Bug 971861

Summary: Multiple Issues with OCSP
Product: [JBoss] JBoss Enterprise Web Server 2
Reporter: Eric Rich <erich>
Component: httpd
Assignee: Weinan Li <weli>
Status: CLOSED CURRENTRELEASE
QA Contact: Libor Fuka <lfuka>
Severity: high
Docs Contact:
Priority: unspecified
Version: unspecified
CC: jawilson, jdoyle, lfuka, mhasko, mhusnain, myarboro, pslavice, rsvoboda, weli
Target Milestone: ---
Target Release: 2.0.1
Hardware: Unspecified
OS: All
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
OCSP (mod_ssl) mishandles responses from some responders in specific situations. For example, if a responder sends NULL or blank data but does not close the connection, mod_ssl unexpectedly ends the response. Further information about this issue is available at http://openssl.6102.n7.nabble.com/Decoding-OCSP-response-data-ASN1-D2I-READ-BIO-not-enough-data-td24437.html

Additionally, OCSP does not work as expected when used in conjunction with an intermediate CA (Certification Authority), for example when an intermediate CA is used in the Apache configuration. Further information about this issue is available at https://issues.apache.org/bugzilla/show_bug.cgi?id=46037

As a result of these problems, certain OCSP responders do not work as expected with JBoss Enterprise Web Server, and intermediary CAs also do not work as expected. These problems are fixed in JBoss Enterprise Web Server 2.0.1 using a patch. As a result of the fix, third-party OCSP responders and intermediary CAs work as expected with JBoss Enterprise Web Server.
Story Points: ---
Clone Of:
Blocks: 972040, 987851, 1012925
Environment:
Last Closed: 2014-01-03 12:58:25 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 972040, 987851, 1012925
Attachments:
 - Full diff for patch (flags: none)
 - Test build (flags: none)

Description Eric Rich 2013-06-07 12:55:29 UTC
Created attachment 758152 [details]
Full diff for patch

Description of problem:

OCSP (mod_ssl) does not properly handle responses from some responders.
   - If a responder sends null or blank data (but does not close the connection)
     mod_ssl simply ends the response.
   Issue best described by: http://openssl.6102.n7.nabble.com/Decoding-OCSP-response-data-ASN1-D2I-READ-BIO-not-enough-data-td24437.html

OCSP also does not work when an intermediate CA is in place (for Apache configuration)

   Issue best described by: https://issues.apache.org/bugzilla/show_bug.cgi?id=46037


Diff is attached for both issues, as well as a fix for the init script handling
   (it was changing files in the source directory, which is really bad RPM practice).
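
Added example, not part of this report or of the attached patch: a small Python reader that models the first failure mode above, a responder that sends nothing or a blank body but leaves the connection open, and classifies the reply rather than treating the empty read as a complete response. The HTTP framing and the DER sample bytes are constructed for the example; nothing here is mod_ssl's own code.

```python
"""Defensive handling of an OCSP HTTP reply (constructed example)."""
import socket

OCSP_CONTENT_TYPE = b"application/ocsp-response"


def read_reply(recv, max_bytes=65536):
    """Drain a responder reply through recv(n) -> bytes.

    recv is assumed to raise socket.timeout when the responder goes quiet
    without closing; that ends the read so the bytes can be judged by
    classify_reply instead of blocking forever or being silently accepted.
    """
    chunks, total = [], 0
    while total < max_bytes:
        try:
            chunk = recv(4096)
        except socket.timeout:
            break                    # responder idle, connection still open
        if not chunk:
            break                    # responder closed the connection
        chunks.append(chunk)
        total += len(chunk)
    return b"".join(chunks)


def classify_reply(raw):
    """Return 'empty', 'truncated', 'http-error', 'bad-content-type',
    'not-der' or 'ok' for the raw HTTP/1.x reply bytes."""
    if not raw.strip():
        return "empty"               # NULL/blank data: not a valid response
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return "truncated"           # header block never terminated
    lines = head.split(b"\r\n")
    status = lines[0].split(b" ")
    if len(status) < 2 or status[1] != b"200":
        return "http-error"
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    ctype = headers.get(b"content-type", b"").lower()
    if not ctype.startswith(OCSP_CONTENT_TYPE):
        return "bad-content-type"
    expected = int(headers.get(b"content-length", len(body)))
    if not body.strip():
        return "empty"               # headers only, zero-length body
    if len(body) < expected:
        return "truncated"           # fewer bytes than advertised
    if body[0] != 0x30:
        return "not-der"             # DER OCSPResponse starts with SEQUENCE
    return "ok"
```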

Comment 1 Eric Rich 2013-06-07 12:56:51 UTC
Created attachment 758153 [details]
Test build

Also attaching test build of the patch.

Comment 2 Misha H. Ali 2013-06-10 05:03:58 UTC
Is this a late addition for the JBEWS 2.0.1 release notes? Drafting a release note if this is the case. If not, please correct me.

Setting need info for Wei Nan to confirm the above and to ACK the doc text.

Comment 3 Jimmy Wilson 2013-06-11 03:14:04 UTC
Per Permaine, we're including this for 2.0.1 CR as well.  I'm assuming that's acceptable to all.  Please ACK for inclusion.

Comment 4 Libor Fuka 2013-06-24 06:57:37 UTC
Verified on EWS 2.0.1 CR3 on Solaris 10,11 (Intel 32,64, SPARC), Windows 2008 (32, 64) and Windows 2008 R2 (64 bit)

Comment 5 Michal Haško 2013-06-26 08:54:13 UTC
VERIFIED on
 - EWS 2.0.1 CR3 RHEL5 i386 zips
 - EWS 2.0.1 CR3 RHEL5 x86_64 zips
 - EWS 2.0.1 CR3 RHEL6 i386 zips
 - EWS 2.0.1 CR3 RHEL6 x86_64 zips
 - httpd-2.2.22-23.ep6.el5.src.rpm
 - httpd-2.2.22-23.ep6.el6.src.rpm

Comment 6 Libor Fuka 2013-06-28 07:50:26 UTC
*** Bug 972040 has been marked as a duplicate of this bug. ***

Comment 8 Libor Fuka 2013-09-27 06:31:40 UTC
It was built for RHEL6 EWS 2.0.1.

Comment 9 Eric Rich 2013-09-27 11:51:27 UTC
Closing (and moving to https://bugzilla.redhat.com/show_bug.cgi?id=1012925)