Posted to bugs@httpd.apache.org by bu...@apache.org on 2019/02/13 10:33:38 UTC
[Bug 63171] New: SSLProxy: SSLOCSPResponderCertificateFile not loaded on HTTP to HTTPS proxy
https://bz.apache.org/bugzilla/show_bug.cgi?id=63171
Bug ID: 63171
Summary: SSLProxy: SSLOCSPResponderCertificateFile not loaded on HTTP to HTTPS proxy
Product: Apache httpd-2
Version: 2.4.38
Hardware: PC
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: mod_ssl
Assignee: bugs@httpd.apache.org
Reporter: asf-bugzilla@oneton.nl
Target Milestone: ---
Created attachment 36434
--> https://bz.apache.org/bugzilla/attachment.cgi?id=36434&action=edit
Patch against tag 2.4.38
I have configured an Apache HTTP server as outgoing proxy in order to connect
to an external system using Mutual TLS. I use the SSLProxyEngine to facilitate
this configuration. For the time being, this proxy listens on HTTP. The
external system uses a Comodo-issued certificate. Comodo’s OCSP responder does
not send its certificate, since the OCSP response is signed with the same
certificate as the server certificate. This makes the default OCSP validation
fail.
In order to provide the responder’s certificate to OpenSSL, I have configured a
SSLOCSPResponderCertificateFile in the relevant VirtualHost. However, in this
HTTP to HTTPS setup, the file is never read/used.
I looked at mod_ssl’s sources and observed that the OCSP trusted certificates
are loaded in ssl_util_ocsp.c/ssl_init_ocsp_certificates. This method is
however never called in proxy configuration (see
ssl_engine_init.c/ssl_init_ConfigureServer).
I discovered this problem on an Apachehaus 2.4.37 build for Windows. I
reproduced it on a build from source using 2.4.38 and an AWS Ubuntu 18.04 VM.
Reproduction with 2.4.38:
- ./configure --enable-proxy --enable-ssl --prefix=/opt/apache2
- Copy attached trusted-ca.pem to conf/ssl
- httpd.conf:
  - Enable mod_proxy.so, mod_proxy_http.so, mod_ssl.so
  - Add virtual host below

    <VirtualHost *:80>
        LogLevel ssl:trace5
        SSLProxyEngine On
        SSLProxyProtocol -all +TLSv1.2
        # Verify remote server certificate
        SSLProxyVerify require
        SSLProxyVerifyDepth 2
        # Comodo responder does not accept nonce
        SSLOCSPUseRequestNonce off
        # Certificate chain
        SSLProxyCACertificateFile conf/ssl/trusted-ca.pem
        SSLOCSPResponderCertificateFile conf/ssl/trusted-ca.pem
        ProxyPass / https://oneton.nl/
    </VirtualHost>

- Start the server
- curl http://localhost/
- The server returns a 500 error
- Check the error log. It does not mention “Configuring Trusted OCSP certificates” (which is the debug logging output for ssl_util_ocsp.c/ssl_init_ocsp_certificates)
- Apply attached patch to 2.4.38 source directory (modules/ssl/ssl_engine_init.c)
- Build and install
- Try again, the page is loaded and the error log shows that:
  - Certificates are loaded
  - OCSP lookup succeeds
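As an added example (not code from the bug report or from httpd), the following Python automates the check performed by hand in the steps above: it reads a VirtualHost snippet and an error log written at LogLevel ssl:trace5, and reports the symptom when SSLOCSPResponderCertificateFile is configured for a proxy vhost but the quoted trace line never appears. All configuration and log samples are constructed; only the marker substring is taken from the report.

```python
# Added example (not from the bug report or httpd): automates the reporter's manual check.
# It scans a VirtualHost snippet for the directives that require mod_ssl to load OCSP
# responder certificates, then searches an error log (LogLevel ssl:trace5) for the trace
# line ssl_init_ocsp_certificates emits. Directives present but no trace line is the
# bug 63171 symptom. OCSP_LOAD_MARKER is the substring quoted in the report.
OCSP_LOAD_MARKER = "Configuring Trusted OCSP certificates"


def parse_vhosts(config_text):
    """Return one {directive_lowercase: value} dict per <VirtualHost> block."""
    vhosts, current = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        if line.lower().startswith("<virtualhost"):
            current = {}
        elif line.lower().startswith("</virtualhost"):
            vhosts.append(current)
            current = None
        elif current is not None:
            name, *rest = line.split(None, 1)
            current[name.lower()] = rest[0].strip() if rest else ""
    return vhosts


def needs_ocsp_responder_cert(vhost):
    """True when the vhost proxies over TLS and names a responder certificate file."""
    return (vhost.get("sslproxyengine", "").lower() == "on"
            and bool(vhost.get("sslocsprespondercertificatefile")))


def ocsp_certs_loaded(log_lines):
    """True if any error-log line carries the ssl_init_ocsp_certificates trace message."""
    return any(OCSP_LOAD_MARKER in line for line in log_lines)


def diagnose(config_text, log_lines):
    """'not-applicable', 'ok', or 'responder-cert-not-loaded' (the bug 63171 symptom)."""
    if not any(needs_ocsp_responder_cert(v) for v in parse_vhosts(config_text)):
        return "not-applicable"
    return "ok" if ocsp_certs_loaded(log_lines) else "responder-cert-not-loaded"


# Constructed sample input: a cut-down version of the reporter's vhost plus two invented
# error-log excerpts (only the marker substring is taken from the report).
SAMPLE_VHOST = """<VirtualHost *:80>
    SSLProxyEngine On
    SSLOCSPResponderCertificateFile conf/ssl/trusted-ca.pem
    ProxyPass / https://oneton.nl/
</VirtualHost>"""
LOG_UNPATCHED = ["[ssl:info] Init: Initializing (virtual) servers for SSL"]
LOG_PATCHED = LOG_UNPATCHED + ["[ssl:debug] Configuring Trusted OCSP certificates"]
```

Run it against the real error log after an upgrade to confirm the responder file is now picked up for the proxy vhost.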
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 63171] SSLProxy: SSLOCSPResponderCertificateFile not loaded on HTTP to HTTPS proxy
Konrad Botor <kb...@gmail.com> changed:
What | Removed | Added
-----+---------+-----------------
CC   |         | kbotor@gmail.com
[Bug 63171] SSLProxy: SSLOCSPResponderCertificateFile not loaded on HTTP to HTTPS proxy
--- Comment #1 from Anton Tieleman <as...@oneton.nl> ---
Created attachment 36435
--> https://bz.apache.org/bugzilla/attachment.cgi?id=36435&action=edit
CA file for testing (Comodo RSA root + intermediate)
[Bug 63171] SSLProxy: SSLOCSPResponderCertificateFile not loaded on HTTP to HTTPS proxy
--- Comment #2 from Konrad Botor <kb...@gmail.com> ---
I encountered the same problem with httpd 2.4.41.
Will the patch for this be applied to any future releases?
[Bug 63171] SSLProxy: SSLOCSPResponderCertificateFile not loaded on HTTP to HTTPS proxy
Christophe JAILLET <ch...@wanadoo.fr> changed:
What     | Removed | Added
---------+---------+---------------
Keywords |         | PatchAvailable