——————————————————————————
Quintin Ash | Senior Software Engineer
Tenable Network Security
7021 Columbia Gateway Drive, Suite 500
Columbia, MD 21046
W: 443-545-2101 ext. 472
El lun, 17 abr 2023 a las 17:29, Quintin Ash (<qash@xxxxxxxxxxx>) escribió:*** CAUTION: This email was sent from an EXTERNAL source. Think before clicking links or opening attachments. ***
Hello,
I am working with OCSP and SSL Stapling and I want to know if this case is working as expected.
I am trying to connect to Apache and I have a certificate that is revoked from the OCSP server. The OCSP server is responding as Revoked, but the connection is not getting rejected. This is a case where I would suspect that the connection should be rejected because the certificate is revoked, but it is not happening.
Does anyone have experience with OCSP and SSL Stapling and is this configured correctly?
Configuration:
Apache 2.4.57
OpenSSL 3.0.8
SSLOCSPEnable on
SSLOCSPDefaultResponder http://x.x.x.x:41233
SSLOCSPOverrideResponder on
Logs:
[Thu Apr 13 10:42:14.734750 2023] [ssl:debug] [pid 1812:tid 139698106267200] ssl_util_ocsp.c(97): [client x.x.x.x:60742] AH01973: connecting to OCSP responder ‘x.x.x.x:41233'
[Thu Apr 13 10:42:14.734815 2023] [ssl:debug] [pid 1812:tid 139698106267200] ssl_util_ocsp.c(125): [client x.x.x.x:60742] AH01975: sending request to OCSP responder
[Thu Apr 13 10:42:14.739728 2023] [ssl:debug] [pid 1812:tid 139698106267200] ssl_util_ocsp.c(235): [client x.x.x.x:60742] AH01981: OCSP response header: Content-type: application/ocsp-response
[Thu Apr 13 10:42:14.739751 2023] [ssl:debug] [pid 1812:tid 139698106267200] ssl_util_ocsp.c(235): [client x.x.x.x:60742] AH01981: OCSP response header: Content-Length: 2273
[Thu Apr 13 10:42:14.739756 2023] [ssl:debug] [pid 1812:tid 139698106267200] ssl_util_ocsp.c(283): [client x.x.x.x:60742] AH01987: OCSP response: got 2273 bytes, 2273 total
[Thu Apr 13 10:42:14.741198 2023] [ssl:debug] [pid 1812:tid 139698106267200] ssl_util_stapling.c(575): AH01942: stapling_renew_response: query response received
[Thu Apr 13 10:42:14.741644 2023] [ssl:error] [pid 1812:tid 139698106267200] AH02969: stapling_check_response: response has certificate status revoked (reason: n/a) for serial number xxxx
——————————————————————————
In the information you provide you are at least missing the Location with:SSLVerifyclient requireDo you have that?--Daniel Ferradal
HTTPD Project
#httpd help at Libera.Chat