httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stefan Eissing <stefan.eiss...@greenbytes.de>
Subject Re: [users@httpd] ssl stapling error - sectigo
Date Thu, 25 Apr 2019 15:29:46 GMT
There might come up an opportunity in the near future to give
Apache an alternate OCSP stapling implementation. Alternate,
as it is needed for the 2.4.x line. For backward compatibility
reasons, switching strategies must be an opt-in by the user.

I will announce here and on the dev list if/when that should happen
and will be happy to receive feedback on  it.

Cheers, Stefan

> Am 25.04.2019 um 16:29 schrieb Hajo Locke <Hajo.Locke@gmx.de>:
> 
> Hello,
> 
> thanks to Tom, who informed me offlist about this. It seems that problem
> was triggered by some kind of maintenance.
> https://sectigo.status.io/pages/history/5938a0dbef3e6af26b001921#
> 
> Currently it is working again for us.
> 
> Such unexpected problems with ocsp-urls are really annying for visitors
> and admins, only possibility is to deactivate ssl-stapling. We had
> really slow webpages and also complete page load errors.
> Is it possible to change the way the validation-process is included into
> request-process? delivery speed of website should not be affected by
> ocsp problems.
> Tom an I would be happy to have a fix in this case ;)
> 
> Thanks,
> Hajo
> 
> 
> Am 25.04.2019 um 11:43 schrieb Hajo Locke:
>> Hello,
>> 
>> Am 25.04.2019 um 09:51 schrieb Stefan Eissing:
>>> 
>>>> Am 24.04.2019 um 16:22 schrieb Hajo Locke <Hajo.Locke@gmx.de>:
>>>> 
>>>> Hello List,
>>>> 
>>>> Apache is 2.4.39, System is Ubuntu 18.04 and 16.04
>>>> 
>>>> since yesterday evening we have massive mod_ssl problems with ssl
>>>> stapling:
>>>> 
>>>> Apr 24 11:20:59 myhostname apache2[16094]: [ssl:error] [pid 16094]
>>>> AH01941: stapling_renew_response: responder error
>>>> 
>>>> We had complaints about slow webpages, this forced us to deactivate
>>>> stapling on all our servers.
>>> Sorry to hear that.
>>> 
>>>> Affected are certificates of sectigo (previously comodo) with ocsp-url
>>>> http://ocsp.sectigo.com
>>>> I cant confirm for other providers, we use comodo/sectigo the most.
>>>> 
>>>> But it seems there is no basic problem on our system/network because i
>>>> can manually confirm ocsp status with openssl on affected machines:
>>>> 
>>>> # openssl ocsp -issuer bundle -cert crt -url http://ocsp.sectigo.com
>>>> WARNING: no nonce in response
>>>> Response verify OK
>>>> crt: good
>>>>          This Update: Apr 22 12:46:48 2019 GMT
>>>>          Next Update: Apr 26 12:46:48 2019 GMT
>>>> 
>>>> I try to figure out on which side problem is. We use basic sslstapling
>>>> directives in /etc/apache2/mods-enabled/ssl.conf
>>>> this is unchanged for months
>>>> 
>>>> SSLUseStapling On
>>>> SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_stapling(2560000)
>>>> SSLStaplingResponderTimeout 5
>>>> SSLStaplingReturnResponderErrors off
>>>> 
>>>> Is there somebody who can confirm this behaviour and explain what
>>>> happens?
>>> AFIK, there have been no (intentional) changes regarding OCSP
>>> stapling in recent versions. Are you doing the openssl test on the
>>> same machine that the affected servers run?
>> 
>> Yes, same server. Apachelog produces the stapling errors, manually
>> confirmation with openssl works.
>> Today it seems the problems are over, but we are afraid of reenabling it.
>> Main problem vor websiteowner/visitors  is a significat noticable delay
>> when requesting a site. I think the ocsp stapling process is included in
>> requestprocess and lags the whole process if ocsp url is not acting like
>> expected.
>> Unfortunately i have no technical contact at sectigo who could
>> reestablish my trust into ssl-stapling.
>>> 
>>> - Stefan
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>> For additional commands, e-mail: users-help@httpd.apache.org
>>> 
>>> 
>> Thanks,
>> Hajo
>> 
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>> 
>> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message