https://bz.apache.org/bugzilla/show_bug.cgi?id=60182
Bug ID: 60182
Summary: SSLStaplingFakeTryLater Deviates From Documented Behavior of Only Being Effective When SSLStaplingReturnResponderErrors is On
Product: Apache httpd-2
Version: 2.4.23
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_ssl
Assignee: [email protected]
Reporter: [email protected]
In modules/ssl/ssl_util_stapling.c, the following code is used to determine
whether to throw an OCSP TryLater failure:
    *prsp = modssl_dispatch_ocsp_request(&uri,
                                         mctx->stapling_responder_timeout,
                                         req, conn, vpool);
    apr_pool_destroy(vpool);
    if (!*prsp) {
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01941)
                     "stapling_renew_response: responder error");
        if (mctx->stapling_fake_trylater) {
            *prsp = OCSP_response_create(OCSP_RESPONSE_STATUS_TRYLATER, NULL);
        }
        else {
            goto done;
        }
    }
The mctx->stapling_fake_trylater flag corresponds to the configuration option
SSLStaplingFakeTryLater. Per
< https://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslstaplingfaketrylater >:

    Only effective if SSLStaplingReturnResponderErrors is also enabled.

However, the configuration variable SSLStaplingReturnResponderErrors is not
referenced in the above code. As a result, the fake TryLater is sent if
SSLStaplingFakeTryLater is either enabled or non-existent in the configuration
file, regardless of the presence or absence of SSLStaplingReturnResponderErrors.
This causes connectivity issues with Firefox when, say, DNS for the OCSP
responder fails.
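The mismatch the report describes, modelled as a small added example (this is not mod_ssl source and not code from the reporter): one function reproduces the decision the quoted snippet makes once modssl_dispatch_ocsp_request() has returned NULL, the other the decision the documentation describes, and a table walk shows the single directive combination on which they disagree. The outcome names, the struct and the function names are this example's own; the reporter's case treats an unset SSLStaplingFakeTryLater as "on", following the report's statement that an absent directive still triggers the fake response.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added model (not mod_ssl source): what happens after
 * modssl_dispatch_ocsp_request() returns NULL, under the code the report
 * quotes and under the documented rule. Outcome names are this example's own. */
typedef enum {
    STAPLE_NONE,          /* *prsp stays NULL: nothing is stapled */
    STAPLE_FAKE_TRYLATER  /* a synthesized tryLater OCSP response is stapled */
} staple_outcome;

typedef struct {
    bool fake_trylater;            /* SSLStaplingFakeTryLater */
    bool return_responder_errors;  /* SSLStaplingReturnResponderErrors */
} stapling_config;

/* The quoted code: only mctx->stapling_fake_trylater is consulted. */
staple_outcome actual_on_responder_error(const stapling_config *cfg)
{
    if (cfg->fake_trylater)
        return STAPLE_FAKE_TRYLATER;
    return STAPLE_NONE;  /* the "goto done" branch */
}

/* The documented rule: FakeTryLater is only effective when
 * ReturnResponderErrors is also on. */
staple_outcome documented_on_responder_error(const stapling_config *cfg)
{
    if (cfg->fake_trylater && cfg->return_responder_errors)
        return STAPLE_FAKE_TRYLATER;
    return STAPLE_NONE;
}

static const char *outcome_name(staple_outcome o)
{
    return o == STAPLE_FAKE_TRYLATER ? "fake tryLater stapled" : "nothing stapled";
}

/* Walks all four directive combinations, prints a comparison table and
 * returns how many rows the code and the documentation disagree on. */
int count_mismatches(void)
{
    int mismatches = 0;
    for (int f = 0; f < 2; f++) {
        for (int r = 0; r < 2; r++) {
            stapling_config cfg = { f == 1, r == 1 };
            staple_outcome a = actual_on_responder_error(&cfg);
            staple_outcome d = documented_on_responder_error(&cfg);
            printf("FakeTryLater=%-3s ReturnResponderErrors=%-3s  code: %-22s docs: %-22s%s\n",
                   cfg.fake_trylater ? "on" : "off",
                   cfg.return_responder_errors ? "on" : "off",
                   outcome_name(a), outcome_name(d),
                   a != d ? "  <-- mismatch" : "");
            if (a != d)
                mismatches++;
        }
    }
    return mismatches;
}

/* The reporter's case: SSLStaplingReturnResponderErrors off and
 * SSLStaplingFakeTryLater left unset, which the report says behaves as on
 * (assumption taken from the report). Returns true when the quoted code
 * staples the fake response although the documentation says it should not. */
bool reporter_case_deviates(void)
{
    stapling_config cfg = { true, false };
    return actual_on_responder_error(&cfg) == STAPLE_FAKE_TRYLATER
        && documented_on_responder_error(&cfg) == STAPLE_NONE;
}

int main(void)
{
    int n = count_mismatches();
    printf("%d of 4 configurations differ; reporter's case deviates: %s\n",
           n, reporter_case_deviates() ? "yes" : "no");
    return 0;
}
```

Only the row with FakeTryLater on and ReturnResponderErrors off differs, which is exactly the configuration an administrator reaches by switching SSLStaplingReturnResponderErrors off and leaving SSLStaplingFakeTryLater alone: the client still receives a stapled tryLater status instead of no staple at all.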