Bug 971861 - Multiple Issues with OCSP
Status: CLOSED CURRENTRELEASE
Product: JBoss Enterprise Web Server 2
Classification: JBoss
Component: httpd
Version: unspecified
Hardware: Unspecified
OS: All
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: 2.0.1
Assigned To: Weinan Li
QA Contact: Libor Fuka
Depends On:
Blocks: 972040 987851 1012925
Reported: 2013-06-07 08:55 EDT by Eric Rich
Modified: 2014-08-08 00:23 EDT
CC: 9 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
OCSP (mod_ssl) mishandles responses from responders in specific situations. For example, if a responder sends NULL or blank data but does not close the connection, mod_ssl unexpectedly ends the response. Further information about this issue is available at <ulink url="http://openssl.6102.n7.nabble.com/Decoding-OCSP-response-data-ASN1-D2I-READ-BIO-not-enough-data-td24437.html"/>. Additionally, OCSP does not work as expected when used in conjunction with an intermediate CA (Certification Authority), for example when such a CA is used in the Apache configuration. Further information about this issue is available at <ulink url="https://issues.apache.org/bugzilla/show_bug.cgi?id=46037"/>. As a result of these problems, certain OCSP responders do not work as expected with JBoss Enterprise Web Server, and intermediary CAs also do not work as expected. These problems are fixed in JBoss Enterprise Web Server 2.0.1 using a patch. As a result of the fix, third-party OCSP responders and intermediary CAs work as expected with JBoss Enterprise Web Server.
Story Points: ---
Clone Of:
Clones: 972040 987851 1012925
Environment:
Last Closed: 2014-01-03 07:58:25 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
Full diff for patch (10.15 KB, patch)
2013-06-07 08:55 EDT, Eric Rich
Test build (177.62 KB, application/x-sharedlib)
2013-06-07 08:56 EDT, Eric Rich

Description Eric Rich 2013-06-07 08:55:29 EDT
Created attachment 758152 [details]
Full diff for patch

Description of problem:

OCSP (mod_ssl) does not properly handle responses from some responders.
   - If a responder sends null or blank data (but does not close the connection),
     mod_ssl simply ends the response.
   Issue best described by: http://openssl.6102.n7.nabble.com/Decoding-OCSP-response-data-ASN1-D2I-READ-BIO-not-enough-data-td24437.html

OCSP also does not work when an intermediate CA is in place (for Apache configuration).

   Issue best described by: https://issues.apache.org/bugzilla/show_bug.cgi?id=46037


A diff is attached for both issues, as well as a fix for the init script handling
   (it was changing files in the source directory, which is really bad RPM practice).
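The first issue in the report is a client that hands an empty or short HTTP body straight to the DER decoder while the responder keeps the connection open. The following is an added illustration of the defensive handling a client wants on that path (example code, not the attached patch or mod_ssl's own logic): read exactly Content-Length bytes rather than waiting for EOF, then compare the outer OCSPResponse SEQUENCE length with what arrived before decoding. The three HTTP responses at the bottom are constructed samples.

```python
import io

def read_http_body(stream, limit=64 * 1024):
    """Minimal HTTP/1.x reader returning (status, body). Reads exactly
    Content-Length bytes, so an open-but-silent responder cannot stall us."""
    status_line = stream.readline()
    if not status_line.startswith(b"HTTP/1."):
        raise ValueError("not an HTTP response")
    status = int(status_line.split()[1])
    length = 0
    while True:
        line = stream.readline()
        if line in (b"\r\n", b"\n", b""):
            break
        name, _, value = line.decode("latin-1").partition(":")
        if name.strip().lower() == "content-length":
            length = int(value.strip())
    if length > limit:
        raise ValueError("OCSP response too large")
    return status, stream.read(length)

def classify_der(body):
    """Compare the outer OCSPResponse SEQUENCE length with the bytes received.
    Returns 'empty', 'not-der', 'truncated', 'trailing' or 'ok'."""
    if not body:
        return "empty"
    if len(body) < 2 or body[0] != 0x30:
        return "not-der"
    first = body[1]
    if first < 0x80:                      # short-form length
        hdr, length = 2, first
    else:                                 # long form: 0x8n then n length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(body) < 2 + n:
            return "not-der"
        hdr, length = 2 + n, int.from_bytes(body[2:2 + n], "big")
    if len(body) < hdr + length:
        return "truncated"
    if len(body) > hdr + length:
        return "trailing"
    return "ok"

def check_ocsp_response(raw):
    """HTTP framing first, then the DER sanity check, before real decoding."""
    status, body = read_http_body(io.BytesIO(raw))
    return "http-%d" % status if status != 200 else classify_der(body)

# Constructed samples: OCSPResponse carrying only responseStatus=unauthorized(6), an empty body, a cut-short body.
GOOD = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\n\x30\x03\x0a\x01\x06"
EMPTY = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
SHORT = b"HTTP/1.1 200 OK\r\nContent-Length: 3\r\n\r\n\x30\x03\x0a"
```

Anything other than `ok` should be treated as a responder failure (and logged as such) rather than passed to the ASN.1 parser, which is where the "not enough data" error in the linked thread originates.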
Comment 1 Eric Rich 2013-06-07 08:56:51 EDT
Created attachment 758153 [details]
Test build

Also attaching test build of the patch.
Comment 2 Misha H. Ali 2013-06-10 01:03:58 EDT
Is this a late addition for the JBEWS 2.0.1 release notes? Drafting a release note if this is the case. If not, please correct me.

Setting need info for Wei Nan to confirm the above and to ACK the doc text.
Comment 3 Jimmy Wilson 2013-06-10 23:14:04 EDT
Per Permaine, we're including this for 2.0.1 CR as well.  I'm assuming that's acceptable to all.  Please ACK for inclusion.
Comment 4 Libor Fuka 2013-06-24 02:57:37 EDT
Verified on EWS 2.0.1 CR3 on Solaris 10,11 (Intel 32,64, SPARC), Windows 2008 (32, 64) and Windows 2008 R2 (64 bit)
Comment 5 Michal Haško 2013-06-26 04:54:13 EDT
VERIFIED on
 - EWS 2.0.1 CR3 RHEL5 i386 zips
 - EWS 2.0.1 CR3 RHEL5 x86_64 zips
 - EWS 2.0.1 CR3 RHEL6 i386 zips
 - EWS 2.0.1 CR3 RHEL6 x86_64 zips
 - httpd-2.2.22-23.ep6.el5.src.rpm
 - httpd-2.2.22-23.ep6.el6.src.rpm
Comment 6 Libor Fuka 2013-06-28 03:50:26 EDT
*** Bug 972040 has been marked as a duplicate of this bug. ***
Comment 8 Libor Fuka 2013-09-27 02:31:40 EDT
It was built for RHEL6 EWS 2.0.1.
Comment 9 Eric Rich 2013-09-27 07:51:27 EDT
Closing (and moving to https://bugzilla.redhat.com/show_bug.cgi?id=1012925)
