[Bug 58826] New: OCSP Stapling does not resolve DNS


[Bug 58826] New: OCSP Stapling does not resolve DNS

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=58826

            Bug ID: 58826
           Summary: OCSP Stapling does not resolve DNS
           Product: Apache httpd-2
           Version: 2.4.18
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: critical
          Priority: P2
         Component: mod_ssl
          Assignee: [hidden email]
          Reporter: [hidden email]

I have configured an OCSP responder with OpenSSL 1.0.2d for testing purposes.
In Apache 2.4.18 I have the following configuration:

SSLUseStapling on
SSLStaplingCache shmcb:${APACHE_RUN_DIR}/stapling_cache(128000)
SSLStaplingStandardCacheTimeout 60
SSLStaplingForceURL http://127.0.0.1
#SSLStaplingForceURL http://cafe.ro

And in the /etc/hosts file I have:

127.0.0.1       localhost cafe.ro

When the OCSP URL is set to http://127.0.0.1, Apache sends OCSP Request messages,
so everything seems to be OK.

The problem is that when the OCSP URL is set to http://cafe.ro, Apache does not
send OCSP Requests anymore, so I assume that it doesn't resolve DNS.

Does anybody know what the problem is?

These errors are from the Apache error.log:

[ssl:error] [pid 12647:tid 139684667709184] (111)Connection refused: [client
127.0.0.1:48742] AH01974: could not connect to OCSP responder 'cafe.ro'
[ssl:error] [pid 12647:tid 139684667709184] AH01941: stapling_renew_response:
responder error

--
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

[Bug 58826] OCSP Stapling does not resolve DNS

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=58826

[hidden email] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]


[Bug 58826] OCSP Stapling does not resolve DNS

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=58826

Szőgyényi Gábor <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]


[Bug 58826] OCSP Stapling does not resolve DNS

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=58826

[hidden email] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]


[Bug 58826] OCSP Stapling does not resolve DNS

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=58826

--- Comment #1 from Luca Toscano <[hidden email]> ---
Hi Paul,

sorry for the delay. If you still haven't resolved the issue, can you try
setting the loglevel to debug
(https://httpd.apache.org/docs/2.4/mod/core.html#loglevel) to see the result of
this log?

    /* establish a connection to the OCSP responder */
    ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(01973)
                  "connecting to %s '%s'",
                  proxy_uri ? "proxy" : "OCSP responder",
                  uri->hostinfo);

As far as I can see, cafe.ro should be resolved, and in case of failure you
should have found an error like the following in your logs:

    if (rv) {
        ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, c, APLOGNO(01972)
                      "could not resolve address of %s %s",
                      proxy_uri ? "proxy" : "OCSP responder",
                      next_hop_uri->hostinfo);
        return NULL;
    }

Are you sure that cafe.ro is correctly resolving to 127.0.0.1 on your system?

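The error lines quoted in the report carry AH01974 with errno 111 (ECONNREFUSED) rather than the AH01972 resolve error that the excerpt above would log, which points at the TCP connect to port 80 rather than name resolution. The script below is an added example, not code from the thread or from httpd: it replays the two steps the excerpts show (resolve the responder host, then connect) for the report's URLs and tags its log lines by failing stage; STAGE_BY_TAG, classify_log_line, responder_endpoint and probe_responder are names chosen here.

```python
import errno
import socket
from urllib.parse import urlsplit

# httpd log tags quoted in the thread, mapped to the stapling stage that failed.
STAGE_BY_TAG = {
    "AH01972": "resolve",    # could not resolve address of OCSP responder
    "AH01974": "connect",    # could not connect to OCSP responder
    "AH01941": "responder",  # stapling_renew_response: responder error
}

def classify_log_line(line):
    """Return the failing stage named by a mod_ssl stapling error line, or None."""
    for tag, stage in STAGE_BY_TAG.items():
        if tag in line:
            return stage
    return None

def responder_endpoint(url):
    """Host and TCP port of an OCSP responder URL; no port means 80 for http."""
    parts = urlsplit(url)
    return parts.hostname, parts.port or (443 if parts.scheme == "https" else 80)

def probe_responder(url, timeout=2.0):
    """Resolve the host, then try a TCP connect to each returned address.

    Returns (stage, detail): "resolve" if the name does not resolve,
    "connect" if no address accepted (the thread's errno 111 case),
    or "ok" with the address that accepted the connection.
    """
    host, port = responder_endpoint(url)
    try:
        addrs = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "resolve", f"{host}: {exc}"
    last = None
    for family, stype, proto, _, sockaddr in addrs:
        sock = socket.socket(family, stype, proto)
        sock.settimeout(timeout)
        try:
            sock.connect(sockaddr)
            return "ok", f"{sockaddr[0]}:{sockaddr[1]}"
        except OSError as exc:
            name = errno.errorcode.get(exc.errno) or str(exc)
            last = f"{sockaddr[0]}:{sockaddr[1]}: {name}"
        finally:
            sock.close()
    return "connect", last
```

Running probe_responder("http://cafe.ro") on the reporter's host would show whether the /etc/hosts entry is honoured and which address refuses port 80, which is the distinction the debug-level AH01973 line is meant to expose.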

[Bug 58826] OCSP Stapling does not resolve DNS

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=58826

Luca Toscano <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]


[Bug 58826] OCSP Stapling does not resolve DNS

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=58826

ithan <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|[hidden email],          |[hidden email]
                   |[hidden email],          |
                   |[hidden email],        |
                   |[hidden email]      |


[Bug 58826] OCSP Stapling does not resolve DNS

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=58826

Joe Orton <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |WORKSFORME

--- Comment #2 from Joe Orton <[hidden email]> ---
There is nothing obviously wrong with the code, if there is a reproducible
problem with 2.4.43 please reopen and provide the requested debug-level log
output.
