Re: [EXTERNAL] Re: [users@httpd] OCSP Stapling Configuration Setup
Yes I have that as well
SSLVerifyClient require
SSLVerifyDepth 10

I also have FIPS enabled (not sure if that matters).

——————————————————————————




Quintin Ash | Senior Software Engineer

Tenable Network Security

7021 Columbia Gateway Drive, Suite 500

Columbia, MD 21046

qash@tenable.com

W: 443-545-2101 ext. 472

tenable.com <http://www.tenable.com/>


On Mon, Apr 17, 2023 at 1:51 PM Daniel Ferradal <dferradal@apache.org>
wrote:

>
>
> El lun, 17 abr 2023 a las 17:29, Quintin Ash (<qash@tenable.com>)
> escribió:
>
>> Hello,
>>
>>
>> I am working with OCSP and SSL Stapling and I want to know if this case
>> is working as expected.
>>
>>
>> I am trying to connect to Apache and I have a certificate that is revoked
>> from the OCSP server. The OCSP server is responding as Revoked, but the
>> connection is not getting rejected. This is a case where I would suspect
>> that the connection should be rejected because the certificate is revoked,
>> but it is not happening.
>>
>>
>> Does anyone have experience with OCSP and SSL Stapling and is this
>> configured correctly?
>>
>>
>> Configuration:
>>
>> Apache 2.4.57
>>
>> OpenSSL 3.0.8
>>
>>
>> SSLOCSPEnable on
>>
>> SSLOCSPDefaultResponder http://x.x.x.x:41233
>>
>> SSLOCSPOverrideResponder on
>>
>>
>> Logs:
>>
>> [Thu Apr 13 10:42:14.734750 2023] [ssl:debug] [pid 1812:tid
>> 139698106267200] ssl_util_ocsp.c(97): [client x.x.x.x:60742] AH01973:
>> connecting to OCSP responder ‘x.x.x.x:41233'
>>
>> [Thu Apr 13 10:42:14.734815 2023] [ssl:debug] [pid 1812:tid
>> 139698106267200] ssl_util_ocsp.c(125): [client x.x.x.x:60742] AH01975:
>> sending request to OCSP responder
>>
>> [Thu Apr 13 10:42:14.739728 2023] [ssl:debug] [pid 1812:tid
>> 139698106267200] ssl_util_ocsp.c(235): [client x.x.x.x:60742] AH01981: OCSP
>> response header: Content-type: application/ocsp-response
>>
>> [Thu Apr 13 10:42:14.739751 2023] [ssl:debug] [pid 1812:tid
>> 139698106267200] ssl_util_ocsp.c(235): [client x.x.x.x:60742] AH01981: OCSP
>> response header: Content-Length: 2273
>>
>> [Thu Apr 13 10:42:14.739756 2023] [ssl:debug] [pid 1812:tid
>> 139698106267200] ssl_util_ocsp.c(283): [client x.x.x.x:60742] AH01987: OCSP
>> response: got 2273 bytes, 2273 total
>>
>> [Thu Apr 13 10:42:14.741198 2023] [ssl:debug] [pid 1812:tid
>> 139698106267200] ssl_util_stapling.c(575): AH01942:
>> stapling_renew_response: query response received
>>
>> [Thu Apr 13 10:42:14.741644 2023] [ssl:error] [pid 1812:tid
>> 139698106267200] AH02969: stapling_check_response: response has certificate
>> status revoked (reason: n/a) for serial number xxxx
>>
>> ——————————————————————————
>>
>>
>>
>>
>
>
> In the information you provide you are at least missing the Location with:
>
> SSLVerifyclient require
>
> Do you have that?
>
>
> --
> Daniel Ferradal
> HTTPD Project
> #httpd help at Libera.Chat
>
Re: Re: [EXTERNAL] Re: [users@httpd] OCSP Stapling Configuration Setup
El lun, 17 abr 2023 a las 21:19, Quintin Ash (<qash@tenable.com>) escribió:

> Yes I have that as well
> SSLVerifyClient require
> SSLVerifyDepth 10
>
> I also have FIPS enabled (not sure if that matters).
>
>
>
>>
Well, it should be working if everything is in the right place.

Increase debug level to trace7 and check the mod_ssl traces to see what is
really going on.

You can do this with LogLevel ssl:trace7

It is a good practice to share the configuration you have within its own
context; you can see what you really have, we can't. As in, you could have
SSLVerifyClient require in a path and the request going for another, and
then that directive having no effect, etc.

Also turn "SSLOCSPOverrideResponder off" for these tests.


--
Daniel Ferradal
HTTPD Project
#httpd help at Libera.Chat
Re: Re: [EXTERNAL] Re: [users@httpd] OCSP Stapling Configuration Setup
Thanks Daniel! I have that enabled. Here are all relevant settings below:
SSLVerifyClient require
SSLVerifyDepth 10
SSLOCSPEnable on
SSLOCSPDefaultResponder http://x.x.x.x:41233
SSLPassPhraseDialog builtin
SSLSessionCache "dbm:/xx/logs/ssl_scache"
SSLSessionCacheTimeout 300
SSLStaplingCache "dbm:/xx/logs/ssl_staplingcache"
SSLFIPS on
SSLOCSPOverrideResponder off
SSLStaplingReturnResponderErrors on

I have added tracing and see that the OCSP is revoked. I guess my question
is, if the certificate is revoked, should Apache deny access to the
website? Because it is still allowing access even though the OCSP server
mentions that it's revoked.

[Mon Apr 24 10:28:03.720807 2023] [ssl:trace3] [pid 211328:tid
140542335710784] ssl_engine_kernel.c(2213): [client xx.xx.xx.xx:53049]
OpenSSL: Loop: before SSL initialization
[Mon Apr 24 10:28:03.720819 2023] [ssl:debug] [pid 211328:tid
140542335710784] ssl_engine_kernel.c(2425): [client xx.xx.xx.xx:53049]
AH02645: Server name not provided via TLS extension (using default/first
virtual host)
[Mon Apr 24 10:28:03.720947 2023] [ssl:debug] [pid 211328:tid
140542335710784] ssl_util_stapling.c(826): AH01951: stapling_cb: OCSP
Stapling callback called
[Mon Apr 24 10:28:03.720961 2023] [ssl:debug] [pid 211328:tid
140542335710784] ssl_util_stapling.c(866): AH01952: stapling_cb: retrieved
cached certificate data
[Mon Apr 24 10:28:03.721053 2023] [ssl:debug] [pid 211328:tid
140542335710784] ssl_util_stapling.c(341): AH01930:
stapling_get_cached_response: cache miss
[Mon Apr 24 10:28:03.721059 2023] [ssl:debug] [pid 211328:tid
140542335710784] ssl_util_stapling.c(875): AH01954: stapling_cb: renewing
cached response
[Mon Apr 24 10:28:03.721080 2023] [ssl:debug] [pid 211328:tid
140542335710784] ssl_util_stapling.c(341): AH01930:
stapling_get_cached_response: cache miss
[Mon Apr 24 10:28:03.721088 2023] [ssl:debug] [pid 211328:tid
140542335710784] ssl_util_stapling.c(897): AH03238: stapling_cb: still must
refresh cached response after obtaining refresh mutex
[Mon Apr 24 10:28:03.721092 2023] [ssl:debug] [pid 211328:tid
140542335710784] ssl_util_stapling.c(502): AH01938:
stapling_renew_response: querying responder
[Mon Apr 24 10:28:03.721196 2023] [ssl:debug] [pid 211328:tid
140542335710784] ssl_util_ocsp.c(97): [client xx.xx.xx.xx:53049] AH01973:
connecting to OCSP responder 'xx.xx.xx.xx:41233'
[Mon Apr 24 10:28:03.721257 2023] [ssl:debug] [pid 211328:tid
140542335710784] ssl_util_ocsp.c(125): [client xx.xx.xx.xx:53049] AH01975:
sending request to OCSP responder
[Mon Apr 24 10:28:03.726650 2023] [ssl:debug] [pid 211328:tid
140542335710784] ssl_util_ocsp.c(235): [client xx.xx.xx.xx:53049] AH01981:
OCSP response header: Content-type: application/ocsp-response
[Mon Apr 24 10:28:03.726669 2023] [ssl:debug] [pid 211328:tid
140542335710784] ssl_util_ocsp.c(235): [client xx.xx.xx.xx:53049] AH01981:
OCSP response header: Content-Length: 2273
[Mon Apr 24 10:28:03.726674 2023] [ssl:debug] [pid 211328:tid
140542335710784] ssl_util_ocsp.c(283): [client xx.xx.xx.xx:53049] AH01987:
OCSP response: got 2273 bytes, 2273 total
[Mon Apr 24 10:28:03.728109 2023] [ssl:debug] [pid 211328:tid
140542335710784] ssl_util_stapling.c(575): AH01942:
stapling_renew_response: query response received
[Mon Apr 24 10:28:03.728502 2023] [ssl:error] [pid 211328:tid
140542335710784] AH02969: stapling_check_response: response has certificate
status revoked (reason: n/a) for serial number 1001
[Mon Apr 24 10:28:03.728530 2023] [ssl:error] [pid 211328:tid
140542335710784] AH01929: stapling_cache_response: OCSP response session
store error!
[Mon Apr 24 10:28:03.728535 2023] [ssl:error] [pid 211328:tid
140542335710784] AH01945: stapling_renew_response: error caching response!
[Mon Apr 24 10:28:03.728541 2023] [ssl:debug] [pid 211328:tid
140542335710784] ssl_util_stapling.c(905): AH03040: stapling_cb: success
renewing response
[Mon Apr 24 10:28:03.728545 2023] [ssl:debug] [pid 211328:tid
140542335710784] ssl_util_stapling.c(917): AH01956: stapling_cb: setting
response
[Mon Apr 24 10:28:03.728559 2023] [ssl:trace3] [pid 211328:tid
140542335710784] ssl_engine_kernel.c(2213): [client xx.xx.xx.xx:53049]
OpenSSL: Loop: SSLv3/TLS read client hello
[Mon Apr 24 10:28:03.728739 2023] [ssl:trace3] [pid 211328:tid
140542335710784] ssl_engine_kernel.c(2213): [client xx.xx.xx.xx:53049]
OpenSSL: Loop: SSLv3/TLS write server hello
[Mon Apr 24 10:28:03.728790 2023] [ssl:trace3] [pid 211328:tid
140542335710784] ssl_engine_kernel.c(2213): [client xx.xx.xx.xx:53049]
OpenSSL: Loop: SSLv3/TLS write change cipher spec
[Mon Apr 24 10:28:03.728802 2023] [ssl:trace3] [pid 211328:tid
140542335710784] ssl_engine_kernel.c(2213): [client xx.xx.xx.xx:53049]
OpenSSL: Loop: TLSv1.3 write encrypted extensions
[Mon Apr 24 10:28:03.728817 2023] [ssl:trace3] [pid 211328:tid
140542335710784] ssl_engine_kernel.c(2213): [client xx.xx.xx.xx:53049]
OpenSSL: Loop: SSLv3/TLS write certificate request
[Mon Apr 24 10:28:03.729100 2023] [ssl:trace6] [pid 211328:tid
140542335710784] ssl_engine_io.c(218): [client xx.xx.xx.xx:53049]
bio_filter_out_write: 4096 bytes



On Tue, Apr 18, 2023 at 7:21 PM Daniel Ferradal <dferradal@apache.org>
wrote:

>
>
> El lun, 17 abr 2023 a las 21:19, Quintin Ash (<qash@tenable.com>)
> escribió:
>
>> Yes I have that as well
>> SSLVerifyClient require
>> SSLVerifyDepth 10
>>
>> I also have FIPS enabled (not sure if that matters).
>>
>>
>>
>>>
> Well, it should be working if everything is in the right place.
>
> Increase debug level to trace7 and check the mod_ssl traces to see what is
> really going on.
>
> You can do this with LogLevel ssl:trace7
>
> It is a good practice to share the configuration you have within its own
> context; you can see what you really have, we can't. As in, you could have
> SSLVerifyClient require in a path and the request going for another, and
> then that directive having no effect, etc.
>
> Also turn "SSLOCSPOverrideResponder off" for these tests.
>
>
> --
> Daniel Ferradal
> HTTPD Project
> #httpd help at Libera.Chat
>
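Since the answer in this thread is that stapling only passes the responder's answer through to the client, the AH02969 error-log line in the trace above is the point where an operator can see, and alert on, a revoked status for the stapled certificate. As an added example (not code from the thread or from httpd), this Python script parses mod_ssl error-log lines of that shape and pulls out the status, serial and the cache errors that followed it; the sample log is constructed from the thread's own lines re-joined onto single lines, and the function names (parse_line, triage_stapling_log) are assumptions.

```python
import re

# Constructed sample: the four error/debug lines from the thread's trace, each
# re-joined onto one line as Apache writes them (the archive wraps them).
SAMPLE_LOG = """\
[Mon Apr 24 10:28:03.728502 2023] [ssl:error] [pid 211328:tid 140542335710784] AH02969: stapling_check_response: response has certificate status revoked (reason: n/a) for serial number 1001
[Mon Apr 24 10:28:03.728530 2023] [ssl:error] [pid 211328:tid 140542335710784] AH01929: stapling_cache_response: OCSP response session store error!
[Mon Apr 24 10:28:03.728535 2023] [ssl:error] [pid 211328:tid 140542335710784] AH01945: stapling_renew_response: error caching response!
[Mon Apr 24 10:28:03.728545 2023] [ssl:debug] [pid 211328:tid 140542335710784] ssl_util_stapling.c(917): AH01956: stapling_cb: setting response
"""

# Shape of a mod_ssl error-log line: [ts] [module:level] [pid N:tid M] rest
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>\w+):(?P<level>\w+)\] "
    r"\[pid (?P<pid>\d+):tid (?P<tid>\d+)\] (?P<rest>.*)$"
)
# AH02969: stapling_check_response saw a status other than "good" from the responder
STATUS_RE = re.compile(
    r"AH02969: stapling_check_response: response has certificate status "
    r"(?P<status>\w+) \(reason: (?P<reason>[^)]*)\) for serial number (?P<serial>\S+)"
)
CACHE_ERROR_CODES = ("AH01929", "AH01945")  # stapling cache store failures
STAPLED_CODE = "AH01956"                    # stapling_cb: setting response

def parse_line(line):
    # Returns the fields of one mod_ssl log line, or None if the line is not in that format
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    code = re.search(r"\b(AH\d{5})\b", rec["rest"])
    rec["code"] = code.group(1) if code else None
    return rec

def triage_stapling_log(lines):
    # Summarise the stapling events an operator would alert on
    findings = {"non_good": [], "cache_errors": [], "response_stapled": False}
    for raw in lines:
        rec = parse_line(raw.strip())
        if rec is None or rec["module"] != "ssl":
            continue
        m = STATUS_RE.search(rec["rest"])
        if m and m.group("status") != "good":
            findings["non_good"].append({"ts": rec["ts"], "serial": m.group("serial"),
                                         "status": m.group("status"), "reason": m.group("reason")})
        elif rec["code"] in CACHE_ERROR_CODES:
            findings["cache_errors"].append(rec["code"])
        elif rec["code"] == STAPLED_CODE:
            findings["response_stapled"] = True
    return findings
```

Run against a live error log with `LogLevel ssl:trace7` (as suggested above), a non-empty `non_good` list together with `response_stapled` True shows the revoked response was fetched and handed to the client rather than used to reject the connection.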
Re: Re: [EXTERNAL] Re: [users@httpd] OCSP Stapling Configuration Setup
>
> I have added tracing and see that the OCSP is revoked. I guess my question
> is, if the certificate is revoked, should Apache deny access to the
> website? Because it is still allowing access even though the OCSP server
> mentions that it's revoked.
>

Is there anything in the docs that implies OCSP stapling does anything but
staple the OCSP response so the client can see it?

Did it get added as an extension in the handshake or not?
Re: Re: [EXTERNAL] Re: [users@httpd] OCSP Stapling Configuration Setup
Nothing that I could find in the documentation says that the OCSP stapling
does anything outside of that. The OCSP server will add that status to the
handshake / response. I guess my question is: is there a way to check that
OCSP response status in Apache and manually block this based on it?



On Mon, Apr 24, 2023 at 12:41 PM Eric Covener <covener@gmail.com> wrote:

>> I have added tracing and see that the OCSP is revoked. I guess my
>> question is, if the certificate is revoked, should Apache deny access to
>> the website? Because it is still allowing access even though the OCSP
>> server mentions that it's revoked.
>>
>
> Is there anything in the docs that implies OCSP stapling does anything but
> staple the OCSP response so the client can see it?
>
> Did it get added as an extension in the handshake or not?
>
>