Bug 987851

Summary: Multiple Issues with OCSP
Product: [JBoss] JBoss Enterprise Application Platform 6
Reporter: Ingo Weiss <iweiss>
Component: Apache Server (httpd) and Connectors
Assignee: Mladen Turk <mturk>
Status: CLOSED CURRENTRELEASE
Severity: high
Priority: unspecified
Version: 6.0.1
CC: bmaxwell, erich, jawilson, jdoyle, mhasko, mhusnain, myarboro, pslavice, rsvoboda, weli
Target Milestone: ER4
Target Release: EAP 6.1.1
Hardware: Unspecified
OS: All
Doc Type: Bug Fix
Clone Of: 971861
Last Closed: 2013-09-16 20:30:17 UTC
Type: Bug
Bug Depends On: 971861, 1012925
Bug Blocks: 972040

Description Ingo Weiss 2013-07-24 09:55:33 UTC
This bug also applies to EAP 6's distributed http packages.

+++ This bug was initially created as a clone of Bug #971861 +++

Description of problem:

OCSP (mod_ssl) does not properly handle responses from some responders.
   - If a responder sends null or blank data (but does not close the connection)
     mod_ssl simply ends the response.
   Issue best described by: http://openssl.6102.n7.nabble.com/Decoding-OCSP-response-data-ASN1-D2I-READ-BIO-not-enough-data-td24437.html

OCSP also does not work when an intermediate CA is in place (for Apache configuration).

   Issue best described by: https://issues.apache.org/bugzilla/show_bug.cgi?id=46037


A diff is attached for both issues; it also fixes the init script handling
   (it was changing files in the source directory, which is really bad RPM practice).
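
The first issue described above (a responder that returns blank or partial data while keeping the connection open) comes down to knowing when a complete DER-encoded OCSPResponse has actually arrived. The following is an added example, not the patch attached to this bug and not mod_ssl code; the function name `ocsp_der_check`, the status enum and the `max_total` cap are assumptions made for illustration.

```c
#include <stddef.h>

/* Result of inspecting a buffer that should hold one DER-encoded OCSPResponse. */
enum der_status { DER_NEED_MORE, DER_COMPLETE, DER_MALFORMED };

/*
 * Decide whether buf[0..len) holds a complete DER SEQUENCE (the outer
 * wrapper of an OCSPResponse). On DER_COMPLETE, *total is the encoded size.
 * max_total is a caller-chosen cap (assumption) that bounds memory use.
 */
enum der_status ocsp_der_check(const unsigned char *buf, size_t len,
                               size_t max_total, size_t *total)
{
    size_t hdr = 2, body = 0;

    if (len == 0)
        return DER_NEED_MORE;          /* blank reply so far: keep waiting */
    if (buf[0] != 0x30)
        return DER_MALFORMED;          /* OCSPResponse must be a SEQUENCE */
    if (len < 2)
        return DER_NEED_MORE;

    if (buf[1] < 0x80) {               /* short form: length in one byte */
        body = buf[1];
    } else {
        size_t n = buf[1] & 0x7f;      /* long form: n length bytes follow */
        if (n == 0 || n > 4)
            return DER_MALFORMED;      /* indefinite or absurdly large */
        hdr += n;
        if (len < hdr)
            return DER_NEED_MORE;
        if (buf[2] == 0)
            return DER_MALFORMED;      /* DER forbids leading zero bytes */
        for (size_t i = 0; i < n; i++)
            body = (body << 8) | buf[2 + i];
        if (body < 0x80)
            return DER_MALFORMED;      /* DER requires the short form here */
    }
    if (body > max_total || hdr + body > max_total)
        return DER_MALFORMED;
    if (len < hdr + body)
        return DER_NEED_MORE;          /* truncated: read on or time out */
    *total = hdr + body;
    return DER_COMPLETE;
}
```

A caller would invoke this after each read and treat `DER_NEED_MORE` that persists past its I/O timeout as a responder failure, which is then handled according to the server's revocation-checking policy.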

--- Additional comment from Eric Rich on 2013-06-07 08:56:51 EDT ---

Also attaching test build of the patch.

--- Additional comment from Misha H. Ali on 2013-06-10 01:03:58 EDT ---

Is this a late addition for the JBEWS 2.0.1 release notes? Drafting a release note if this is the case. If not, please correct me.

Setting need info for Wei Nan to confirm the above and to ACK the doc text.

--- Additional comment from Jimmy Wilson on 2013-06-10 23:14:04 EDT ---

Per Permaine, we're including this for 2.0.1 CR as well.  I'm assuming that's acceptable to all.  Please ACK for inclusion.

--- Additional comment from Libor Fuka on 2013-06-24 02:57:37 EDT ---

Verified on EWS 2.0.1 CR3 on Solaris 10,11 (Intel 32,64, SPARC), Windows 2008 (32, 64) and Windows 2008 R2 (64 bit)

--- Additional comment from Michal Haško on 2013-06-26 04:54:13 EDT ---

VERIFIED on
 - EWS 2.0.1 CR3 RHEL5 i386 zips
 - EWS 2.0.1 CR3 RHEL5 x86_64 zips
 - EWS 2.0.1 CR3 RHEL6 i386 zips
 - EWS 2.0.1 CR3 RHEL6 x86_64 zips
 - httpd-2.2.22-23.ep6.el5.src.rpm
 - httpd-2.2.22-23.ep6.el6.src.rpm

--- Additional comment from Libor Fuka on 2013-06-28 03:50:26 EDT ---

Comment 1 Weinan Li 2013-07-27 10:40:40 UTC
zips here: https://bugzilla.redhat.com/show_bug.cgi?id=987851

Comment 2 Michal Haško 2013-08-08 09:23:19 UTC
Only relevant for RPMs, zip httpd is from EWS-2.0.1, which already includes this fix.

VERIFIED during EAP-6.1.1-ER4 testing cycle:
httpd-2.2.22-25.ep6.el5.src.rpm
httpd-2.2.22-25.ep6.el6.src.rpm

The patch is present and applied in srpm.