Posted to bugs@httpd.apache.org by bu...@apache.org on 2008/10/18 13:56:41 UTC

DO NOT REPLY [Bug 46037] New: Configuration of trusted OCSP responder certificates

https://issues.apache.org/bugzilla/show_bug.cgi?id=46037

           Summary: Configuration of trusted OCSP responder certificates
           Product: Apache httpd-2
           Version: 2.3-HEAD
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: steve@openssl.org


Created an attachment (id=22754)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=22754)
Add OCSPResponderCertificateFile option.

Some OCSP responders are configured to either exclude certificates in the
response or use a certificate chain with no relationship to the CA(s) it covers,
such as a self-signed certificate.

Currently such responders cannot be used with mod_ssl because the responder
certificate will fail verification.

The attached patch fixes this issue by adding a new
OCSPResponderCertificateFile option, which contains PEM format certificates
that are directly trusted.

Question: is the initialisation and freeing in ssl_engine_init.c an appropriate
place?


-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


[Bug 46037] Configuration of trusted OCSP responder certificates


--- Comment #3 from Dennis Wilson <dr...@gmail.com> ---
Created attachment 30622
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=30622&action=edit
Capability to Trust OCSP Responder Self-Signed Certificates



[Bug 46037] Configuration of trusted OCSP responder certificates


Jeremy Faircloth <je...@faircloths.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jeremy@faircloths.com



[Bug 46037] Configuration of trusted OCSP responder certificates


dedecker@etud.insa-toulouse.fr changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO

--- Comment #5 from dedecker@etud.insa-toulouse.fr ---
Hello,
I need this patch to use my own OCSP responder, which signs responses with its
own self-signed certificate, and I see that this bug is not yet fixed.
(There is no SSLOCSPResponderCertificateFile directive.)

Is there a possibility to get a binary of Apache 2.4 fixed with this patch?



DO NOT REPLY [Bug 46037] Configuration of trusted OCSP responder certificates


--- Comment #2 from Stefan Fritsch <sf...@sfritsch.de> 2011-06-19 18:26:09 UTC ---
As a reminder: AIUI, r1137398 (Don't do OCSP checks for valid self-issued
certs) needs to be changed if this patch is committed.



[Bug 46037] Configuration of trusted OCSP responder certificates


--- Comment #4 from Dennis Wilson <dr...@gmail.com> ---
This patch adds the capability to trust an OCSP responder certificate.  This is
similar to the openssl -VAfile option.  This patch is a modification of the
original submitted patch from 2008 so that it works with Apache 2.4.4.  Prior
to this we used a third-party module, but this allows Apache to accomplish the
same thing, eliminating the need for the third-party module.

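
The failure mode the report describes (a responder signing with a self-signed certificate that has no chain to the CA) and the openssl -VAfile behaviour comment #4 compares the patch to, reproduced with the openssl CLI as an added example; this is not code from the bug thread or from the httpd patch. It builds a throwaway CA, a leaf certificate, and an unrelated self-signed responder certificate, has the responder answer a status request, then verifies the stored response first trusting only the CA and then also trusting the responder certificate directly. All subjects, file names and the temp directory are constructed; the only assumption is an openssl binary on PATH.

```sh
#!/bin/sh
# Added example (not from bug 46037 or httpd): a responder whose self-signed cert
# has no chain to the issuing CA fails verification against the CA alone; trusting
# that cert directly (openssl -VAfile) is what the proposed directive gives mod_ssl.
set -eu
WORK=$(mktemp -d)            # every certificate below is constructed here at run time
trap 'rm -rf "$WORK"' EXIT
# CA, a leaf certificate it issued, and an unrelated self-signed responder cert.
build_pki() {
  cd "$WORK"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed CA" \
    -keyout ca.key -out ca.crt 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=server.example" \
    -keyout ee.key -out ee.csr 2>/dev/null
  openssl x509 -req -days 1 -in ee.csr -CA ca.crt -CAkey ca.key \
    -set_serial 1000 -out ee.crt 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Standalone OCSP Responder" -keyout resp.key -out resp.crt 2>/dev/null
  # 'openssl ocsp -index' reads a CA-style db: status, expiry, revoked, serial, file, DN
  serial=$(openssl x509 -in ee.crt -noout -serial | cut -d= -f2)
  printf 'V\t491231235959Z\t\t%s\tunknown\t/CN=server.example\n' "$serial" >index.txt
}
# Responder side: answer a status request for ee.crt, signed with resp.key.
make_response() {
  cd "$WORK"
  openssl ocsp -index index.txt -CA ca.crt -rsigner resp.crt -rkey resp.key \
    -issuer ca.crt -cert ee.crt -respout resp.der -noverify >/dev/null 2>&1
}
# Client side: verify resp.der trusting the CA only ($1 empty) or also a file of
# directly trusted responder certificates ($1). Echoes OK or FAIL.
verify_response() {
  trusted=${1:-}
  cd "$WORK"
  # -no_nonce: a fresh request nonce would not match the stored response
  set -- -respin resp.der -CAfile ca.crt -issuer ca.crt -cert ee.crt -no_nonce
  if [ -n "$trusted" ]; then
    set -- "$@" -VAfile "$trusted"
  fi
  if openssl ocsp "$@" 2>&1 | grep -q "Response verify OK"; then
    echo OK
  else
    echo FAIL
  fi
}
build_pki
make_response
echo "CA only:              $(verify_response "")"       # FAIL
echo "CA + responder cert:  $(verify_response resp.crt)" # OK
```

Run it with -CAfile pointing at the CA that actually issued the leaf; swapping in a real responder certificate for resp.crt shows whether that responder would need direct trust in mod_ssl.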


DO NOT REPLY [Bug 46037] Configuration of trusted OCSP responder certificates


--- Comment #1 from Dr Stephen Henson <st...@openssl.org>  2008-10-18 04:59:30 PST ---
Created an attachment (id=22755)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=22755)
Documentation of SSLOCSPResponderCertificateFile option




[Bug 46037] Configuration of trusted OCSP responder certificates


Dennis Wilson <dr...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |drwilson66@gmail.com



DO NOT REPLY [Bug 46037] Configuration of trusted OCSP responder certificates


Dr Stephen Henson <st...@openssl.org> changed:

           What    |Removed                                 |Added
----------------------------------------------------------------------------
  Attachment #22754|Add OCSPResponderCertificateFile option.|Add SSLOCSPResponderCertificateFile option.
        description|                                        |
