Hello,
I am working with OCSP and SSL Stapling and I want to know if this case is working as expected.
I am trying to connect to Apache and I have a certificate that is revoked from the OCSP server. The OCSP server is responding as Revoked, but the connection is not getting rejected. This is a case where I would suspect that the connection should be rejected because the certificate is revoked, but it is not happening.
Does anyone have experience with OCSP and SSL Stapling and is this configured correctly?
Configuration:
Apache 2.4.57
OpenSSL 3.0.8
SSLOCSPEnable on
SSLOCSPDefaultResponder http://x.x.x.x:41233
SSLOCSPOverrideResponder on
Logs:
[Thu Apr 13 10:42:14.734750 2023] [ssl:debug] [pid 1812:tid 139698106267200] ssl_util_ocsp.c(97): [client x.x.x.x:60742] AH01973: connecting to OCSP responder ‘x.x.x.x:41233'
[Thu Apr 13 10:42:14.734815 2023] [ssl:debug] [pid 1812:tid 139698106267200] ssl_util_ocsp.c(125): [client x.x.x.x:60742] AH01975: sending request to OCSP responder
[Thu Apr 13 10:42:14.739728 2023] [ssl:debug] [pid 1812:tid 139698106267200] ssl_util_ocsp.c(235): [client x.x.x.x:60742] AH01981: OCSP response header: Content-type: application/ocsp-response
[Thu Apr 13 10:42:14.739751 2023] [ssl:debug] [pid 1812:tid 139698106267200] ssl_util_ocsp.c(235): [client x.x.x.x:60742] AH01981: OCSP response header: Content-Length: 2273
[Thu Apr 13 10:42:14.739756 2023] [ssl:debug] [pid 1812:tid 139698106267200] ssl_util_ocsp.c(283): [client x.x.x.x:60742] AH01987: OCSP response: got 2273 bytes, 2273 total
[Thu Apr 13 10:42:14.741198 2023] [ssl:debug] [pid 1812:tid 139698106267200] ssl_util_stapling.c(575): AH01942: stapling_renew_response: query response received
[Thu Apr 13 10:42:14.741644 2023] [ssl:error] [pid 1812:tid 139698106267200] AH02969: stapling_check_response: response has certificate status revoked (reason: n/a) for serial number xxxx
——————————————————————————
Quintin Ash | Senior Software Engineer
Tenable Network Security
7021 Columbia Gateway Drive, Suite 500
Columbia, MD 21046
W: 443-545-2101 ext. 472
