On Mon, 17 Apr 2023 at 17:29, Quintin Ash (<q...@tenable.com>) wrote:
> Hello,
>
> I am working with OCSP and SSL Stapling and I want to know if this case is working as expected.
>
> I am trying to connect to Apache and I have a certificate that is revoked from the OCSP server. The OCSP server is responding as Revoked, but the connection is not getting rejected. This is a case where I would suspect that the connection should be rejected because the certificate is revoked, but it is not happening.
>
> Does anyone have experience with OCSP and SSL Stapling and is this configured correctly?
>
> Configuration:
>
> Apache 2.4.57
> OpenSSL 3.0.8
>
> SSLOCSPEnable on
> SSLOCSPDefaultResponder http://x.x.x.x:41233
> SSLOCSPOverrideResponder on
>
> Logs:
>
> [Thu Apr 13 10:42:14.734750 2023] [ssl:debug] [pid 1812:tid 139698106267200] ssl_util_ocsp.c(97): [client x.x.x.x:60742] AH01973: connecting to OCSP responder 'x.x.x.x:41233'
> [Thu Apr 13 10:42:14.734815 2023] [ssl:debug] [pid 1812:tid 139698106267200] ssl_util_ocsp.c(125): [client x.x.x.x:60742] AH01975: sending request to OCSP responder
> [Thu Apr 13 10:42:14.739728 2023] [ssl:debug] [pid 1812:tid 139698106267200] ssl_util_ocsp.c(235): [client x.x.x.x:60742] AH01981: OCSP response header: Content-type: application/ocsp-response
> [Thu Apr 13 10:42:14.739751 2023] [ssl:debug] [pid 1812:tid 139698106267200] ssl_util_ocsp.c(235): [client x.x.x.x:60742] AH01981: OCSP response header: Content-Length: 2273
> [Thu Apr 13 10:42:14.739756 2023] [ssl:debug] [pid 1812:tid 139698106267200] ssl_util_ocsp.c(283): [client x.x.x.x:60742] AH01987: OCSP response: got 2273 bytes, 2273 total
> [Thu Apr 13 10:42:14.741198 2023] [ssl:debug] [pid 1812:tid 139698106267200] ssl_util_stapling.c(575): AH01942: stapling_renew_response: query response received
> [Thu Apr 13 10:42:14.741644 2023] [ssl:error] [pid 1812:tid 139698106267200] AH02969: stapling_check_response: response has certificate status revoked (reason: n/a) for serial number xxxx
>
> ——————————————————————————

In the information you provide you are at least missing the Location with:

SSLVerifyClient require

Do you have that?

-- 
Daniel Ferradal
HTTPD Project
#httpd help at Libera.Chat
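Added example, not configuration posted by either participant nor the httpd project's own: an Apache fragment that separates the two OCSP code paths the thread is mixing. The log lines in the question come from ssl_util_stapling.c, which is the stapling path: mod_ssl fetches the status of the server's own certificate to send in the TLS handshake, and a "revoked" answer there is logged and not stapled but never closes a connection. SSLOCSPEnable, on the other hand, only governs OCSP checks of client certificates, and mod_ssl only verifies a client certificate where SSLVerifyClient asks for one, which is the directive the reply says is missing. Hostnames, file paths and the responder address below are placeholders.

```apache
# Added example; not the poster's configuration and not httpd project code.
# Hostnames, file paths and the responder address are placeholders.

SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

<VirtualHost *:443>
    ServerName example.test
    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/server.pem
    SSLCertificateKeyFile   /etc/ssl/private/server.key
    SSLCertificateChainFile /etc/ssl/certs/intermediate.pem

    # Stapling path: mod_ssl asks the responder about the SERVER
    # certificate and staples the answer into the handshake. A "revoked"
    # answer is logged as AH02969 (the error in the question). With
    # SSLStaplingReturnResponderErrors off only a "good" response is
    # stapled; with the default "on" the revoked response is stapled as
    # well and it is the client, not the server, that decides to abort.
    SSLUseStapling on
    SSLStaplingReturnResponderErrors off

    # Client-certificate path, as configured in the question: these
    # directives only affect OCSP checks of CLIENT certificates, and a
    # client certificate is only checked where one is required.
    SSLOCSPEnable on
    SSLOCSPDefaultResponder http://ocsp.example.test:41233
    SSLOCSPOverrideResponder on

    # The missing piece. Without SSLVerifyClient the client is never asked
    # for a certificate, so SSLOCSPEnable has nothing to check and a
    # revoked client certificate is never noticed. With it, the client
    # chain is verified against the CA file, each certificate's status is
    # queried at the responder, and "revoked" fails verification, so the
    # request is denied.
    SSLCACertificateFile /etc/ssl/certs/client-ca.pem
    <Location "/secure">
        SSLVerifyClient require
        SSLVerifyDepth 2
    </Location>
</VirtualHost>
```

Putting SSLVerifyClient at VirtualHost level instead of inside a Location has the same effect for the whole host; the Location form is what the reply asks about. To confirm which path a log line belongs to, look at the source file in the debug message: ssl_util_stapling.c is the server-certificate stapling code, while client-certificate OCSP checks are logged from the verify callback during the handshake.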