Posted to bugs@httpd.apache.org by bu...@apache.org on 2008/10/18 13:56:41 UTC
DO NOT REPLY [Bug 46037] New: Configuration of trusted OCSP
responder certificates
https://issues.apache.org/bugzilla/show_bug.cgi?id=46037
Summary: Configuration of trusted OCSP responder certificates
Product: Apache httpd-2
Version: 2.3-HEAD
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: mod_ssl
AssignedTo: bugs@httpd.apache.org
ReportedBy: steve@openssl.org
Created an attachment (id=22754)
--> (https://issues.apache.org/bugzilla/attachment.cgi?id=22754)
Add OCSPResponderCertificateFile option.
Some OCSP responders are configured to either exclude certificates in the
response or use a certificate chain with no relationship to the CA(s) it covers,
such as a self-signed certificate.
Currently such responders cannot be used with mod_ssl because the responder
certificate will fail verification.
The attached patch fixes this issue by adding a new
OCSPResponderCertificateFile option which contains PEM format certificates
which are directly trusted.
Question: is the initialisation and freeing in ssl_engine_init.c an appropriate
place?
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 46037] Configuration of trusted OCSP responder certificates
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=46037
--- Comment #3 from Dennis Wilson <dr...@gmail.com> ---
Created attachment 30622
--> https://issues.apache.org/bugzilla/attachment.cgi?id=30622&action=edit
Capability to Trust OCSP Responder Self-Signed Certificates
[Bug 46037] Configuration of trusted OCSP responder certificates
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=46037
Jeremy Faircloth <je...@faircloths.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |jeremy@faircloths.com
[Bug 46037] Configuration of trusted OCSP responder certificates
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=46037
dedecker@etud.insa-toulouse.fr changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |NEEDINFO
--- Comment #5 from dedecker@etud.insa-toulouse.fr ---
Hello,
I need this patch to use my own OCSP responder, which signs responses with its
own self-signed certificate, and I see that this bug is not yet fixed.
(There is no SSLOCSPResponderCertificateFile directive.)
Is there a possibility to get a binary of an Apache 2.4 fixed with this patch?
DO NOT REPLY [Bug 46037] Configuration of trusted OCSP responder
certificates
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=46037
--- Comment #2 from Stefan Fritsch <sf...@sfritsch.de> 2011-06-19 18:26:09 UTC ---
As a reminder: AIUI, r1137398 (Don't do OCSP checks for valid self-issued
certs) needs to be changed if this patch is committed.
[Bug 46037] Configuration of trusted OCSP responder certificates
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=46037
--- Comment #4 from Dennis Wilson <dr...@gmail.com> ---
This patch adds the capability to trust an OCSP responder certificate. This is
similar to the openssl -VAfile option. This patch is a modification of the
original submitted patch from 2008 so that it works with Apache 2.4.4. Prior
to this we used a third-party module, but this allows Apache to accomplish the
same thing, eliminating the need for the third-party module.
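Added example (not part of the bug thread or the attached patches): the verification failure described in the original report and the -VAfile behaviour mentioned in comment #4, reproduced offline with the openssl ocsp command. The CA, the responder ("VA") certificate, the serial number and all file names are throwaway values constructed for the demo.

```sh
#!/bin/sh
# Added example. All keys, certificates and names are throwaway values
# generated locally (constructed sample data, not from the bug report).

# Create in directory $1: a CA, an unrelated self-signed responder
# certificate ("VA"), and an OCSP response for serial 01 signed by the VA.
make_fixture() (
  cd "$1" || exit 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo CA" \
    -keyout ca.key -out ca.pem 2>/dev/null || exit 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo VA" \
    -keyout va.key -out va.pem 2>/dev/null || exit 1
  # One-line CA database in "openssl ca" index format: serial 01 is Valid.
  printf 'V\t391231235959Z\t\t01\tunknown\t/CN=leaf.example\n' > index.txt
  openssl ocsp -issuer ca.pem -serial 1 -no_nonce -reqout req.der \
    >/dev/null 2>&1
  openssl ocsp -index index.txt -CA ca.pem -rsigner va.pem -rkey va.key \
    -reqin req.der -respout resp.der >/dev/null 2>&1
  [ -s resp.der ]
)

# True only when openssl reports the response signature as verified.
# Usage: verify_resp DIR [extra "openssl ocsp" options]
verify_resp() {
  vdir=$1; shift
  openssl ocsp -respin "$vdir/resp.der" -CAfile "$vdir/ca.pem" "$@" 2>&1 |
    grep -q "Response verify OK"
}

dir=$(mktemp -d) || exit 1
trap 'rm -rf "$dir"' EXIT
make_fixture "$dir" || { echo "fixture generation failed" >&2; exit 1; }

# 1. Responder cert does not chain to the CA store: verification fails,
#    which is the situation the bug report describes for mod_ssl.
if verify_resp "$dir"; then echo "CA store only: OK"
else echo "CA store only: verify failure"; fi

# 2. Responder cert named as directly trusted: the signature check suffices.
if verify_resp "$dir" -VAfile "$dir/va.pem"; then echo "with -VAfile: OK"
else echo "with -VAfile: verify failure"; fi
```

A certificate listed with -VAfile is accepted without any chain validation, so the file should hold only responder certificates obtained out of band and should be writable by administrators only.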
DO NOT REPLY [Bug 46037] Configuration of trusted OCSP responder
certificates
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=46037
--- Comment #1 from Dr Stephen Henson <st...@openssl.org> 2008-10-18 04:59:30 PST ---
Created an attachment (id=22755)
--> (https://issues.apache.org/bugzilla/attachment.cgi?id=22755)
Documentation of SSLOCSPResponderCertificateFile option
[Bug 46037] Configuration of trusted OCSP responder certificates
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=46037
Dennis Wilson <dr...@gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |drwilson66@gmail.com
DO NOT REPLY [Bug 46037] Configuration of trusted OCSP responder
certificates
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=46037
Dr Stephen Henson <st...@openssl.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #22754 description|Add OCSPResponderCertificateFile option. |Add SSLOCSPResponderCertificateFile option.