Topic: Browser returns error when I try to configure OCSP Stapling
jack01



Joined: 28 Feb 2014
Posts: 27

PostPosted: Wed 27 Jan '16 14:22    Post subject: Browser returns error when I try to configure OCSP Stapling

Hi,
I would like to configure OCSP Stapling.

My server is "Apache 2.4.18" 64-bit on Windows 2008 R2 64-bit, downloaded from http://www.apachelounge.com/download/VC10/binaries/httpd-2.4.18-win64.zip

I read several documents and also found this thread https://www.apachelounge.com/viewtopic.php?t=6583 where "James Blond" suggests how to set the settings.

My Apache httpd is installed in path: C:\Programs\Apache\Apache24\

I did the following:
1. Stopped "Apache2.4" Windows service.
2. Deleted all log files from C:\Programs\Apache\Apache24\logs directory.
3. In C:\Programs\Apache\Apache24\conf\httpd.conf I have removed the comment so I now have:
Code:
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so

4. In C:\Programs\Apache\Apache24\extra\httpd-ssl.conf I have searched for "<VirtualHost _default_:443>" and added the code below BEFORE (outside of) the "VirtualHost" directive:
Code:
SSLUseStapling on
SSLStaplingCache shmcb:C:/Programs/Apache/Apache24/logs/ssl_stapling_data(512000)

5. Saved both config files.
6. Started "Apache2.4" Windows service without a problem. No error stored in log files.
7. In Firefox 44 on Windows 7 I typed the https URL of my https web site and I get this error in the browser:
Code:

Secure Connection Failed

An error occurred during a connection to <my_server_name>. The OCSP server suggests trying again later. (Error code: sec_error_ocsp_try_server_later)

- The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
- Please contact the website owners to inform them of this problem.


Additional tests:
1. Accessing the web site with Firefox 24 ESR, which displays the web page normally. This is expected because OCSP Stapling is implemented in Firefox 26 and above, so Firefox 24 falls back to the normal "OCSP protocol" without "OCSP Stapling". This somehow proves there has got to be some problem in "OCSP Stapling".
2. I tried to test OCSP Stapling with command:
Code:
echo | openssl s_client -connect <my_domain_name>:443 -status 2>&1 | grep "OCSP"

and after about half a minute I got the response:
Code:
OCSP response:
OCSP Response Data:
    OCSP Response Status: trylater (0x3)

3. I have commented out the lines from step 4 above, restarted the Apache2.4 Windows service and accessed the web site with Firefox 44 again, and now it works fine. So it looks like something is wrong with OCSP Stapling in my case.

Any idea what is wrong?


Last edited by jack01 on Wed 27 Jan '16 15:40; edited 1 time in total
jraute



Joined: 13 Sep 2013
Posts: 188
Location: Rheinland, Germany

PostPosted: Wed 27 Jan '16 14:42    Post subject:

Firewall checked?

World Wide Web Services (HTTP Traffic-IN)
World Wide Web Services (HTTPS Traffic-IN)

Online Responder Service (TCP-Out)

...
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg

PostPosted: Wed 27 Jan '16 15:03    Post subject:

I had / have that problem with one registrar, too. The only working option is

Code:

SSLUseStapling Off
jack01



Joined: 28 Feb 2014
Posts: 27

PostPosted: Wed 27 Jan '16 15:40    Post subject:

@jraute, this is a test server, so I have now turned off Windows Firewall and the problem remains.
@James Blond, sorry, I don't really understand what you are suggesting. Doesn't "SSLUseStapling Off" turn off OCSP Stapling?

=====================
Additional info. I tried searching for the "OCSP Response Status: trylater (0x3)" error and found the official IETF documentation at: https://www.ietf.org/rfc/rfc2560.txt
Code:
In the event that the OCSP responder is operational, but unable to return a status for the requested certificate, the "tryLater" response can be used to indicate that the service exists, but is temporarily unable to respond.

Does this really mean that browser-to-http-server OCSP Stapling is configured correctly, but there is some other problem? Is there a problem with the http server communicating with the CA and not getting certificate revocation info, or something else? Is there something I can additionally debug?
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg

PostPosted: Wed 27 Jan '16 15:57    Post subject:

Yepp, turn off the stapling so that the browser will do the request, not the server. Then the error will disappear.

If it fails only sometimes, you have to set a different timing (maybe only a few seconds instead of 600 seconds) with SSLStaplingErrorCacheTimeout.

But that did not work with all registrars for me. So I had to disable the caching.
jack01



Joined: 28 Feb 2014
Posts: 27

PostPosted: Thu 28 Jan '16 13:25    Post subject:

I have set both settings below to:
Code:
SSLStaplingErrorCacheTimeout 2
SSLStaplingStandardCacheTimeout 2


but still I can NEVER establish a connection with Firefox 44.

I don't really know what the problem is. Maybe the OCSP server does not respond at all. I don't know, because I don't have enough knowledge to debug this. Any tip in this direction would be nice to have.



But I have searched the web and found out that:
- the Chrome browser does not use OCSP at all,
- the Firefox browser uses the OCSP protocol, but if it fails, then it ignores the error and continues with the SSL handshake.
But on the other hand, if I somehow establish "OCSP Stapling" and it starts working fine, but then suddenly there is some problem at the "OCSP provider", then Firefox 26+ users are not going to be able to communicate with my http server. There is no fallback to the ordinary "OCSP protocol" (browser checking certificate revocation) or even ignoring the error if using "OCSP Stapling". Just wondering, isn't it very dangerous to use "OCSP Stapling" from an http server stability point of view?
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg

PostPosted: Thu 04 Feb '16 17:06    Post subject:

Maybe you have to set SSLStaplingForceURL if the server detects a wrong URL.
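As an added diagnostic (not code from this thread or from Apache Lounge) for jack01's question about what else to debug and James Blond's pointer to SSLStaplingForceURL: the script below compares the OCSP response the server staples with the answer the responder gives when queried directly at the URL named in the certificate, which is the same request mod_ssl makes. It assumes openssl, awk and sed are installed, that the responder is reachable from where it runs, and uses port 443 unless a second argument is given.

```shell
#!/bin/sh
# Added diagnostic script (not from the thread). Assumes openssl, awk, sed and
# grep are installed and that the OCSP responder listed in the certificate's
# AIA extension (the URL mod_ssl queries unless SSLStaplingForceURL overrides it)
# is reachable from where the script runs.

# Reduce OCSP output on stdin (from "openssl s_client -status" or "openssl ocsp")
# to one word: "absent" when no response was stapled, otherwise the OCSP Response
# Status (successful, trylater, ...) plus the Cert Status when successful.
classify_ocsp() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/.*OCSP Response Status: \([A-Za-z]*\).*/\1/p' | head -n 1)
    cert=$(printf '%s\n' "$out" | sed -n 's/.*Cert Status: \([A-Za-z]*\).*/\1/p' | head -n 1)
    if [ -z "$status" ]; then
        echo absent
    elif [ "$status" = successful ]; then
        echo "successful ${cert:-unknown}"
    else
        echo "$status"
    fi
}

# Compare the response the server staples with what the responder returns when
# asked directly. "trylater" from the direct query means the responder itself is
# degraded (nothing to fix on the server); a good direct answer but a stapled
# trylater or "absent" points at the server's own path to the responder
# (firewall rule, proxy, or the URL the certificate names).
diagnose_host() {
    host=$1; port=${2:-443}; tmp=$(mktemp -d)
    echo "stapled by $host: $(echo | openssl s_client -connect "$host:$port" \
        -servername "$host" -status 2>&1 | classify_ocsp)"
    # Split the presented chain: cert1.pem is the leaf, cert2.pem its issuer.
    echo | openssl s_client -connect "$host:$port" -servername "$host" -showcerts 2>/dev/null |
        awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++; f = d "/cert" n ".pem"; p = 1 }
                         p { print > f }
                         /-----END CERTIFICATE-----/ { p = 0 }'
    uri=$(openssl x509 -in "$tmp/cert1.pem" -noout -ocsp_uri)
    echo "responder URL in certificate: ${uri:-none}"
    if [ -n "$uri" ] && [ -f "$tmp/cert2.pem" ]; then
        # -noverify: skip responder signature checks; only availability matters here.
        echo "direct query to responder: $(openssl ocsp -issuer "$tmp/cert2.pem" \
            -cert "$tmp/cert1.pem" -url "$uri" -noverify -resp_text 2>&1 | classify_ocsp)"
    fi
    rm -rf "$tmp"
}

# Run against a host only when one is given, so the functions can also be sourced.
if [ $# -gt 0 ]; then diagnose_host "$@"; fi
```

Run it as `sh ocsp_check.sh www.example.com` from the Apache host itself, since that is the network path mod_ssl uses; if the direct query already answers "trylater", lowering SSLStaplingErrorCacheTimeout only shortens how long the bad answer is cached.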