Bug 1402476

Summary: SSLOCSPEnable setting is not inherited from server config into vhost config
Product: [JBoss] JBoss Enterprise Web Server 2
Component: httpd
Version: 2.1.2
Status: CLOSED WONTFIX
Reporter: Robert Bost <rbost>
Assignee: Weinan Li <weli>
QA Contact: Michal Karm Babacek <mbabacek>
CC: jdoyle, pslavice, rsvoboda
Severity: unspecified
Priority: unspecified
Docs Contact:
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-13 12:19:58 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Attachments: potential fix (flags: none)

Description Robert Bost 2016-12-07 15:56:39 UTC
Created attachment 1229112 (potential fix)

Description of problem: When SSLOCSPEnable is set to On in global/server configuration, it is not inherited by VirtualHosts.

Version-Release number of selected component (if applicable): httpd-2.2.26-55.ep6.el6.x86_64

Steps to Reproduce:
This is a simplified reproducer that does not actually perform an OCSP check, but you can see logging where it at least gets into the OCSP code:

1. Install httpd and mod_ssl

2. Add the following configuration to ssl.conf, outside of the VirtualHost. I did have to create a CA and a client cert, but the Responder URL goes to nowhere.

  SSLCACertificateFile /tmp/cacert.crt
  SSLVerifyClient require
  SSLVerifyDepth 1
  SSLOCSPEnable On
  SSLOCSPDefaultResponder http://localhost:9999/
  SSLOCSPOverrideResponder On

3. Send request with a certificate signed by the /tmp/cacert.crt

  # curl -I -E ./cert.crt:test --key ./privkey.key -k https://localhost/
  HTTP/1.1 200 OK

4. The request above succeeds but should not, because the OCSP responder is unreachable and the cert cannot be validated.


Additional info:
If I move the configuration inside the VirtualHost, the failure happens as expected and the SSL handshake is not completed.

A patch is attached that works for me. The patch was generated for httpd-2.2.26-55.ep6.el6.x86_64.
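As an added audit check, not part of the report or of the attached patch: a small Python script that parses an httpd config and lists the TLS VirtualHosts that rely on a server-scope SSLOCSPEnable On and therefore, on this build, run without OCSP checking. The parser is an assumption of this example: it handles only top-level directives and VirtualHost containers (no Include files, no other nested sections), and the sample config is constructed.

```python
import re

VHOST_OPEN = re.compile(r"^<VirtualHost\s+([^>]+)>", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"^</VirtualHost\s*>", re.IGNORECASE)
DIRECTIVE = re.compile(r"^([A-Za-z]\w*)\s+(.*\S)$")

def parse_httpd_conf(text):
    """Server-scope directives plus (address, directives) per VirtualHost.
    Assumption: no Include files or other nested containers."""
    server, vhosts, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        if m := VHOST_OPEN.match(line):
            current = (m.group(1).strip(), {})
        elif VHOST_CLOSE.match(line) and current:
            vhosts.append(current)
            current = None
        elif m := DIRECTIVE.match(line):
            scope = server if current is None else current[1]
            scope[m.group(1).lower()] = m.group(2)  # names are case-insensitive
    return server, vhosts

def vhosts_missing_ocsp(text):
    """ServerNames of TLS vhosts that rely on a server-scope SSLOCSPEnable On,
    which this httpd build does not inherit, so they get no OCSP check."""
    server, vhosts = parse_httpd_conf(text)
    if server.get("sslocspenable", "").lower() != "on":
        return []                                  # nothing to inherit anyway
    return [d.get("servername", addr) for addr, d in vhosts
            if d.get("sslengine", "").lower() == "on"
            and "sslocspenable" not in d]

# Constructed sample: the report's global OCSP directives plus two TLS vhosts.
SAMPLE_CONF = """
SSLOCSPEnable On
SSLOCSPDefaultResponder http://localhost:9999/
SSLOCSPOverrideResponder On
<VirtualHost _default_:443>
    ServerName a.example
    SSLEngine on
</VirtualHost>
<VirtualHost *:443>
    ServerName b.example
    SSLEngine on
    SSLOCSPEnable On
</VirtualHost>
"""
print(vhosts_missing_ocsp(SAMPLE_CONF))            # ['a.example']
```

Only a.example is flagged: b.example restates SSLOCSPEnable inside its own VirtualHost, which is the workaround the report describes.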