OCSP Stapling Configuration Setup

Hello,


I am working with OCSP and SSL stapling, and I want to know whether this case is working as expected.


I am trying to connect to Apache, and I have a certificate that is revoked according to the OCSP server. The OCSP server is responding as Revoked, but the connection is not being rejected. This is a case where I would expect the connection to be rejected because the certificate is revoked, but that is not happening.


Does anyone have experience with OCSP and SSL stapling, and is this configured correctly?


Configuration:

Apache 2.4.57
OpenSSL 3.0.8

SSLOCSPEnable on
SSLOCSPDefaultResponder http://x.x.x.x:41233
SSLOCSPOverrideResponder on


Logs:

[Thu Apr 13 10:42:14.734750 2023] [ssl:debug] [pid 1812:tid 139698106267200] ssl_util_ocsp.c(97): [client x.x.x.x:60742] AH01973: connecting to OCSP responder 'x.x.x.x:41233'
[Thu Apr 13 10:42:14.734815 2023] [ssl:debug] [pid 1812:tid 139698106267200] ssl_util_ocsp.c(125): [client x.x.x.x:60742] AH01975: sending request to OCSP responder
[Thu Apr 13 10:42:14.739728 2023] [ssl:debug] [pid 1812:tid 139698106267200] ssl_util_ocsp.c(235): [client x.x.x.x:60742] AH01981: OCSP response header: Content-type: application/ocsp-response
[Thu Apr 13 10:42:14.739751 2023] [ssl:debug] [pid 1812:tid 139698106267200] ssl_util_ocsp.c(235): [client x.x.x.x:60742] AH01981: OCSP response header: Content-Length: 2273
[Thu Apr 13 10:42:14.739756 2023] [ssl:debug] [pid 1812:tid 139698106267200] ssl_util_ocsp.c(283): [client x.x.x.x:60742] AH01987: OCSP response: got 2273 bytes, 2273 total
[Thu Apr 13 10:42:14.741198 2023] [ssl:debug] [pid 1812:tid 139698106267200] ssl_util_stapling.c(575): AH01942: stapling_renew_response: query response received
[Thu Apr 13 10:42:14.741644 2023] [ssl:error] [pid 1812:tid 139698106267200] AH02969: stapling_check_response: response has certificate status revoked (reason: n/a) for serial number xxxx

--
Quintin Ash | Senior Software Engineer
Tenable Network Security
7021 Columbia Gateway Drive, Suite 500
Columbia, MD 21046
qash@xxxxxxxxxxx
W: 443-545-2101 ext. 472
tenable.com
