
Bug 976451

Summary: Bug in ssl_util_ocsp.c breaks http://ocsp.disa.mil
Product: [JBoss] JBoss Enterprise Web Server 2
Reporter: Jesse Sightler <jsightle>
Component: httpd
Assignee: Weinan Li <weli>
Status: CLOSED EOL
QA Contact: Libor Fuka <lfuka>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 2.1.0
CC: jclere, jdoyle, jsightle, pslavice, rsvoboda
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Previously in JBoss Enterprise Web Server, the code in the <filename>ssl_util_ocsp.c</filename> file was broken: a read of 0 bytes from <parameter>apr_bucket_read</parameter> was treated as the end of the file (<literal>EOF</literal>), although a zero-length read does not indicate one. Due to this problem, the code exited prematurely with a false EOF error for some OCSP responders. This is fixed in JBoss Enterprise Web Server 2.1 so that the code in the <filename>ssl_util_ocsp.c</filename> file detects <literal>EOF</literal> correctly and operates as expected.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-13 12:09:57 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Jesse Sightler 2013-06-20 15:22:24 UTC
Description of problem:

The code does this:

rv = apr_bucket_read(e, &data, &len, APR_BLOCK_READ);
if (rv == APR_EOF || (rv == APR_SUCCESS && len == 0)) {
    ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(01984) "OCSP response:  got EOF");
    break;
}

This code is broken, as apr_bucket_read returning 0 bytes does not indicate EOF. I cannot find anywhere elsewhere in the codebase where this type of check is done.

As a result, with some OCSP responders, the code exits prematurely with a false EOF error.

Empty buckets are common from the bucket brigade, apparently. :)

Replacing the above code with:
if (rv == APR_EOF) {

results in a working system.


Version-Release number of selected component (if applicable):

httpd-2.2.22-14.ep6.el6.src.rpm

How reproducible:

Every time
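
To make the failure concrete, here is an added, self-contained C example (not code from httpd or from this bug report) that simulates a bucket brigade in which an empty bucket precedes the real end-of-stream, and drains it once with the original check and once with the reporter's replacement. The apr_status_t, APR_SUCCESS, APR_EOF, sim_bucket, sim_bucket_read, collect_response and k_brigade names are local stand-ins defined inside the example, not APR's API, and the brigade contents are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the APR types and status codes used in
 * ssl_util_ocsp.c; this example does not link against APR. */
typedef int apr_status_t;
#define APR_SUCCESS 0
#define APR_EOF     70014   /* same numeric value as APR's APR_EOF */

/* A simulated bucket: either carries bytes (possibly zero of them, as real
 * brigades routinely do) or is the end-of-stream marker. */
typedef struct {
    const char *data;
    size_t      len;
    int         is_eos;
} sim_bucket;

/* Stand-in for apr_bucket_read(): returns APR_EOF only for the EOS bucket,
 * and APR_SUCCESS with len == 0 for an empty data bucket. */
static apr_status_t sim_bucket_read(const sim_bucket *b,
                                    const char **data, size_t *len)
{
    if (b->is_eos) {
        *data = NULL;
        *len = 0;
        return APR_EOF;
    }
    *data = b->data;
    *len = b->len;
    return APR_SUCCESS;
}

/* Drain the brigade into out (NUL-terminated, at most cap-1 bytes) and return
 * the number of response bytes collected.  zero_len_is_eof selects between
 * the original check (rv == APR_EOF || (rv == APR_SUCCESS && len == 0)) and
 * the reporter's replacement (rv == APR_EOF). */
static size_t collect_response(const sim_bucket *bb, size_t nbuckets,
                               int zero_len_is_eof, char *out, size_t cap)
{
    size_t total = 0;
    for (size_t i = 0; i < nbuckets && cap > 0; i++) {
        const char *data;
        size_t len;
        apr_status_t rv = sim_bucket_read(&bb[i], &data, &len);

        if (rv == APR_EOF ||
            (zero_len_is_eof && rv == APR_SUCCESS && len == 0)) {
            break;                          /* "OCSP response: got EOF" */
        }
        if (rv != APR_SUCCESS) {
            break;                          /* read error: stop here */
        }
        if (len > cap - 1 - total) {
            len = cap - 1 - total;          /* never overrun out */
        }
        memcpy(out + total, data, len);
        total += len;
    }
    if (cap > 0) {
        out[total] = '\0';
    }
    return total;
}

/* Constructed brigade: a response split over two data buckets with an empty
 * bucket between them, followed by end-of-stream. */
static const sim_bucket k_brigade[] = {
    { "HTTP-body-part-1:", 17, 0 },
    { "",                   0, 0 },   /* empty bucket, not EOF */
    { "part-2",             6, 0 },
    { NULL,                 0, 1 },   /* end-of-stream */
};
#define K_NBUCKETS (sizeof k_brigade / sizeof k_brigade[0])

/* Original check: stops at the empty bucket, silently truncating the body. */
size_t read_with_original_check(char *out, size_t cap)
{
    return collect_response(k_brigade, K_NBUCKETS, 1, out, cap);
}

/* Reporter's fix: only a real EOF ends the loop, so the whole body arrives. */
size_t read_with_fixed_check(char *out, size_t cap)
{
    return collect_response(k_brigade, K_NBUCKETS, 0, out, cap);
}

int main(void)
{
    char buf[64];
    size_t n = read_with_original_check(buf, sizeof buf);
    printf("original check: %zu bytes -> \"%s\"\n", n, buf);
    n = read_with_fixed_check(buf, sizeof buf);
    printf("fixed check:    %zu bytes -> \"%s\"\n", n, buf);
    return 0;
}
```

With the original check the loop returns after the first bucket and the remainder of the response is discarded, which is the "false EOF" the report describes; a truncated OCSP response then cannot be parsed. The responder that emits such buckets is not malfunctioning, so the consumer, not the sender, has to be tolerant of zero-length reads.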

Comment 2 Jesse Sightler 2013-09-05 12:59:52 UTC
I believe this is a duplicate of:
https://bugzilla.redhat.com/show_bug.cgi?id=987851

(albeit 987851 was filed after this one)

Comment 3 Weinan Li 2013-10-15 13:00:50 UTC
From the BZ, it seems like the fix that we've put in EAP 6.1.1 is needed for EWS, as EWS 2.0.1 shipped before EAP 6.1.1 and the fix in EAP is needed for EWS (probably in 2.0.2).

Comment 4 Jean-frederic Clere 2014-02-13 13:56:54 UTC
It is already fixed: http://pkgs.devel.redhat.com/cgit/rpms/httpd/tree/httpd-ocsp-entrust.patch?h=ep-6-rhel-5

Comment 5 Libor Fuka 2014-06-09 11:54:57 UTC
Verified by source:
Solaris - fixed, verified
Windows - fixed, verified
RHEL - fixed, verified

Comment 6 Libor Fuka 2014-06-09 12:47:35 UTC
Verified in EWS 2.1.0-ER2

Comment 7 Mandar Joshi 2014-08-11 10:01:34 UTC
Added doc text.