Bug 971861 - Multiple Issues with OCSP
Summary: Multiple Issues with OCSP
Alias: None
Product: JBoss Enterprise Web Server 2
Classification: JBoss
Component: httpd
Version: unspecified
Hardware: Unspecified All
Target Milestone: ---
Target Release: 2.0.1
Assignee: Weinan Li
QA Contact: Libor Fuka
Depends On:
Blocks: 972040 987851 1012925
Reported: 2013-06-07 12:55 UTC by Eric Rich
Modified: 2018-12-03 19:02 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
OCSP (mod_ssl) mishandles responses from responders in specific situations. For example, if a responder sends NULL or blank data but does not close the connection, mod_ssl unexpectedly ends the response. Further information about this issue is available at http://openssl.6102.n7.nabble.com/Decoding-OCSP-response-data-ASN1-D2I-READ-BIO-not-enough-data-td24437.html. Additionally, OCSP does not work as expected when used in conjunction with an intermediate CA (Certification Authority), for example when such a CA is used in the Apache configuration. Further information about this issue is available at https://issues.apache.org/bugzilla/show_bug.cgi?id=46037. As a result of these problems, certain OCSP responders do not work as expected with JBoss Enterprise Web Server, and intermediary CAs also do not work as expected. These problems are fixed in JBoss Enterprise Web Server 2.0.1 using a patch. As a result of the fix, third-party OCSP responders and intermediary CAs work as expected with JBoss Enterprise Web Server.
Story Points: ---
Clone Of:
Clones: 972040 987851 1012925
Last Closed: 2014-01-03 12:58:25 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments
Full diff for patch (10.15 KB, patch)
2013-06-07 12:55 UTC, Eric Rich
Test build (177.62 KB, application/x-sharedlib)
2013-06-07 12:56 UTC, Eric Rich

Description Eric Rich 2013-06-07 12:55:29 UTC
Created attachment 758152 [details]
Full diff for patch

Description of problem:

OCSP (mod_ssl) does not properly handle responses from some responders.
   - If a responder sends null or blank data (but does not close the connection),
     mod_ssl simply ends the response.
   Issue best described by: http://openssl.6102.n7.nabble.com/Decoding-OCSP-response-data-ASN1-D2I-READ-BIO-not-enough-data-td24437.html

OCSP also does not work when an intermediate CA is in place (for Apache configuration).

   Issue best described by: https://issues.apache.org/bugzilla/show_bug.cgi?id=46037

A diff is attached for both issues, as well as a fix for the init script handling
   (it was changing files in the source directory, which is really bad RPM practice).

Comment 1 Eric Rich 2013-06-07 12:56:51 UTC
Created attachment 758153 [details]
Test build

Also attaching test build of the patch.

Comment 2 Misha H. Ali 2013-06-10 05:03:58 UTC
Is this a late addition for the JBEWS 2.0.1 release notes? Drafting a release note if this is the case. If not, please correct me.

Setting need info for Wei Nan to confirm the above and to ACK the doc text.

Comment 3 Jimmy Wilson 2013-06-11 03:14:04 UTC
Per Permaine, we're including this for 2.0.1 CR as well. I'm assuming that's acceptable to all. Please ACK for inclusion.

Comment 4 Libor Fuka 2013-06-24 06:57:37 UTC
Verified on EWS 2.0.1 CR3 on Solaris 10, 11 (Intel 32, 64, SPARC), Windows 2008 (32, 64) and Windows 2008 R2 (64-bit).

Comment 5 Michal Haško 2013-06-26 08:54:13 UTC
 - EWS 2.0.1 CR3 RHEL5 i386 zips
 - EWS 2.0.1 CR3 RHEL5 x86_64 zips
 - EWS 2.0.1 CR3 RHEL6 i386 zips
 - EWS 2.0.1 CR3 RHEL6 x86_64 zips
 - httpd-2.2.22-23.ep6.el5.src.rpm
 - httpd-2.2.22-23.ep6.el6.src.rpm

Comment 6 Libor Fuka 2013-06-28 07:50:26 UTC
*** Bug 972040 has been marked as a duplicate of this bug. ***

Comment 8 Libor Fuka 2013-09-27 06:31:40 UTC
It was built for RHEL6 EWS 2.0.1.

Comment 9 Eric Rich 2013-09-27 11:51:27 UTC
Closing (and moving to https://bugzilla.redhat.com/show_bug.cgi?id=1012925)
