On Friday 11 August 2017 03:31:27 [email protected] wrote:
> >Synopsis: httpd incorrectly handles OCSP stapling
> >Category: system
> >Environment:
> System : OpenBSD 6.1
> Details : OpenBSD 6.1 (GENERIC.MP) #19: Thu Aug 3 14:59:44 CEST 2017
> [email protected]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
>
> Architecture: OpenBSD.amd64
> Machine : amd64
>
> >Description:
> I run multiple domains on an httpd instance. When I tried to enable
> OCSP stapling for several domains, only the first defined domain would work
> properly. Regardless of whether I had defined an OCSP block or not for
> subsequent domains after the first, I'm suspecting that the OCSP response
> stapled to the first domain is used for all the others. Firefox refuses to
> connect to any but the first defined domains, and gives an OCSP error.
>
> (also apologies if this is a repost, I didn't have the alias set up
> yet, and believe the majordomo "confirm" mail went to /dev/null)
>
> >How-To-Repeat:
> Get OCSP responses:
>
> ocspcheck -N -o /etc/ssl/acme/domain1.com.der /etc/ssl/acme/domain1.com.fullchain.pem
> ocspcheck -N -o /etc/ssl/acme/domain2.com.der /etc/ssl/acme/domain2.com.fullchain.pem
>
> Define multiple server{} blocks in httpd.conf, and give each an ocsp
> definition:
>
> server "domain1.com" {
>     listen on $ext_addr tls port 443
>
>     tls {
>         certificate "/etc/ssl/acme/domain1.com.fullchain.pem"
>         key "/etc/ssl/acme/private/domain1.com.key"
>         ocsp "/etc/ssl/acme/domain1.com.der"
>     }
> }
>
> server "domain2.com" {
>     listen on $ext_addr tls port 443
>
>     tls {
>         certificate "/etc/ssl/acme/domain2.com.fullchain.pem"
>         key "/etc/ssl/acme/private/domain2.com.key"
>         ocsp "/etc/ssl/acme/domain2.com.der"
>     }
> }
>
> Try to visit domain2.com. Whether or not domain2 has the ocsp
> definition is irrelevant; Firefox fails to access the domain with an OCSP
> error. domain1.com works fine in either case.
>
> >Fix:
> Fix is unknown, but would involve OCSP stapling being handled properly
> for multiple domains. It could be SNI related.
This should already be fixed in -current.
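As an added check for the symptom described in the report (example script written for this note, not code from the bug report or from httpd), the following POSIX shell script asks a server for its stapled OCSP response under a given SNI name with `openssl s_client -status` and compares the serial number inside that response with the serial of the certificate file the server should be using for that name; with the behaviour reported above, a connection for domain2.com would carry domain1.com's staple and the serials would differ. The host and certificate-path arguments, the `openssl` invocation and the sample `s_client` output are assumptions, and the sample is constructed.

```shell
#!/bin/sh
# Added example: verify that the OCSP response stapled for an SNI name belongs
# to the certificate served for that name (not from the bug report or httpd).

# Serial of the leaf certificate in a PEM file, as upper-case hex.
cert_serial() {
    openssl x509 -in "$1" -noout -serial | sed 's/^serial=//' | tr 'a-f' 'A-F'
}

# Serial named in the OCSP response that `openssl s_client -status` prints:
# the "Serial Number:" line under "Certificate ID:". Reads the output on stdin.
staple_serial() {
    awk '/Certificate ID:/ { in_id = 1 }
         in_id && /Serial Number:/ { print $NF; exit }' | tr 'a-f' 'A-F'
}

# Returns 0 when the stapled serial equals the expected one, 1 when it differs,
# 2 when no OCSP response was stapled at all.
staple_matches() {   # $1 = s_client output, $2 = expected serial (hex)
    stapled=$(printf '%s\n' "$1" | staple_serial)
    [ -n "$stapled" ] || return 2
    [ "$stapled" = "$(printf '%s' "$2" | tr 'a-f' 'A-F')" ]
}

# Live check: connect with SNI for the name and compare against its cert file.
# Assumes an `openssl` command (LibreSSL or OpenSSL) whose s_client has -status.
check_staple() {     # $1 = host name, $2 = that host's fullchain PEM
    out=$(openssl s_client -connect "$1:443" -servername "$1" -status </dev/null 2>/dev/null)
    staple_matches "$out" "$(cert_serial "$2")"
}

# Constructed sample of s_client -status output (not a real response).
SAMPLE_STAPLE='OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Responder Id: CN = Example CA
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 0000000000000000000000000000000000000000
      Issuer Key Hash: 1111111111111111111111111111111111111111
      Serial Number: 03a1b2c3d4e5f6
    Cert Status: good'

if [ "$#" -eq 2 ]; then   # sh check_staple.sh domain2.com /etc/ssl/acme/domain2.com.fullchain.pem
    check_staple "$1" "$2" && echo "$1: staple matches its certificate" && exit 0
    echo "$1: staple missing or belongs to another certificate"; exit 1
fi
```

Run it once per server block; a name whose staple reports another block's serial, or no staple at all, is the misbehaviour the report describes.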
