Re: ssl stapling error - sectigo

> On 24.04.2019 at 16:22, Hajo Locke <Hajo.Locke@xxxxxx> wrote:
> 
> Hello List,
> 
> Apache is 2.4.39, System is Ubuntu 18.04 and 16.04
> 
> since yesterday evening we have massive mod_ssl problems with ssl stapling:
> 
> Apr 24 11:20:59 myhostname apache2[16094]: [ssl:error] [pid 16094]
> AH01941: stapling_renew_response: responder error
> 
> We had complaints about slow webpages, this forced us to deactivate
> stapling on all our servers.

Sorry to hear that.

> Affected are certificates of sectigo (previously comodo) with ocsp-url
> http://ocsp.sectigo.com
> I can't confirm for other providers, we use comodo/sectigo the most.
> 
> But it seems there is no basic problem on our system/network because I
> can manually confirm ocsp status with openssl on affected machines:
> 
> # openssl ocsp -issuer bundle -cert crt -url http://ocsp.sectigo.com
> WARNING: no nonce in response
> Response verify OK
> crt: good
>         This Update: Apr 22 12:46:48 2019 GMT
>         Next Update: Apr 26 12:46:48 2019 GMT
> 
> I try to figure out on which side problem is. We use basic sslstapling
> directives in /etc/apache2/mods-enabled/ssl.conf
> this is unchanged for months
> 
> SSLUseStapling On
> SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_stapling(2560000)
> SSLStaplingResponderTimeout 5
> SSLStaplingReturnResponderErrors off
> 
> Is there somebody who can confirm this behaviour and explain what happens?

AFAIK, there have been no (intentional) changes regarding OCSP stapling in recent versions. Are you doing the openssl test on the same machine that the affected servers run?

- Stefan
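
An added example, not part of the original thread: a small Python parser for `openssl ocsp` text output like the one quoted above, reporting the certificate status and how long the response stays valid, so a manual query run on each affected host can be compared. The function names, the sample text and the check time are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample, modelled on the openssl output quoted in the thread.
SAMPLE = """\
WARNING: no nonce in response
Response verify OK
crt: good
        This Update: Apr 22 12:46:48 2019 GMT
        Next Update: Apr 26 12:46:48 2019 GMT
"""

def _when(label, text):
    """Return the UTC datetime printed after `label`, or None if absent."""
    m = re.search(rf"{label}: (.+?)\s*$", text, re.M)
    if m is None:
        return None
    # openssl prints English month names; %b assumes the default C locale.
    ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y GMT")
    return ts.replace(tzinfo=timezone.utc)

def parse_ocsp_output(text, now):
    """Summarise `openssl ocsp` text output relative to the time `now` (UTC)."""
    status = re.search(r"^\S+: (good|revoked|unknown)\s*$", text, re.M)
    this_update = _when("This Update", text)
    next_update = _when("Next Update", text)  # optional in OCSP responses
    fresh = this_update is not None and this_update <= now
    if next_update is not None:
        fresh = fresh and now < next_update
    return {
        "verified": "Response verify OK" in text,
        "status": status.group(1) if status else None,
        "this_update": this_update,
        "next_update": next_update,
        "fresh": fresh,
        "seconds_left": (int((next_update - now).total_seconds())
                         if next_update else None),
    }

if __name__ == "__main__":
    # Constructed check time inside the sample's validity window.
    now = datetime(2019, 4, 24, 11, 20, 59, tzinfo=timezone.utc)
    for key, value in parse_ocsp_output(SAMPLE, now).items():
        print(f"{key}: {value}")
```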