> On 03.09.2025 at 20:55, Ruediger Pluem <[email protected]> wrote:
> 
> 
> 
> On 9/3/25 5:49 PM, Stefan Eissing via dev wrote:
>> https://docs.digicert.com/en/whats-new/change-log/certcentral-change-log.html#digicert-ending-support-for-http-1-0-connections-for-ocsp-and-crl-certificate-status-verification-checks-619426
> 
> Thanks for the heads up.
> 
>> 
>> On rather short notice, they switch off HTTP/1.0 in their OCSP responder. 
>> That means our implementation of stapling in mod_ssl will no longer work, I 
>> assume.
> 
> Agreed. But as HTTP/1.1 is still accepted and we already set a host and 
> connection header it should be easy to fix:
> 
> Index: modules/ssl/ssl_util_ocsp.c
> ===================================================================
> --- modules/ssl/ssl_util_ocsp.c (revision 1928174)
> +++ modules/ssl/ssl_util_ocsp.c (working copy)
> @@ -46,7 +46,7 @@
>         BIO_printf(bio, "http://%s:%d";,
>                    uri->hostname, uri->port);
>     }
> -    BIO_printf(bio, "%s%s%s HTTP/1.0\r\n"
> +    BIO_printf(bio, "%s%s%s HTTP/1.1\r\n"
>                "Host: %s:%d\r\n"
>                "Content-Type: application/ocsp-request\r\n"
>                "Connection: close\r\n"
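
Review bot: The request line on the `+` side now announces HTTP/1.1, so the responder may answer with `Transfer-Encoding: chunked`, which it could not do for an HTTP/1.0 request. The `Connection: close` header already in the request only settles connection persistence, not body framing. The code that reads the response is not part of this hunk, so please confirm it decodes chunked bodies (or add that handling) before relying on this one-line change, and test against a responder that actually returns a chunked reply.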

Will be a bit tricky to ship that everywhere until September 8.💁🏻‍♂️

> 
> Regards
> 
> Rüdiger
