Hello,
I am working with OCSP and SSL Stapling and I want to know if this case is
working as expected.
I am trying to connect to Apache and I have a certificate that is revoked
from the OCSP server. The OCSP server is responding as Revoked, but the
connection is not getting rejected. This is a case where I would suspect
that the connection should be rejected because the certificate is revoked,
but it is not happening.
Does anyone have experience with OCSP and SSL Stapling and is this
configured correctly?
Configuration:
Apache 2.4.57
OpenSSL 3.0.8
SSLOCSPEnable on
SSLOCSPDefaultResponder http://x.x.x.x:41233
SSLOCSPOverrideResponder on
Logs:
[Thu Apr 13 10:42:14.734750 2023] [ssl:debug] [pid 1812:tid 139698106267200] ssl_util_ocsp.c(97): [client x.x.x.x:60742] AH01973: connecting to OCSP responder 'x.x.x.x:41233'
[Thu Apr 13 10:42:14.734815 2023] [ssl:debug] [pid 1812:tid 139698106267200] ssl_util_ocsp.c(125): [client x.x.x.x:60742] AH01975: sending request to OCSP responder
[Thu Apr 13 10:42:14.739728 2023] [ssl:debug] [pid 1812:tid 139698106267200] ssl_util_ocsp.c(235): [client x.x.x.x:60742] AH01981: OCSP response header: Content-type: application/ocsp-response
[Thu Apr 13 10:42:14.739751 2023] [ssl:debug] [pid 1812:tid 139698106267200] ssl_util_ocsp.c(235): [client x.x.x.x:60742] AH01981: OCSP response header: Content-Length: 2273
[Thu Apr 13 10:42:14.739756 2023] [ssl:debug] [pid 1812:tid 139698106267200] ssl_util_ocsp.c(283): [client x.x.x.x:60742] AH01987: OCSP response: got 2273 bytes, 2273 total
[Thu Apr 13 10:42:14.741198 2023] [ssl:debug] [pid 1812:tid 139698106267200] ssl_util_stapling.c(575): AH01942: stapling_renew_response: query response received
[Thu Apr 13 10:42:14.741644 2023] [ssl:error] [pid 1812:tid 139698106267200] AH02969: stapling_check_response: response has certificate status revoked (reason: n/a) for serial number xxxx
——————————————————————————
Quintin Ash | Senior Software Engineer
Tenable Network Security
7021 Columbia Gateway Drive, Suite 500
Columbia, MD 21046
qash@tenable.com
W: 443-545-2101 ext. 472
tenable.com <http://www.tenable.com/>
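An added configuration example for reference (editor's addition, not part of the post above and not httpd project code). mod_ssl has two separate OCSP paths. The three directives quoted in the post (SSLOCSPEnable, SSLOCSPDefaultResponder, SSLOCSPOverrideResponder) drive OCSP validation of client certificates and are only consulted when SSLVerifyClient requests a certificate. The AH02969 line in the log comes from ssl_util_stapling.c, i.e. the stapling path for the server's own certificate, which is controlled by SSLUseStapling and the SSLStapling* directives; in that path a "revoked" answer is logged and (with SSLStaplingReturnResponderErrors on, the default) stapled into the handshake for the client to act on, so the server itself never refuses the connection. The fragment below puts the two paths side by side; hostnames, file paths, the cache path and the responder address are placeholders. Note that httpd does not allow a comment after a directive on the same line, so all comments are on their own lines.

```apache
# Path 1: OCSP stapling for the SERVER certificate.
# mod_ssl fetches the status of its own certificate and staples it into the
# TLS handshake. A "revoked" answer is logged as AH02969; mod_ssl does not
# close the connection because of its own certificate status. With
# SSLStaplingReturnResponderErrors on (the default) the revoked response is
# stapled and the CLIENT is expected to refuse; with it off, nothing is
# stapled and clients fall back to their own OCSP lookup or soft-fail.
# SSLStaplingCache must live in the global server config, not a vhost.
# (placeholder cache path)
SSLStaplingCache shmcb:/run/httpd/ssl_stapling(32768)

<VirtualHost *:443>
    # placeholder names and paths
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile      /etc/pki/tls/certs/server.crt
    SSLCertificateKeyFile   /etc/pki/tls/private/server.key
    SSLCertificateChainFile /etc/pki/tls/certs/chain.crt

    SSLUseStapling on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors on
    # Send every stapling query to the local responder instead of the AIA
    # URL embedded in the certificate (same responder address as the post).
    SSLStaplingForceURL http://x.x.x.x:41233

    # Path 2: OCSP checking of CLIENT certificates.
    # These directives only run during client-certificate verification.
    # Without SSLVerifyClient they have no effect on any connection; with
    # it, a client certificate the responder reports as revoked fails
    # verification and the handshake is rejected.
    # (placeholder CA bundle path)
    SSLCACertificateFile /etc/pki/tls/certs/client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth 2
    SSLOCSPEnable on
    SSLOCSPDefaultResponder http://x.x.x.x:41233
    SSLOCSPOverrideResponder on
    SSLOCSPResponderTimeout 10
    SSLOCSPUseRequestNonce on
</VirtualHost>
```

To see what the server actually staples, run `openssl s_client -connect www.example.com:443 -status < /dev/null` from a client and look for the "OCSP Response Data" section and its "Cert Status:" line; a revoked server certificate shows up there and it is the client, not httpd, that has to abort. To exercise the client-certificate path, connect with `openssl s_client -cert revoked-client.crt -key revoked-client.key ...` (placeholder file names) and confirm the handshake fails with a revocation error in the mod_ssl log.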