On 9/3/25 9:16 PM, Stefan Eissing via dev wrote:
>
>
>> On 03.09.2025 at 20:55, Ruediger Pluem <[email protected]> wrote:
>>
>>
>>
>> On 9/3/25 5:49 PM, Stefan Eissing via dev wrote:
>>> https://docs.digicert.com/en/whats-new/change-log/certcentral-change-log.html#digicert-ending-support-for-http-1-0-connections-for-ocsp-and-crl-certificate-status-verification-checks-619426
>>
>> Thanks for the heads up.
>>
>>>
>>> On rather short notice, they switch off HTTP/1.0 in their OCSP responder.
>>> That means our implementation of stapling in mod_ssl will no longer work, I
>>> assume.
>>
>> Agreed. But as HTTP/1.1 is still accepted and we already set a host and
>> connection header it should be easy to fix:
>>
>> Index: modules/ssl/ssl_util_ocsp.c
>> ===================================================================
>> --- modules/ssl/ssl_util_ocsp.c (revision 1928174)
>> +++ modules/ssl/ssl_util_ocsp.c (working copy)
>> @@ -46,7 +46,7 @@
>> BIO_printf(bio, "http://%s:%d",
>> uri->hostname, uri->port);
>> }
>> - BIO_printf(bio, "%s%s%s HTTP/1.0\r\n"
>> + BIO_printf(bio, "%s%s%s HTTP/1.1\r\n"
>> "Host: %s:%d\r\n"
>> "Content-Type: application/ocsp-request\r\n"
>> "Connection: close\r\n"
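
Review bot: With the request line now ending in `HTTP/1.1\r\n`, the responder is allowed to reply using `Transfer-Encoding: chunked`, and the `Connection: close` header kept below does not rule that out. An HTTP/1.0 request could never receive a chunked body, so the code that reads the OCSP response (not visible in this hunk) may never have needed to handle one. Please confirm that the response reader de-chunks the body before the DER is parsed, or extend it to do so. Otherwise a responder that chunks its reply would cause stapling to fail in the same way the HTTP/1.0 cutoff does. A short comment above the `BIO_printf` call stating why 1.1 is sent and what the reader is expected to cope with would help later maintainers.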
>
> Will be a bit tricky to ship that everywhere until September 8.💁🏻♂️
True, but at least a patch is available for those who need it and build on
their own.
r1928222.
Regards
Rüdiger