I suggest you file a bug report here:
https://code.google.com/p/chromium/issues/entry

Have you completed your testing of the OCSP Stapling code in httpd 2.3.x?  Are
you satisfied that it works OK?



DO NOT REPLY [Bug 50740] Enable OCSP Stapling by default


--- Comment #5 from Rob Stradling <ro...@comodo.com> 2011-06-09 12:18:05 UTC ---
(In reply to comment #4)
> I've now been investigating whether the stapling works correctly.
> The build completed successfully and the Apache process started without error.
> But when I access Apache via IE8 and Firefox 3.5, no OCSP request comes
> from Apache.
> 
> The browser's behaviour:
> IE8 directly requests to the OCSP responder.

What version of Windows are you using?
IE8 on XP doesn't support OCSP Stapling.

> Firefox shows "Invalid OCSP signing certificate in OCSP response." and stops
> the connection.

No version of Firefox supports OCSP Stapling yet.

<snip>
> The following error log was generated by the apache:
> [Mon Jun 06 19:01:50.275314 2011] [ssl:error] [pid 17404:tid 3075525520]
> stapling_check_response: response times invalid

I wonder if the "response times invalid" error from Apache and the "Invalid
OCSP signing certificate" error from Firefox are related.

Has your OCSP Signing Certificate expired, by any chance?

Is your httpd-2.3.12-beta server publicly accessible?



DO NOT REPLY [Bug 50740] Enable OCSP Stapling by default


--- Comment #7 from Rob Stradling <ro...@comodo.com> 2011-06-13 09:04:18 UTC ---
(In reply to comment #6)
<snip>
> Sorry, my server is local.
> I'm sure that the certificate is valid.
> But my OCSP responder is the integrated type.
>   http://www.ietf.org/id/draft-ietf-pkix-rfc2560bis-03.txt
> 
> Does Apache support this type of OCSP responder?

Apache shouldn't have any problems with "integrated" Responders.

> The following is the dump of my ocsp response:

Let's reduce bugspam and discuss this via email.



DO NOT REPLY [Bug 50740] Enable OCSP Stapling by default


--- Comment #12 from Koichi Sugimoto <ko...@globalsign.co.jp> 2011-07-04 10:53:48 UTC ---
Hello Rob,

It may not be a simple bug in Chrome.
I also investigated with IIS7.
In that case, Chrome works well.
We have to look more deeply at the difference between IIS and Apache.

Regards,
Koichi Sugimoto.



DO NOT REPLY [Bug 50740] Enable OCSP Stapling by default


Eddy Nigg <ed...@startcom.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |eddy_nigg@startcom.org
