httpd-users mailing list archives

From Hajo Locke <Hajo.Lo...@gmx.de>
Subject Re: [users@httpd] ssl stapling error - sectigo
Date Thu, 25 Apr 2019 14:29:17 GMT
Hello,

thanks to Tom, who informed me offlist about this. It seems that problem
was triggered by some kind of maintenance.
https://sectigo.status.io/pages/history/5938a0dbef3e6af26b001921#

Currently it is working again for us.

Such unexpected problems with OCSP URLs are really annoying for visitors
and admins; the only possibility is to deactivate SSL stapling. We had
really slow webpages and also complete page load errors.
Is it possible to change the way the validation process is included in the
request process? Delivery speed of the website should not be affected by
OCSP problems.
Tom and I would be happy to have a fix in this case ;)

Thanks,
Hajo


Am 25.04.2019 um 11:43 schrieb Hajo Locke:
> Hello,
>
> Am 25.04.2019 um 09:51 schrieb Stefan Eissing:
>>
>>> Am 24.04.2019 um 16:22 schrieb Hajo Locke <Hajo.Locke@gmx.de>:
>>>
>>> Hello List,
>>>
>>> Apache is 2.4.39, System is Ubuntu 18.04 and 16.04
>>>
>>> since yesterday evening we have massive mod_ssl problems with ssl
>>> stapling:
>>>
>>> Apr 24 11:20:59 myhostname apache2[16094]: [ssl:error] [pid 16094]
>>> AH01941: stapling_renew_response: responder error
>>>
>>> We had complaints about slow webpages, this forced us to deactivate
>>> stapling on all our servers.
>> Sorry to hear that.
>>
>>> Affected are certificates of Sectigo (previously Comodo) with OCSP URL
>>> http://ocsp.sectigo.com
>>> I can't confirm for other providers; we use Comodo/Sectigo the most.
>>>
>>> But it seems there is no basic problem on our system/network because I
>>> can manually confirm OCSP status with openssl on affected machines:
>>>
>>> # openssl ocsp -issuer bundle -cert crt -url http://ocsp.sectigo.com
>>> WARNING: no nonce in response
>>> Response verify OK
>>> crt: good
>>>          This Update: Apr 22 12:46:48 2019 GMT
>>>          Next Update: Apr 26 12:46:48 2019 GMT
>>>
>>> I try to figure out on which side the problem is. We use basic SSL stapling
>>> directives in /etc/apache2/mods-enabled/ssl.conf;
>>> this is unchanged for months:
>>>
>>> SSLUseStapling On
>>> SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_stapling(2560000)
>>> SSLStaplingResponderTimeout 5
>>> SSLStaplingReturnResponderErrors off
>>>
>>> Is there somebody who can confirm this behaviour and explain what
>>> happens?
>> AFAIK, there have been no (intentional) changes regarding OCSP
>> stapling in recent versions. Are you doing the openssl test on the
>> same machine that the affected servers run on?
>
> Yes, same server. The Apache log produces the stapling errors, manual
> confirmation with openssl works.
> Today it seems the problems are over, but we are afraid of re-enabling it.
> The main problem for website owners/visitors is a significant noticeable delay
> when requesting a site. I think the OCSP stapling process is included in the
> request process and lags the whole process if the OCSP URL is not acting as
> expected.
> Unfortunately I have no technical contact at Sectigo who could
> re-establish my trust in SSL stapling.
>>
>> - Stefan
> Thanks,
> Hajo
>


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
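As an added example (not part of the thread and not httpd's own code), the following POSIX shell script runs the same `openssl ocsp` query Hajo used, from the web server itself, under a wall-clock timeout, and decides whether the responder's answer is usable before stapling is re-enabled. It assumes GNU `date` and coreutils `timeout` (both present on the Ubuntu releases named in the thread); the arguments `bundle`, `crt` and the URL mirror the thread's command line and are placeholders for your own files.

```shell
#!/bin/sh
# Added example (not from the thread): pre-check an OCSP responder from the
# web server before trusting it for stapling. Assumes GNU date and coreutils
# timeout, as found on Ubuntu 16.04/18.04.

# Return 0 if the responder output shows a verified "good" status for the
# certificate, 1 otherwise.
#   $1 = full `openssl ocsp` output, $2 = label openssl prints for the
#   certificate (the -cert file name, "crt" in the thread).
ocsp_status_ok() {
    out=$1; label=$2
    printf '%s\n' "$out" | grep -q '^Response verify OK' || return 1
    printf '%s\n' "$out" | grep -q "^${label}: good" || return 1
    return 0
}

# Print the "Next Update:" timestamp of the response as epoch seconds.
ocsp_next_update_epoch() {
    ts=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Next Update: //p' | head -n 1)
    [ -n "$ts" ] || return 1
    date -u -d "$ts" +%s
}

# Return 0 if the response is still valid at time $2 (epoch seconds, default:
# now) with more than $3 seconds of margin left (default: 0).
ocsp_is_fresh() {
    next=$(ocsp_next_update_epoch "$1") || return 1
    now=${2:-$(date -u +%s)}
    margin=${3:-0}
    [ $((next - now)) -gt "$margin" ]
}

# Live check: the query from the thread, bounded by a wall-clock timeout so a
# hanging responder cannot stall the check itself.
#   $1 = issuer bundle, $2 = certificate, $3 = responder URL, $4 = timeout (s)
ocsp_live_check() {
    issuer=$1; cert=$2; url=$3; secs=${4:-5}
    out=$(timeout "$secs" openssl ocsp -issuer "$issuer" -cert "$cert" -url "$url" 2>&1) || {
        echo "responder unreachable or timed out after ${secs}s" >&2
        return 2
    }
    ocsp_status_ok "$out" "$cert" || {
        echo "unusable response:" >&2
        printf '%s\n' "$out" >&2
        return 1
    }
    # Require at least an hour of validity left so a refresh that happens
    # right after this check does not land on an already expired response.
    ocsp_is_fresh "$out" "" 3600 || {
        echo "response expires within the hour" >&2
        return 1
    }
    echo "ok"
}

# Only run the live query when invoked with arguments, e.g.
#   sh ocsp-precheck.sh bundle crt http://ocsp.sectigo.com 5
if [ "$#" -ge 3 ]; then
    ocsp_live_check "$@"
fi
```

Run it from cron on each server and re-enable `SSLUseStapling` only while it keeps returning `ok`. The freshness margin is the point: mod_ssl fetches a new response during the handshake once the cached one is missing or expired, so a responder that fails at exactly that moment produces the AH01941 errors from the thread and the client waits up to `SSLStaplingResponderTimeout` (5 s in the quoted config) on that handshake. `SSLStaplingReturnResponderErrors off` only decides whether the error is stapled or omitted; it does not remove the wait.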

