Posted to bugs@httpd.apache.org by bu...@apache.org on 2020/02/11 16:26:03 UTC

[Bug 64135] New: OCSP Stapling doesn't handle Keep-Alive responses properly, causing delays/timeouts

https://bz.apache.org/bugzilla/show_bug.cgi?id=64135

            Bug ID: 64135
           Summary: OCSP Stapling doesn't handle Keep-Alive responses
                    properly, causing delays/timeouts
           Product: Apache httpd-2
           Version: 2.4.41
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl
          Assignee: bugs@httpd.apache.org
          Reporter: giovanni@paclan.it
  Target Milestone: ---

Created attachment 37010
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=37010&action=edit
OCSP strace

When httpd(8) sends OCSP requests via mod_ssl and the OCSP server offers the
keep-alive option, the connection is not immediately closed after the OCSP
response; instead the server waits for the keep-alive connection to expire.

In the log file attached, the actual stapling response is received at
1556058446.291592, but the connection isn't closed until 1556058456.291508 (10
seconds later) because of the keep-alive timeout of exactly 10 seconds.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org



Giovanni Bechis <gi...@paclan.it> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |FixedInTrunk


--- Comment #3 from Giovanni Bechis <gi...@paclan.it> ---
You understood perfectly and your diff makes absolute sense.


--- Comment #5 from Giovanni Bechis <gi...@paclan.it> ---
Yes, the patch fixes the issue.


--- Comment #4 from Ruediger Pluem <rp...@apache.org> ---
(In reply to Giovanni Bechis from comment #3)
> You understood perfectly and your diff makes absolute sense.

Can you confirm that the patch fixes your issue?


--- Comment #6 from Ruediger Pluem <rp...@apache.org> ---
Committed to trunk as r1874007.


--- Comment #2 from Ruediger Pluem <rp...@apache.org> ---
(In reply to Giovanni Bechis from comment #1)
> Created attachment 37011 [details]
> Possible fix
> 
> A possible fix could be to force a connection closure as soon as a correct
> reply from the OCSP server has arrived, not sure if it's done in the correct
> code-path anyway.

Maybe I misunderstood the issue. You are talking about the HTTP connection to
the OCSP server / responder, correct? But the patch disables the keepalive on
the connection to the client (e.g. the browser). If you want to disable the
keepalive on the connection to the OCSP server / have it closed after the
request, IMHO the following patch should do it:

Index: ssl_util_ocsp.c
===================================================================
--- ssl_util_ocsp.c     (revision 1873895)
+++ ssl_util_ocsp.c     (working copy)
@@ -46,6 +46,7 @@
     BIO_printf(bio, "%s%s%s HTTP/1.0\r\n"
                "Host: %s:%d\r\n"
                "Content-Type: application/ocsp-request\r\n"
+               "Connection: close\r\n"
                "Content-Length: %d\r\n"
                "\r\n",
                uri->path ? uri->path : "/",
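Review bot: the added `"Connection: close\r\n"` is redundant on a request whose request line already says HTTP/1.0, where a conforming responder closes after its reply, so a short code comment stating that it is there for responders that hold the connection open regardless would keep the line from being dropped as dead weight in a later cleanup. It is also worth checking that the code reading the reply stops at Content-Length rather than waiting for EOF, since a responder that ignores the header would otherwise still stall the stapling fetch until its keep-alive timeout.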


--- Comment #8 from Ruediger Pluem <rp...@apache.org> ---
(In reply to Christophe JAILLET from comment #7)
> Coming back to it, is this "Connection: close" needed at all?
> We are using HTTP/1.0 here, and it should be closed in all cases.
> 
> Did I miss something? Is there something else lurking around?

It is probably caused by a misconfigured / buggy HTTP server on the OCSP server
side, but I see no harm in adding the "Connection: close" if it helps.
I agree that the normal behavior of the server to an HTTP/1.0 request should be
to close the connection after sending the response.

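The stall described in the report and the "Connection: close" fix discussed in this thread, reproduced as an added example (not code from httpd or from any participant): a constructed loopback responder that answers an HTTP/1.0 request and then holds the connection open for its keep-alive timeout unless asked to close, queried with a mod_ssl-style request three ways. Assumptions: Python 3.8+, a loopback port chosen at runtime, and a placeholder response body instead of a real DER-encoded OCSP response.

```python
import socket
import threading
import time
# Constructed stand-in for a responder that holds the connection open after
# answering an HTTP/1.0 request unless the request said "Connection: close".
HOLD_SECONDS = 2.0                   # the responder's keep-alive timeout
BODY = b"constructed-ocsp-response"  # placeholder, not a real DER response

def _serve_one(conn):
    with conn:
        req = b""
        while b"\r\n\r\n" not in req and (chunk := conn.recv(4096)):
            req += chunk
        if b"\r\n\r\n" not in req:     # client went away before finishing
            return
        conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Type: application/ocsp-response\r\n"
                     b"Content-Length: %d\r\n\r\n%s" % (len(BODY), BODY))
        if b"connection: close" not in req.lower():
            conn.settimeout(HOLD_SECONDS)  # keep-alive: wait for another request
            try:
                conn.recv(1)
            except socket.timeout:
                pass

def start_responder():
    """Start the responder on an ephemeral loopback port; return the port."""
    srv = socket.create_server(("127.0.0.1", 0))
    def loop():
        while True:
            _serve_one(srv.accept()[0])
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def fetch(port, close_header, stop_at_content_length):
    """Send a mod_ssl-style HTTP/1.0 request; return (body, elapsed seconds)."""
    extra = b"Connection: close\r\n" if close_header else b""
    req = (b"POST / HTTP/1.0\r\nHost: 127.0.0.1:%d\r\n"
           b"Content-Type: application/ocsp-request\r\n%s"
           b"Content-Length: 0\r\n\r\n" % (port, extra))
    t0, data = time.monotonic(), b""
    with socket.create_connection(("127.0.0.1", port)) as s:
        s.sendall(req)
        while chunk := s.recv(4096):       # empty chunk means responder closed
            data += chunk
            head, sep, body = data.partition(b"\r\n\r\n")
            if stop_at_content_length and sep:
                want = int(head.lower().split(b"content-length:")[1].split(b"\r\n")[0])
                if len(body) >= want:
                    break
    return data.partition(b"\r\n\r\n")[2], time.monotonic() - t0
```

Reading until EOF without the header waits the full HOLD_SECONDS, which is the delay the strace in the report shows; sending "Connection: close", or stopping once Content-Length bytes have arrived, returns the same body immediately.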



Christophe JAILLET <ch...@wanadoo.fr> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #9 from Christophe JAILLET <ch...@wanadoo.fr> ---
Backported to 2.4.x in r1887155.

This is part of 2.4.47.


--- Comment #1 from Giovanni Bechis <gi...@paclan.it> ---
Created attachment 37011
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=37011&action=edit
Possible fix

A possible fix could be to force a connection closure as soon as a correct
reply from the OCSP server has arrived, not sure if it's done in the correct
code-path anyway.


--- Comment #7 from Christophe JAILLET <ch...@wanadoo.fr> ---
Coming back to it, is this "Connection: close" needed at all?
We are using HTTP/1.0 here, and it should be closed in all cases.

Did I miss something? Is there something else lurking around?
