Bug 1724034

Summary: Unexpected OCSP in proxy SSL connection
Product: Red Hat Enterprise Linux 7
Reporter: Hisanobu Okuda <hokuda>
Component: httpd
Assignee: Luboš Uhliarik <luhliari>
Status: CLOSED ERRATA
QA Contact: Maryna Nalbandian <mnalband>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.6
CC: bgollahe, bnater, jorton, luhliari, pdwyer
Target Milestone: rc
Keywords: Regression, Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1744120 1744121
Environment:
Last Closed: 2020-03-31 20:03:28 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1716962, 1744120, 1744121
Attachments: untarme.tgz (flags: none)

Description Hisanobu Okuda 2019-06-26 06:03:55 UTC
Description of problem:
When SSLOCSPEnable is not set and a backend server certificate has an OCSP URI in AIA:

# openssl x509 -text -in /certs/newcert.pem | less
       ...
            Authority Information Access: 
                OCSP - URI:http://ocsp.hogesystems.com

OCSP access happens. If the proxy/httpd cannot resolve the hostname, this error message appears in error_log:

[Wed Jun 26 05:47:41.650839 2019] [ssl:error] [pid 5054] (EAI 2)Name or service not known: [remote ::1:443] AH01972: could not resolve address of OCSP responder ocsp.hogesystems.com


Version-Release number of selected component (if applicable):

mod_ssl-2.4.6-89.el7_6.x86_64
httpd-2.4.6-89.el7_6.x86_64

How reproducible:


Steps to Reproduce:
1. install httpd and mod_ssl-2.4.6-89.el7_6
2. untar untar.tgz

# cd /
# tar xvf untar.tgz

3. restart httpd
4. curl http://localhost/proxy/

Actual results:
OCSP access is done.

Expected results:
OCSP access is not done.

Additional info:

This issue is caused by the code change http://pkgs.devel.redhat.com/cgit/rpms/httpd/commit/?h=rhel-7.6&id=570d29014d0f53ed9670069d2d8bcfc4d187a279 as a fix for BZ https://bugzilla.redhat.com/show_bug.cgi?id=1548501

If SSLOCSPEnable is not set, sc->server->ocsp_mask is "UNSET" = (-1) in ssl_callback_SSLVerify. -1 is 11111111111111111111111111111111 in binary:

(gdb) frame
#4  0x00007fbf5b3fc22f in ssl_callback_SSLVerify (ok=<optimized out>, ctx=0x7ffdff7b27e0) at ssl_engine_kernel.c:1433
/usr/src/debug/httpd-2.4.6/modules/ssl/ssl_engine_kernel.c:1433:53438:beg:0x7fbf5b3fc22f
(gdb) p/t sc.server.ocsp_mask
$6 = 11111111111111111111111111111111
(gdb) p/t SSL_OCSPCHECK_CHAIN
$7 = 10

Therefore, if ssl_verify_error_is_optional(errnum) == false, an OCSP request will be tried at line 1433 in ssl_engine_kernel.c:

1419     if (ok && ((sc->server->ocsp_mask & SSL_OCSPCHECK_CHAIN) ||
1420          (errdepth == 0 && (sc->server->ocsp_mask & SSL_OCSPCHECK_LEAF)))) {
1421         /* If there was an optional verification error, it's not
1422          * possible to perform OCSP validation since the issuer may be
1423          * missing/untrusted.  Fail in that case. */
1424         if (ssl_verify_error_is_optional(errnum)) {
1425             X509_STORE_CTX_set_error(ctx, X509_V_ERR_APPLICATION_VERIFICATION);
1426             errnum = X509_V_ERR_APPLICATION_VERIFICATION;
1427             ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, conn, APLOGNO(02038)
1428                           "cannot perform OCSP validation for cert "
1429                           "if issuer has not been verified "
1430                           "(optional_no_ca configured)");
1431             ok = FALSE;
1432         } else {
1433             ok = modssl_verify_ocsp(ctx, sc, s, conn, conn->pool);
1434             if (!ok) {
1435                 errnum = X509_STORE_CTX_get_error(ctx);
1436             }
1437         }
1438     }


Code is needed to set it to SSL_OCSPCHECK_NONE (which should be the default) when it is not specified.
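To make the root cause concrete, here is an added example (not code from the httpd project or from the reporter) that reproduces the bit test quoted from ssl_callback_SSLVerify with the constant values the gdb output shows (UNSET == -1, SSL_OCSPCHECK_CHAIN == 0b10). The values assumed for SSL_OCSPCHECK_NONE and SSL_OCSPCHECK_LEAF, the function names, and the chain depths are my own. It shows that the -1 sentinel satisfies the mask test at every chain depth, and a hardened variant that resolves the sentinel to the intended default before any bitwise test.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constants modelled on mod_ssl. The page shows UNSET == -1 and
 * SSL_OCSPCHECK_CHAIN == 0b10; the NONE and LEAF values are assumptions
 * consistent with that. */
#define UNSET               (-1)
#define SSL_OCSPCHECK_NONE  (0)
#define SSL_OCSPCHECK_LEAF  (1 << 0)
#define SSL_OCSPCHECK_CHAIN (1 << 1)

/* The condition quoted from ssl_engine_kernel.c, lines 1419-1420:
 * returns true when an OCSP request would be attempted at this depth.
 * With ocsp_mask == UNSET (-1), every bit is set, so the CHAIN test
 * passes at every depth even though SSLOCSPEnable was never configured. */
bool ocsp_check_wanted_buggy(int ocsp_mask, int errdepth)
{
    return (ocsp_mask & SSL_OCSPCHECK_CHAIN) ||
           (errdepth == 0 && (ocsp_mask & SSL_OCSPCHECK_LEAF));
}

/* Hardened variant: map the "not configured" sentinel to the intended
 * default before the value is used as a bitmask. */
int resolve_ocsp_mask(int ocsp_mask)
{
    return ocsp_mask == UNSET ? SSL_OCSPCHECK_NONE : ocsp_mask;
}

bool ocsp_check_wanted_fixed(int ocsp_mask, int errdepth)
{
    int mask = resolve_ocsp_mask(ocsp_mask);
    return (mask & SSL_OCSPCHECK_CHAIN) ||
           (errdepth == 0 && (mask & SSL_OCSPCHECK_LEAF));
}

/* Count the depths 0..maxdepth (leaf == 0) at which a lookup would fire. */
int count_ocsp_lookups(bool (*wanted)(int, int), int ocsp_mask, int maxdepth)
{
    int n = 0;
    for (int d = 0; d <= maxdepth; d++)
        if (wanted(ocsp_mask, d))
            n++;
    return n;
}

int main(void)
{
    /* Constructed inputs: the four mask states over a 3-certificate chain. */
    int masks[] = { UNSET, SSL_OCSPCHECK_NONE, SSL_OCSPCHECK_LEAF, SSL_OCSPCHECK_CHAIN };
    const char *names[] = { "UNSET", "NONE", "LEAF", "CHAIN" };
    for (int i = 0; i < 4; i++)
        printf("%-5s lookups: buggy=%d fixed=%d\n", names[i],
               count_ocsp_lookups(ocsp_check_wanted_buggy, masks[i], 2),
               count_ocsp_lookups(ocsp_check_wanted_fixed, masks[i], 2));
    return 0;
}
```

The general lesson is that a negative sentinel such as -1 must never reach a bitwise AND against flag values: either initialize the field to the real default, or normalize the sentinel away at the point where it is consumed.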

Comment 2 Hisanobu Okuda 2019-06-26 06:04:52 UTC
Created attachment 1584605 [details]
untarme.tgz

Comment 3 Hisanobu Okuda 2019-06-27 00:11:20 UTC
The ocsp_mask's initial value should be SSL_OCSPCHECK_NONE:

[root@e5018ace4173 ssl]# diff -u ssl_engine_config.c.org ssl_engine_config.c
--- ssl_engine_config.c.org     2019-06-27 00:07:25.590004085 +0000
+++ ssl_engine_config.c 2019-06-27 00:09:15.764960120 +0000
@@ -130,7 +130,7 @@
     mctx->auth.verify_depth   = UNSET;
     mctx->auth.verify_mode    = SSL_CVERIFY_UNSET;
 
-    mctx->ocsp_mask           = UNSET;
+    mctx->ocsp_mask           = SSL_OCSPCHECK_NONE;
     mctx->ocsp_force_default  = FALSE;
     mctx->ocsp_responder      = NULL;
     mctx->ocsp_resptime_skew  = UNSET;
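Review bot: initializing ocsp_mask to SSL_OCSPCHECK_NONE makes the bit test in ssl_callback_SSLVerify come out false by default, but the neighbouring fields in this hunk (verify_depth and ocsp_resptime_skew set to UNSET, verify_mode set to SSL_CVERIFY_UNSET) keep a sentinel that presumably lets a later merge step tell an unset value apart from an explicitly configured one. If ocsp_mask is merged the same way, a virtual host that never sets SSLOCSPEnable will now carry an explicit NONE and may stop inheriting the main server's setting; check the merge code for ocsp_mask (not in this hunk) and, if it relies on UNSET, consider instead resolving UNSET to SSL_OCSPCHECK_NONE after merging or at the point of the mask test, so that -1 never reaches a bitwise AND.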
[root@e5018ace4173 ssl]#

Comment 13 errata-xmlrpc 2020-03-31 20:03:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:1121