On 9/4/25 8:06 AM, Ruediger Pluem wrote:
>
>
> On 9/3/25 9:16 PM, Stefan Eissing via dev wrote:
>>
>>
>>> Am 03.09.2025 um 20:55 schrieb Ruediger Pluem <[email protected]>:
>>>
>>>
>>>
>>> On 9/3/25 5:49 PM, Stefan Eissing via dev wrote:
>>>> https://docs.digicert.com/en/whats-new/change-log/certcentral-change-log.html#digicert-ending-support-for-http-1-0-connections-for-ocsp-and-crl-certificate-status-verification-checks-619426
>>>
>>> Thanks for the heads up.
>>>
>>>>
>>>> On rather short notice, they switch off HTTP/1.0 in their OCSP responder.
>>>> That means our implementation of stapling in mod_ssl will no longer work,
>>>> I assume.
>>>
>>> Agreed. But as HTTP/1.1 is still accepted and we already set a host and
>>> connection header it should be easy to fix:
>>>
>>> Index: modules/ssl/ssl_util_ocsp.c
>>> ===================================================================
>>> --- modules/ssl/ssl_util_ocsp.c (revision 1928174)
>>> +++ modules/ssl/ssl_util_ocsp.c (working copy)
>>> @@ -46,7 +46,7 @@
>>> BIO_printf(bio, "http://%s:%d",
>>> uri->hostname, uri->port);
>>> }
>>> - BIO_printf(bio, "%s%s%s HTTP/1.0\r\n"
>>> + BIO_printf(bio, "%s%s%s HTTP/1.1\r\n"
>>> "Host: %s:%d\r\n"
>>> "Content-Type: application/ocsp-request\r\n"
>>> "Connection: close\r\n"
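Review bot: changing only the version string in the request line commits mod_ssl to HTTP/1.1 response framing, so the reply reader must be checked in the same change: an HTTP/1.1 responder may send `Transfer-Encoding: chunked` instead of `Content-Length` or end-of-stream, and a reader that does not decode chunked bodies will hand chunk-size lines to the OCSP response parser. Either add chunked decoding alongside this hunk or detect the header and fail with a clear error. Keeping `Connection: close` in the request is right, since the client does no keep-alive handling.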
>>
>> Will be a bit tricky to ship that everywhere until September 8.💁🏻♂️
>
> True, but at least a patch is available for those who need it and build on
> their own.
> r1928222.
Unfortunately this is not enough, as the OCSP responder can now reply with
transfer-encoding: chunked, which we cannot handle currently.
Regards
Rüdiger
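The framing problem raised in the thread, shown as an added example that is not mod_ssl code: a minimal decoder for an HTTP/1.1 `Transfer-Encoding: chunked` body (RFC 9112 section 7.1), which is what an OCSP client needs once it sends `HTTP/1.1` in the request line. The function name, the sample body and the trailer field are constructed for this example.

```c
/* Added example, not from httpd/mod_ssl: decode an HTTP/1.1 chunked body.
 * Chunk format: hex-size[;ext]CRLF data CRLF ... 0CRLF [trailers] CRLF. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Decode the chunked body in in[0..in_len) into out (capacity out_cap).
 * Returns the number of body bytes written, or -1 if the input is
 * malformed, truncated (no last-chunk seen) or larger than out_cap.
 * Trailer fields after the last chunk are skipped. */
long decode_chunked(const char *in, size_t in_len,
                    unsigned char *out, size_t out_cap)
{
    size_t pos = 0, outlen = 0;

    for (;;) {
        /* chunk-size: one or more hex digits, optionally ";extension" */
        size_t chunk = 0;
        int ndigits = 0;
        while (pos < in_len && isxdigit((unsigned char)in[pos])) {
            int c = in[pos++];
            int v = isdigit(c) ? c - '0' : (tolower(c) - 'a' + 10);
            if (chunk > (SIZE_MAX >> 4)) return -1;   /* size overflow guard */
            chunk = (chunk << 4) | (size_t)v;
            ndigits++;
        }
        if (ndigits == 0) return -1;                  /* no size, or truncated */
        while (pos < in_len && in[pos] != '\r') pos++; /* skip chunk extensions */
        if (pos + 2 > in_len || in[pos] != '\r' || in[pos + 1] != '\n') return -1;
        pos += 2;

        if (chunk == 0) {
            /* last-chunk: skip optional trailer lines up to the empty line */
            for (;;) {
                if (pos + 2 > in_len) return -1;
                if (in[pos] == '\r' && in[pos + 1] == '\n') return (long)outlen;
                while (pos < in_len && in[pos] != '\n') pos++;
                if (pos >= in_len) return -1;
                pos++;
            }
        }
        if (chunk > in_len - pos) return -1;          /* truncated chunk-data */
        if (chunk > out_cap - outlen) return -1;      /* output buffer too small */
        memcpy(out + outlen, in + pos, chunk);
        outlen += chunk;
        pos += chunk;
        if (pos + 2 > in_len || in[pos] != '\r' || in[pos + 1] != '\n') return -1;
        pos += 2;                                     /* CRLF after chunk-data */
    }
}

/* Constructed sample body (not a real responder capture): three chunks,
 * one with a chunk extension, followed by a trailer field. */
static const char sample_body[] =
    "4;note=x\r\n"
    "OCSP\r\n"
    "B\r\n"
    " sample bod\r\n"
    "1\r\n"
    "y\r\n"
    "0\r\n"
    "Trailer-Field: ignored\r\n"
    "\r\n";

/* Decode the constructed sample; returns 16 ("OCSP sample body") on success. */
long decode_sample(unsigned char *out, size_t out_cap)
{
    return decode_chunked(sample_body, sizeof(sample_body) - 1, out, out_cap);
}

int main(void)
{
    unsigned char out[64];
    long n = decode_sample(out, sizeof out);
    if (n < 0) {
        fprintf(stderr, "malformed chunked body\n");
        return 1;
    }
    printf("%ld bytes: %.*s\n", n, (int)n, out);
    return 0;
}
```

In a client, the decoded bytes are what gets passed to `d2i_OCSP_RESPONSE`; the decoder deliberately refuses truncated input rather than returning a partial body, since a cut-off response must not be mistaken for a complete status.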