Re: Re: [EXTERNAL] Re: [users@httpd] OCSP Stapling Configuration Setup

Thanks Daniel! I have that enabled. Here are all the relevant settings:
SSLVerifyClient require
SSLVerifyDepth 10
SSLOCSPEnable on
SSLOCSPDefaultResponder http://x.x.x.x:41233
SSLPassPhraseDialog builtin
SSLSessionCache "dbm:/xx/logs/ssl_scache"
SSLSessionCacheTimeout 300
SSLStaplingCache "dbm:/xx/logs/ssl_staplingcache"
SSLFIPS on
SSLOCSPOverrideResponder off
SSLStaplingReturnResponderErrors on

I have added tracing and see that the OCSP is revoked. I guess my question is, if the certificate is revoked, should Apache deny access to the website? Because it is still allowing access even though the OCSP server mentions that it's revoked.

[Mon Apr 24 10:28:03.720807 2023] [ssl:trace3] [pid 211328:tid 140542335710784] ssl_engine_kernel.c(2213): [client xx.xx.xx.xx:53049] OpenSSL: Loop: before SSL initialization
[Mon Apr 24 10:28:03.720819 2023] [ssl:debug] [pid 211328:tid 140542335710784] ssl_engine_kernel.c(2425): [client xx.xx.xx.xx:53049] AH02645: Server name not provided via TLS extension (using default/first virtual host)
[Mon Apr 24 10:28:03.720947 2023] [ssl:debug] [pid 211328:tid 140542335710784] ssl_util_stapling.c(826): AH01951: stapling_cb: OCSP Stapling callback called
[Mon Apr 24 10:28:03.720961 2023] [ssl:debug] [pid 211328:tid 140542335710784] ssl_util_stapling.c(866): AH01952: stapling_cb: retrieved cached certificate data
[Mon Apr 24 10:28:03.721053 2023] [ssl:debug] [pid 211328:tid 140542335710784] ssl_util_stapling.c(341): AH01930: stapling_get_cached_response: cache miss
[Mon Apr 24 10:28:03.721059 2023] [ssl:debug] [pid 211328:tid 140542335710784] ssl_util_stapling.c(875): AH01954: stapling_cb: renewing cached response
[Mon Apr 24 10:28:03.721080 2023] [ssl:debug] [pid 211328:tid 140542335710784] ssl_util_stapling.c(341): AH01930: stapling_get_cached_response: cache miss
[Mon Apr 24 10:28:03.721088 2023] [ssl:debug] [pid 211328:tid 140542335710784] ssl_util_stapling.c(897): AH03238: stapling_cb: still must refresh cached response after obtaining refresh mutex
[Mon Apr 24 10:28:03.721092 2023] [ssl:debug] [pid 211328:tid 140542335710784] ssl_util_stapling.c(502): AH01938: stapling_renew_response: querying responder
[Mon Apr 24 10:28:03.721196 2023] [ssl:debug] [pid 211328:tid 140542335710784] ssl_util_ocsp.c(97): [client xx.xx.xx.xx:53049] AH01973: connecting to OCSP responder 'xx.xx.xx.xx:41233'
[Mon Apr 24 10:28:03.721257 2023] [ssl:debug] [pid 211328:tid 140542335710784] ssl_util_ocsp.c(125): [client xx.xx.xx.xx:53049] AH01975: sending request to OCSP responder
[Mon Apr 24 10:28:03.726650 2023] [ssl:debug] [pid 211328:tid 140542335710784] ssl_util_ocsp.c(235): [client xx.xx.xx.xx:53049] AH01981: OCSP response header: Content-type: application/ocsp-response
[Mon Apr 24 10:28:03.726669 2023] [ssl:debug] [pid 211328:tid 140542335710784] ssl_util_ocsp.c(235): [client xx.xx.xx.xx:53049] AH01981: OCSP response header: Content-Length: 2273
[Mon Apr 24 10:28:03.726674 2023] [ssl:debug] [pid 211328:tid 140542335710784] ssl_util_ocsp.c(283): [client xx.xx.xx.xx:53049] AH01987: OCSP response: got 2273 bytes, 2273 total
[Mon Apr 24 10:28:03.728109 2023] [ssl:debug] [pid 211328:tid 140542335710784] ssl_util_stapling.c(575): AH01942: stapling_renew_response: query response received
[Mon Apr 24 10:28:03.728502 2023] [ssl:error] [pid 211328:tid 140542335710784] AH02969: stapling_check_response: response has certificate status revoked (reason: n/a) for serial number 1001
[Mon Apr 24 10:28:03.728530 2023] [ssl:error] [pid 211328:tid 140542335710784] AH01929: stapling_cache_response: OCSP response session store error!
[Mon Apr 24 10:28:03.728535 2023] [ssl:error] [pid 211328:tid 140542335710784] AH01945: stapling_renew_response: error caching response!
[Mon Apr 24 10:28:03.728541 2023] [ssl:debug] [pid 211328:tid 140542335710784] ssl_util_stapling.c(905): AH03040: stapling_cb: success renewing response
[Mon Apr 24 10:28:03.728545 2023] [ssl:debug] [pid 211328:tid 140542335710784] ssl_util_stapling.c(917): AH01956: stapling_cb: setting response
[Mon Apr 24 10:28:03.728559 2023] [ssl:trace3] [pid 211328:tid 140542335710784] ssl_engine_kernel.c(2213): [client xx.xx.xx.xx:53049] OpenSSL: Loop: SSLv3/TLS read client hello
[Mon Apr 24 10:28:03.728739 2023] [ssl:trace3] [pid 211328:tid 140542335710784] ssl_engine_kernel.c(2213): [client xx.xx.xx.xx:53049] OpenSSL: Loop: SSLv3/TLS write server hello
[Mon Apr 24 10:28:03.728790 2023] [ssl:trace3] [pid 211328:tid 140542335710784] ssl_engine_kernel.c(2213): [client xx.xx.xx.xx:53049] OpenSSL: Loop: SSLv3/TLS write change cipher spec
[Mon Apr 24 10:28:03.728802 2023] [ssl:trace3] [pid 211328:tid 140542335710784] ssl_engine_kernel.c(2213): [client xx.xx.xx.xx:53049] OpenSSL: Loop: TLSv1.3 write encrypted extensions
[Mon Apr 24 10:28:03.728817 2023] [ssl:trace3] [pid 211328:tid 140542335710784] ssl_engine_kernel.c(2213): [client xx.xx.xx.xx:53049] OpenSSL: Loop: SSLv3/TLS write certificate request
[Mon Apr 24 10:28:03.729100 2023] [ssl:trace6] [pid 211328:tid 140542335710784] ssl_engine_io.c(218): [client xx.xx.xx.xx:53049] bio_filter_out_write: 4096 bytes

——————————————————————————




Quintin Ash | Senior Software Engineer

Tenable Network Security

7021 Columbia Gateway Drive, Suite 500

Columbia, MD 21046

qash@xxxxxxxxxxx

W: 443-545-2101 ext. 472

tenable.com



On Tue, Apr 18, 2023 at 7:21 PM Daniel Ferradal <dferradal@xxxxxxxxxx> wrote:





On Mon, 17 Apr 2023 at 21:19, Quintin Ash (<qash@xxxxxxxxxxx>) wrote:
Yes I have that as well
SSLVerifyClient require
SSLVerifyDepth 10

I also have FIPS enabled (not sure if that matters).




Well, it should be working if everything is in the right place.

Increase debug level to trace7 and check the mod_ssl traces to see what is really going on.

You can do this with LogLevel ssl:trace7

It is a good practice to share the configuration you have within its own context; you can see what you really have, we can't. As in, you could have SSLVerifyClient require in one path and the request going to another, and then that directive has no effect, etc.

Also turn "SSLOCSPOverrideResponder off" for these tests.

 
--
Daniel Ferradal
HTTPD Project
#httpd help at Libera.Chat
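As an added example (not code from either poster, and not part of the httpd project), here is a small Python script that parses error_log records of the shape posted at the top of this thread and reports the OCSP stapling events a reviewer would look for: the AH02969 "certificate status revoked" message, the AH01929/AH01945 cache errors, and whether the stapling callback went on to set a response (AH01956) and the handshake continued afterwards. The sample records are copied from the trace above (with the placeholder addresses kept) plus one deliberately unparsable line; the regex is an assumption based on the mod_ssl log format visible in those lines, and the AH codes are the ones that appear in the trace.

```python
import re
from dataclasses import dataclass, field

# One Apache 2.4 error_log record as written by mod_ssl. The "file.c(line):"
# and "[client ip:port]" parts are optional because mod_ssl omits them on some
# messages (compare the AH02969 line with the AH01973 line in the trace).
# Regex assumed from the posted lines, not taken from httpd sources.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>\w+):(?P<level>\w+)\] "
    r"\[pid (?P<pid>\d+):tid (?P<tid>\d+)\] "
    r"(?:(?P<src>\w+\.c\(\d+\)): )?"
    r"(?:\[client (?P<client>[^\]]+)\] )?"
    r"(?:(?P<ah>AH\d{5}): )?"
    r"(?P<msg>.*)$"
)

# Payload of the AH02969 message: status, reason and serial of the stapled cert.
REVOKED_RE = re.compile(
    r"response has certificate status (?P<status>\w+) "
    r"\(reason: (?P<reason>[^)]*)\) for serial number (?P<serial>\w+)"
)

# Message ids that matter for this diagnosis (all present in the trace above).
AH_REVOKED_STATUS = "AH02969"   # stapling_check_response: status not "good"
AH_CACHE_STORE_ERR = "AH01929"  # stapling_cache_response: session store error
AH_CACHE_RENEW_ERR = "AH01945"  # stapling_renew_response: error caching response
AH_SET_RESPONSE = "AH01956"     # stapling_cb: setting response (handed to OpenSSL)
LOOP_PREFIX = "OpenSSL: Loop: " # handshake state transitions at trace3


def parse_line(line):
    """Return the named groups of one error_log record, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


@dataclass
class StaplingReport:
    parsed: int = 0
    unparsed: int = 0
    revoked: list = field(default_factory=list)          # (serial, reason) pairs
    cache_errors: int = 0
    response_set_after_revoked: bool = False
    handshake_steps_after_revoked: list = field(default_factory=list)


def analyze(lines):
    """Walk the records in order and collect the stapling-related findings."""
    rep = StaplingReport()
    seen_revoked = False
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            rep.unparsed += 1
            continue
        rep.parsed += 1
        ah, msg = rec["ah"], rec["msg"]
        if ah == AH_REVOKED_STATUS:
            m = REVOKED_RE.search(msg)
            if m and m.group("status") == "revoked":
                rep.revoked.append((m.group("serial"), m.group("reason")))
                seen_revoked = True
        elif ah in (AH_CACHE_STORE_ERR, AH_CACHE_RENEW_ERR):
            rep.cache_errors += 1
        elif ah == AH_SET_RESPONSE and seen_revoked:
            # A response was still handed to OpenSSL after the revoked status.
            rep.response_set_after_revoked = True
        elif seen_revoked and msg.startswith(LOOP_PREFIX):
            rep.handshake_steps_after_revoked.append(msg[len(LOOP_PREFIX):])
    return rep


# Constructed sample: records copied from the trace in this thread, plus one junk line.
SAMPLE_LOG = [
    "[Mon Apr 24 10:28:03.720947 2023] [ssl:debug] [pid 211328:tid 140542335710784] ssl_util_stapling.c(826): AH01951: stapling_cb: OCSP Stapling callback called",
    "[Mon Apr 24 10:28:03.721092 2023] [ssl:debug] [pid 211328:tid 140542335710784] ssl_util_stapling.c(502): AH01938: stapling_renew_response: querying responder",
    "[Mon Apr 24 10:28:03.721196 2023] [ssl:debug] [pid 211328:tid 140542335710784] ssl_util_ocsp.c(97): [client xx.xx.xx.xx:53049] AH01973: connecting to OCSP responder 'xx.xx.xx.xx:41233'",
    "[Mon Apr 24 10:28:03.728502 2023] [ssl:error] [pid 211328:tid 140542335710784] AH02969: stapling_check_response: response has certificate status revoked (reason: n/a) for serial number 1001",
    "[Mon Apr 24 10:28:03.728530 2023] [ssl:error] [pid 211328:tid 140542335710784] AH01929: stapling_cache_response: OCSP response session store error!",
    "[Mon Apr 24 10:28:03.728535 2023] [ssl:error] [pid 211328:tid 140542335710784] AH01945: stapling_renew_response: error caching response!",
    "[Mon Apr 24 10:28:03.728541 2023] [ssl:debug] [pid 211328:tid 140542335710784] ssl_util_stapling.c(905): AH03040: stapling_cb: success renewing response",
    "[Mon Apr 24 10:28:03.728545 2023] [ssl:debug] [pid 211328:tid 140542335710784] ssl_util_stapling.c(917): AH01956: stapling_cb: setting response",
    "[Mon Apr 24 10:28:03.728559 2023] [ssl:trace3] [pid 211328:tid 140542335710784] ssl_engine_kernel.c(2213): [client xx.xx.xx.xx:53049] OpenSSL: Loop: SSLv3/TLS read client hello",
    "[Mon Apr 24 10:28:03.728739 2023] [ssl:trace3] [pid 211328:tid 140542335710784] ssl_engine_kernel.c(2213): [client xx.xx.xx.xx:53049] OpenSSL: Loop: SSLv3/TLS write server hello",
    "[Mon Apr 24 10:28:03.728817 2023] [ssl:trace3] [pid 211328:tid 140542335710784] ssl_engine_kernel.c(2213): [client xx.xx.xx.xx:53049] OpenSSL: Loop: SSLv3/TLS write certificate request",
    "not an error_log record at all",
]

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print(f"parsed={report.parsed} unparsed={report.unparsed}")
    for serial, reason in report.revoked:
        print(f"REVOKED: serial {serial} (reason: {reason})")
    print(f"stapling cache errors: {report.cache_errors}")
    print(f"response set after revoked status: {report.response_set_after_revoked}")
    print("handshake continued through:", ", ".join(report.handshake_steps_after_revoked))
```

Run against a real log with `analyze(open("/path/to/error_log"))` after setting `LogLevel ssl:trace3` or higher, as suggested earlier in the thread. Two points worth keeping in mind when reading the output: the stapling callback (`stapling_cb`) reports the OCSP status of the server's own certificate, which is what the client sees in the stapled response, whereas revocation checking of client certificates presented under `SSLVerifyClient` is governed by `SSLOCSPEnable` and is logged by different messages; and `openssl s_client -connect host:port -status` shows what the server actually staples to a connecting client, which is the quickest way to confirm whether a revoked response is being sent.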
