On 07/18/2018 10:19 AM, Frank Meier wrote:
> We experience a problem with OCSP since Apache HTTP Server 2.4.34.
> Certificates, which do include an OCSP responder URL
> and worked well with 2.4.33 are now reported that they don't. Log Message:
> "AH01918: no OCSP responder specified in
> certificate and no default configured".
>
> After git bisect I found the commit which introduced this behaviour [1]. And
> more precisely the line in
> "ssl_engine_config.c" where "ocsp_force_default" is initialized with "UNSET"
> where in 2.4.33 it was initialized with
> "FALSE". This is a problem, because "ocsp_force_default" is used in an if
> condition without comparison operator in
> ssl_engine_ocsp.c:64, therefore resulting in TRUE even if it is UNSET.
>
> I propose 2 ways of fixing this. Either let the initialization be like in
> 2.4.33 (ocsp-fix.patch) or compare the
> "ocsp_force_default" flag with "TRUE" where it is used (ocsp-fix2.patch).
Stefan, do you remember why the default for ocsp_force_default has changed to
UNSET? If not I would go for the first patch.
Regards
Rüdiger
>
> [1]
> https://github.com/apache/httpd/commit/7c64b2e46820d5d7576d9f601142cd33c5c8c42b
>
> Cheers, Frank
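
The tri-state pitfall discussed in this thread, as an added example that is not part of either message and is not mod_ssl code: a simplified C model of responder selection showing the truthiness test next to both proposed fixes. Only the name `ocsp_force_default` comes from the thread; the struct, the function names, the `-1` value of the unset sentinel and the sample URL are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Tri-state flag values. A non-zero sentinel (-1) for "unset" is an assumption. */
#define FLAG_UNSET (-1)
#define FLAG_FALSE 0
#define FLAG_TRUE  1

/* Constructed sample: responder URL as it would be read from the certificate. */
static const char SAMPLE_URL[] = "http://ocsp.example.test/";

/* Hypothetical stand-in for the per-server OCSP settings. */
struct ocsp_cfg {
    int ocsp_force_default;        /* flag named in the report */
    const char *default_responder; /* NULL when no default is configured */
};

/* Truthiness test: FLAG_UNSET is non-zero, so it behaves like TRUE and the
 * certificate's own responder URL is never consulted. */
static const char *pick_truthy(const struct ocsp_cfg *c, const char *cert_url)
{
    if (c->ocsp_force_default)
        return c->default_responder;
    return cert_url ? cert_url : c->default_responder;
}

/* Explicit comparison: only a real TRUE forces the default responder. */
static const char *pick_explicit(const struct ocsp_cfg *c, const char *cert_url)
{
    if (c->ocsp_force_default == FLAG_TRUE)
        return c->default_responder;
    return cert_url ? cert_url : c->default_responder;
}

int main(void)
{
    struct ocsp_cfg unset = { FLAG_UNSET, NULL };      /* initialized with UNSET */
    struct ocsp_cfg init_false = { FLAG_FALSE, NULL }; /* initialized with FALSE */
    const char *r;

    r = pick_truthy(&unset, SAMPLE_URL);
    printf("UNSET, truthy test:   %s\n", r ? r : "(no responder found)");
    r = pick_truthy(&init_false, SAMPLE_URL);
    printf("FALSE, truthy test:   %s\n", r ? r : "(no responder found)");
    r = pick_explicit(&unset, SAMPLE_URL);
    printf("UNSET, explicit test: %s\n", r ? r : "(no responder found)");
    return 0;
}
```

With no default responder configured, only the first case returns no responder, which corresponds to the situation in which the quoted log message is emitted.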