Bug#933129: apache2: OCSP stapling poorly handled, yielding trylater errors in the client
On 2019-09-26 23:40:45 +0200, Vincent Lefevre wrote:
> Control: found -1 2.4.38-3+deb10u1
>
> On 2019-07-26 22:30:00 +0200, Vincent Lefevre wrote:
> > I sometimes get SEC_ERROR_OCSP_TRY_SERVER_LATER errors in Firefox
> > when I connect to my web server. The apache log shows errors like
> >
> > [Fri Jul 26 20:01:31.355081 2019] [ssl:error] [pid 13552:tid 139871725876992] [client 207.46.13.73:1928] AH02321: empty response from OCSP server
> > [Fri Jul 26 20:01:31.366890 2019] [ssl:error] [pid 13552:tid 139871725876992] [client 207.46.13.73:1928] AH01980: bad response from OCSP server: (none)
> > [Fri Jul 26 20:01:31.366961 2019] [ssl:error] [pid 13552:tid 139871725876992] AH01941: stapling_renew_response: responder error
>
> This still occurs. And when it does, I need to restart apache2.
This may be one of the following upstream bugs:
https://bz.apache.org/bugzilla/show_bug.cgi?id=57121
"ocsp stapling should not pass temporary server outages to clients"
https://bz.apache.org/bugzilla/show_bug.cgi?id=61453
"OCSP Stapling: SSLStaplingFakeTryLater responses cached too long"
https://bz.apache.org/bugzilla/show_bug.cgi?id=61531
"SSLStaplingReturnResponderErrors should return last cached response
if is an error upstream"
The second one has a link to a very simple patch, in case this is
related.
--
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
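For reference, the mod_ssl stapling directives that the three upstream bugs revolve around, shown as a weak-versus-mitigated configuration. This is an added example, not configuration from the bug report or from the Debian apache2 package; the host name, certificate paths and the Debian-style `${APACHE_RUN_DIR}` cache path are placeholders, and the commented-out values are the Apache 2.4 defaults that produce the behaviour described above.

```apache
# Added example: keep an OCSP responder outage on the server side instead of
# forwarding it to browsers as a "tryLater" OCSP response.
# Host name, paths and cache location are placeholders / assumptions.

# Stapling cache must live in the main server config, not inside a vhost.
SSLStaplingCache "shmcb:${APACHE_RUN_DIR}/ssl_stapling(32768)"

<VirtualHost *:443>
    ServerName www.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/example.org.key

    SSLUseStapling on

    # Apache 2.4 defaults (the behaviour the report sees): a responder error
    # or an empty response is passed through to the client, and with
    # SSLStaplingFakeTryLater on the server fabricates a "tryLater" status,
    # which Firefox surfaces as SEC_ERROR_OCSP_TRY_SERVER_LATER.
    #SSLStaplingReturnResponderErrors on
    #SSLStaplingFakeTryLater on
    #SSLStaplingErrorCacheTimeout 600

    # Mitigation: staple nothing when the responder fails, so the client
    # falls back to its own OCSP lookup (or soft-fail) instead of tryLater.
    SSLStaplingReturnResponderErrors off
    SSLStaplingFakeTryLater off

    # Remember a failed lookup only briefly so a transient outage is retried
    # soon rather than served for the full default 600 s; keep good responses
    # cached for the usual hour and give up on a slow responder quickly.
    SSLStaplingErrorCacheTimeout 60
    SSLStaplingStandardCacheTimeout 3600
    SSLStaplingResponderTimeout 5
</VirtualHost>
```

After a reload, the stapled status can be inspected from any client with `openssl s_client -connect www.example.org:443 -servername www.example.org -status </dev/null`: a healthy server prints `OCSP Response Status: successful`, while with the mitigated settings a responder outage shows `OCSP response: no response sent` rather than a tryLater status. Shortening `SSLStaplingErrorCacheTimeout` addresses the symptom of bug 61453 (error responses cached too long); turning off `SSLStaplingReturnResponderErrors` is the workaround for 57121 and 61531, which ask for the last good response to be served instead of the error.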