[Bug 63171] New: SSLProxy: SSLOCSPResponderCertificateFile not loaded on HTTP to HTTPS proxy


[Bug 63171] New: SSLProxy: SSLOCSPResponderCertificateFile not loaded on HTTP to HTTPS proxy

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=63171

            Bug ID: 63171
           Summary: SSLProxy: SSLOCSPResponderCertificateFile not loaded
                    on HTTP to HTTPS proxy
           Product: Apache httpd-2
           Version: 2.4.38
          Hardware: PC
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl
          Assignee: [hidden email]
          Reporter: [hidden email]
  Target Milestone: ---

Created attachment 36434
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=36434&action=edit
Patch against tag 2.4.38

I have configured an Apache HTTP server as outgoing proxy in order to connect
to an external system using Mutual TLS. I use the SSLProxyEngine to facilitate
this configuration. For the time being, this proxy listens on HTTP. The
external system uses a Comodo-issued certificate. Comodo’s OCSP responder does
not send its certificate, since the OCSP response is signed with the same
certificate as the server certificate. This makes the default OCSP validation
fail.

In order to provide the responder’s certificate to OpenSSL, I have configured a
SSLOCSPResponderCertificateFile in the relevant VirtualHost. However, in this
HTTP to HTTPS setup, the file is never read/used.

I looked at mod_ssl’s sources and observed that the OCSP trusted certificates
are loaded in ssl_util_ocsp.c/ssl_init_ocsp_certificates. This method is
however never called in proxy configuration (see
ssl_engine_init.c/ssl_init_ConfigureServer).

I discovered this problem on an Apachehaus 2.4.37 build for Windows. I
reproduced it on a build from source using 2.4.38 and an AWS Ubuntu 18.04 VM.

Reproduction with 2.4.38:
- ./configure --enable-proxy --enable-ssl --prefix=/opt/apache2
- Copy attached trusted-ca.pem to conf/ssl
- httpd.conf:
    - Enable mod_proxy.so, mod_proxy_http.so, mod_ssl.so
    - Add virtual host below

<VirtualHost *:80>
  LogLevel ssl:trace5

  SSLProxyEngine On
  SSLProxyProtocol -all +TLSv1.2

  # Verify remote server certificate
  SSLProxyVerify require
  SSLProxyVerifyDepth 2

  # Comodo responder does not accept nonce
  SSLOCSPUseRequestNonce off

  # Certificate chain
  SSLProxyCACertificateFile conf/ssl/trusted-ca.pem
  SSLOCSPResponderCertificateFile conf/ssl/trusted-ca.pem

  ProxyPass / https://oneton.nl/
</VirtualHost>

- Start the server
- curl http://localhost/
- The server returns a 500 error
- Check the error log. It does not mention “Configuring Trusted OCSP
certificates” (which is the debug logging output for
ssl_util_ocsp.c/ssl_init_ocsp_certificates)

- Apply attached patch to 2.4.38 source directory
(modules/ssl/ssl_engine_init.c)
- Build and install
- Try again, the page is loaded and the error log shows that:
  - Certificates are loaded
  - OCSP lookup succeeds

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
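As an added example (not part of the bug report, and not code from httpd or mod_ssl), the shell script below reproduces the underlying OpenSSL behaviour offline with the openssl CLI. It builds a throwaway CA, a server certificate and a delegated OCSP responder certificate (all names, serials and file names are constructed), has the CLI answer an OCSP request without embedding the signer certificate (-resp_no_certs, the situation the report describes for the remote responder), and then verifies that response twice. -CAfile stands in for SSLProxyCACertificateFile and -VAfile for SSLOCSPResponderCertificateFile. A delegated responder certificate is used instead of the issuer-signed response of the report so that the outcome does not depend on how a given openssl version treats responses signed by the issuer itself; the mechanism under test is the same: OpenSSL looks the response signer up in the trusted-responder list and in the certificates embedded in the response, not in the CA trust store.

```shell
#!/bin/sh
# Added example (not code from the bug report or from httpd/mod_ssl).
# Requires the openssl CLI. Everything below (CA, server cert, responder cert,
# file names, serial numbers) is constructed for this demonstration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed PKI: a CA that issues the proxied server's certificate plus a
# separate, delegated OCSP responder certificate (extendedKeyUsage OCSPSigning).
make_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj /CN=example-test-ca -keyout ca.key -out ca.pem >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj /CN=proxy-target.example -keyout leaf.key -out leaf.csr >/dev/null 2>&1
  openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -set_serial 0x1001 \
    -days 365 -sha256 -out leaf.pem >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj /CN=example-ocsp-responder -keyout responder.key -out responder.csr >/dev/null 2>&1
  printf 'extendedKeyUsage=OCSPSigning\n' > responder.ext
  openssl x509 -req -in responder.csr -CA ca.pem -CAkey ca.key -set_serial 0x1002 \
    -days 365 -sha256 -extfile responder.ext -out responder.pem >/dev/null 2>&1
  # CA index in the layout "openssl ocsp -index" reads:
  # status, expiry, revocation date, serial (hex), filename, subject
  printf 'V\t20991231235959Z\t\t1001\tunknown\t/CN=proxy-target.example\n' > index.txt
}

# Answer an internally generated request for leaf.pem, signed with the delegated
# responder key. -resp_no_certs leaves the signer certificate out of the response,
# which is what the bug report describes for the remote responder.
# -no_nonce mirrors "SSLOCSPUseRequestNonce off" in the reporter's vhost.
make_response() {
  openssl ocsp -index index.txt -CA ca.pem -rsigner responder.pem -rkey responder.key \
    -resp_no_certs -issuer ca.pem -cert leaf.pem -no_nonce -noverify \
    -respout resp.der >/dev/null 2>&1
}

# Verify the stored response against the trust store (-CAfile, the counterpart of
# SSLProxyCACertificateFile) and, optionally, a list of trusted responder
# certificates (-VAfile, the counterpart of SSLOCSPResponderCertificateFile).
# OpenSSL looks the response signer up in that list and in the certificates
# embedded in the response, not in the trust store, so without -VAfile the
# signer is never found. Prints OK or FAIL.
verify_response() {  # $1: extra openssl ocsp options, e.g. "-VAfile responder.pem"
  if openssl ocsp -respin resp.der -issuer ca.pem -cert leaf.pem -no_nonce \
       -CAfile ca.pem ${1:-} 2>&1 | grep -q 'Response verify OK'; then
    echo OK
  else
    echo FAIL
  fi
}

make_pki
make_response
echo "trust store only:             $(verify_response)"
echo "trust store + responder list: $(verify_response '-VAfile responder.pem')"
```

Running it prints FAIL for the trust-store-only verification and OK once the responder list is supplied. That split is what the report observes in mod_ssl: SSLProxyCACertificateFile populates the trust store, while the file named by SSLOCSPResponderCertificateFile, which per the report is never read on the proxy path, is what the signer lookup needs, so OCSP verification of the remote certificate fails and the proxy returns the 500 described above. The fix can be checked the same way the report does: with LogLevel ssl:trace5, the "Configuring Trusted OCSP certificates" line must appear for the proxy vhost at startup.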

[Bug 63171] SSLProxy: SSLOCSPResponderCertificateFile not loaded on HTTP to HTTPS proxy

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=63171

--- Comment #1 from Anton Tieleman <[hidden email]> ---
Created attachment 36435
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=36435&action=edit
CA file for testing (Comodo RSA root + intermediate)


[Bug 63171] SSLProxy: SSLOCSPResponderCertificateFile not loaded on HTTP to HTTPS proxy

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=63171

Christophe JAILLET <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |PatchAvailable
