[Bug 64135] OCSP Stapling doesn't handle Keep-Alive responses properly, causing delays/timeouts
https://bz.apache.org/bugzilla/show_bug.cgi?id=64135

Christophe JAILLET changed:

What|Removed|Added
Status|NEW|RESOLVED
Resolution|---|FIXED

--- Comment #9 from Christophe JAILLET ---
Backported in 2.4.x in r1887155

This is part of 2.4.47

--
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org
For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 64135] OCSP Stapling doesn't handle Keep-Alive responses properly, causing delays/timeouts
https://bz.apache.org/bugzilla/show_bug.cgi?id=64135

--- Comment #8 from Ruediger Pluem ---
(In reply to Christophe JAILLET from comment #7)
> Coming back to it, is this "Connection: close" needed at all?
> We are using HTTP/1.0 here, and it should be closed in all cases.
>
> Did I miss something? Is there something else lurking around?

It is probably caused by a misconfigured / buggy HTTP server on OCSP server side, but I see no harm in adding the "Connection: close" if it helps. I agree that the normal behavior of the server to an HTTP/1.0 request should be to close the connection after sending the response.
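Added example, not part of the thread and not httpd code: a client-side completeness check that ends the read once Content-Length bytes have arrived, so a responder that keeps the connection open cannot stall the caller until a timeout. It assumes a client that would otherwise read until the responder closes the connection; the helper name ocsp_response_complete and both sample responses are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>
#include <strings.h>

/* Constructed sample: a responder answering with keep-alive; the 5-byte
 * body stands in for a DER-encoded OCSP response. */
static const char SAMPLE[] =
    "HTTP/1.0 200 OK\r\n"
    "Content-Type: application/ocsp-response\r\n"
    "Connection: keep-alive\r\n"
    "Content-Length: 5\r\n"
    "\r\n"
    "hello";
static const char NO_LENGTH[] = "HTTP/1.0 200 OK\r\n\r\nxx";

/* Hypothetical helper: 1 if buf holds the headers plus Content-Length
 * body bytes, 0 if more data is needed, -1 if there is no usable
 * Content-Length and only the peer closing can mark the end. */
int ocsp_response_complete(const char *buf, size_t len)
{
    static const char name[] = "Content-Length:";
    const size_t nlen = sizeof(name) - 1;
    const char *eoh = NULL, *p, *q;
    size_t i, want = 0;
    int digits = 0;

    for (i = 0; i + 4 <= len && eoh == NULL; i++)   /* end of headers */
        if (memcmp(buf + i, "\r\n\r\n", 4) == 0)
            eoh = buf + i;
    if (eoh == NULL)
        return 0;

    /* Skip the status line, then test each header line in turn. */
    p = memchr(buf, '\n', (size_t)(eoh - buf) + 2);
    while (p != NULL && ++p < eoh) {
        if ((size_t)(eoh - p) > nlen && strncasecmp(p, name, nlen) == 0) {
            for (q = p + nlen; q < eoh && (*q == ' ' || *q == '\t'); q++)
                ;
            for (; q < eoh && *q >= '0' && *q <= '9'; q++, digits++) {
                if (want > (SIZE_MAX - 9) / 10)
                    return -1;                      /* would overflow */
                want = want * 10 + (size_t)(*q - '0');
            }
            if (digits == 0 || (q < eoh && *q != '\r'))
                return -1;                          /* malformed value */
            return len - (size_t)(eoh + 4 - buf) >= want;
        }
        p = memchr(p, '\n', (size_t)(eoh - p));
    }
    return -1;
}
```

A return of -1 is the case where the client depends entirely on the responder closing the connection, which is the situation the "Connection: close" request header is meant to steer toward.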
[Bug 64135] OCSP Stapling doesn't handle Keep-Alive responses properly, causing delays/timeouts
https://bz.apache.org/bugzilla/show_bug.cgi?id=64135

--- Comment #7 from Christophe JAILLET ---
Coming back to it, is this "Connection: close" needed at all?
We are using HTTP/1.0 here, and it should be closed in all cases.

Did I miss something? Is there something else lurking around?
[Bug 64135] OCSP Stapling doesn't handle Keep-Alive responses properly, causing delays/timeouts
https://bz.apache.org/bugzilla/show_bug.cgi?id=64135

Giovanni Bechis changed:

What|Removed|Added
Keywords||FixedInTrunk
[Bug 64135] OCSP Stapling doesn't handle Keep-Alive responses properly, causing delays/timeouts
https://bz.apache.org/bugzilla/show_bug.cgi?id=64135

--- Comment #6 from Ruediger Pluem ---
Committed to trunk as r1874007.
[Bug 64135] OCSP Stapling doesn't handle Keep-Alive responses properly, causing delays/timeouts
https://bz.apache.org/bugzilla/show_bug.cgi?id=64135

--- Comment #5 from Giovanni Bechis ---
Yes, the patch fixes the issue.
[Bug 64135] OCSP Stapling doesn't handle Keep-Alive responses properly, causing delays/timeouts
https://bz.apache.org/bugzilla/show_bug.cgi?id=64135

--- Comment #4 from Ruediger Pluem ---
(In reply to Giovanni Bechis from comment #3)
> You understood perfectly and your diff makes absolute sense.

Can you confirm that the patch fixes your issue?
[Bug 64135] OCSP Stapling doesn't handle Keep-Alive responses properly, causing delays/timeouts
https://bz.apache.org/bugzilla/show_bug.cgi?id=64135

--- Comment #3 from Giovanni Bechis ---
You understood perfectly and your diff makes absolute sense.
[Bug 64135] OCSP Stapling doesn't handle Keep-Alive responses properly, causing delays/timeouts
https://bz.apache.org/bugzilla/show_bug.cgi?id=64135

--- Comment #2 from Ruediger Pluem ---
(In reply to Giovanni Bechis from comment #1)
> Created attachment 37011 [details]
> Possible fix
>
> A possible fix could be to force a connection closure as soon as a correct
> reply from the OCSP server has arrived, not sure if it's done in the correct
> code-path anyway.

Maybe I misunderstood the issue. You are talking about the HTTP connection to the OCSP server / responder, correct? But the patch disables the keepalive on the connection to the client (e.g. the browser). If you want to disable the keepalive on the connection to the OCSP server / have it closed after the request IMHO the following patch should do it:

Index: ssl_util_ocsp.c === --- ssl_util_ocsp.c (revision 1873895) +++ ssl_util_ocsp.c (working copy) @@ -46,6 +46,7 @@ BIO_printf(bio, "%s%s%s HTTP/1.0\r\n" "Host: %s:%d\r\n" "Content-Type: application/ocsp-request\r\n" + "Connection: close\r\n" "Content-Length: %d\r\n" "\r\n", uri->path ? uri->path : "/",
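Review bot: The added "Connection: close\r\n" line in the BIO_printf format string carries no comment saying why an HTTP/1.0 request needs it. The request line in the same format string is HTTP/1.0, so the header reads as redundant and could be removed in a later cleanup; a short comment above the call noting that some OCSP responders keep the connection open regardless would record the reason. The new line adds no conversion specifier, so the argument list that follows the format string needs no change.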
[Bug 64135] OCSP Stapling doesn't handle Keep-Alive responses properly, causing delays/timeouts
https://bz.apache.org/bugzilla/show_bug.cgi?id=64135

--- Comment #1 from Giovanni Bechis ---
Created attachment 37011
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=37011&action=edit
Possible fix

A possible fix could be to force a connection closure as soon as a correct reply from the OCSP server has arrived, not sure if it's done in the correct code-path anyway.