https://bz.apache.org/bugzilla/show_bug.cgi?id=61818
Bug ID: 61818
Summary: OCSP "SSLUseStapling on" completely blocking the
server when something is off with the responder
Product: Apache httpd-2
Version: 2.4.29
Hardware: PC
OS: Mac OS X 10.1
Status: NEW
Severity: normal
Priority: P2
Component: mod_ssl
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
This will be a somewhat fuzzy issue because I don't have much data. Please
accept my apologies for that.
Today our production site went offline because it was impossible to connect to
it using TLS. The httpd error log just showed this error:
AH01941: stapling_renew_response: responder error
without any supporting information. There was no indication that some name
could not be resolved or some IP not be reached.
The server is using the event MPM and pretty quickly all slots were in status
"R" and the server reported:
AH00484: server reached MaxRequestWorkers setting, consider raising the
MaxRequestWorkers setting
and
AH03490: scoreboard is full, not at MaxRequestWorkers.Increase ServerLimit.
Hence, the site was offline.
Our stapling configuration:
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)
I am not an expert but from this configuration and the supporting documentation
I conclude that this situation should never have happened. Even with the OCSP
server not being available it should have just continued without "stapling" the
response.
Hence, this bug report.
Note 1: The certificate in question is issued by GoDaddy EV CA and I could
personally not confirm any issue with their OCSP service.
Note 2: At the same time vhosts using Let's Encrypt certificates still worked
with stapling enabled leading to the conclusion that there was something up
with GoDaddy. However as stated above, the error log did not indicate anything.
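The log pattern described in this report (AH01941 stapling errors followed shortly by AH00484/AH03490 worker exhaustion) can be checked for in an error log. The following is an added example, not part of the original report or of httpd; the sample lines are constructed (only the AH message texts come from the report), and the 120-second correlation window and the default ErrorLogFormat are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the default httpd 2.4 ErrorLogFormat; only the
# AH message texts come from the report, timestamps and pids are made up.
SAMPLE_LOG = """\
[Thu Nov 23 09:14:58.101201 2017] [ssl:error] [pid 411:tid 1] AH01941: stapling_renew_response: responder error
[Thu Nov 23 09:15:03.220114 2017] [ssl:error] [pid 411:tid 2] AH01941: stapling_renew_response: responder error
[Thu Nov 23 09:15:21.530877 2017] [mpm_event:error] [pid 400:tid 9] AH00484: server reached MaxRequestWorkers setting, consider raising the MaxRequestWorkers setting
[Thu Nov 23 09:15:22.000412 2017] [mpm_event:error] [pid 400:tid 9] AH03490: scoreboard is full, not at MaxRequestWorkers.Increase ServerLimit.
[Thu Nov 23 11:40:00.000000 2017] [mpm_event:error] [pid 400:tid 9] AH00484: server reached MaxRequestWorkers setting, consider raising the MaxRequestWorkers setting
""".splitlines()

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] .*?\b(?P<code>AH\d{5}): ")
STAPLING_ERRORS = {"AH01941"}            # stapling_renew_response: responder error
EXHAUSTION = {"AH00484", "AH03490"}      # MaxRequestWorkers reached / scoreboard full

def parse(line):
    """Return (timestamp, AH code) for a log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S.%f %Y")
    except ValueError:
        return None
    return ts, m.group("code")

def find_stapling_stalls(lines, window_seconds=120):
    """Report exhaustion events that follow stapling errors within the window."""
    window = timedelta(seconds=window_seconds)
    recent = []      # timestamps of stapling errors still inside the window
    incidents = []
    for ts, code in filter(None, map(parse, lines)):
        recent = [t for t in recent if ts - t <= window]
        if code in STAPLING_ERRORS:
            recent.append(ts)
        elif code in EXHAUSTION and recent:
            incidents.append((ts.isoformat(), code, len(recent)))
    return incidents

if __name__ == "__main__":
    for when, code, n in find_stapling_stalls(SAMPLE_LOG):
        print(f"{when} {code} preceded by {n} stapling responder error(s)")
```

The last sample line is an exhaustion event with no nearby stapling error, so it is not reported; that separates ordinary load spikes from the stall pattern in the report.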