gijs
Joined: 27 Apr 2012 Posts: 189 Location: The Netherlands
Posted: Thu 11 Jun '15 3:18 Post subject: Can't enable SSLUseStapling on
I'm trying to enable SSLUseStapling by adding:
SSLUseStapling on
to my virtualhost file, but my Apache server immediately exits without any error message.
I have my CA certificate set like:
SSLCACertificateFile "C:\Program Files\Apache Software Foundation\Apache24\bin\ssl2\ca.pem"
Any idea what could cause this?

glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Thu 11 Jun '15 4:52 Post subject:
Is it inside a <Directory> container inside the <VirtualHost>? It's not allowed inside <Directory>, even if that is inside a vhost.
Anything in the Windows event log?
If not, try starting from the command line.
If still nothing, try LogLevel debug.

gijs
Joined: 27 Apr 2012 Posts: 189 Location: The Netherlands
Posted: Thu 11 Jun '15 10:13 Post subject:
I found that I had to enable: SSLStaplingCache shmcb:C:\Progra~2\Apache~1\Apache24\logs\ocsp(512000)

jraute
Joined: 13 Sep 2013 Posts: 188 Location: Rheinland, Germany
Posted: Mon 15 Jun '15 16:35 Post subject:
Did you check your site afterwards at ssllabs.com?
What does it say?
Enabled?
Although I had configured it the same way and I was able to start Apache, I got "Try Later" as status at ssllabs, and that's pretty crazy, because I don't know what I did wrong.

gijs
Joined: 27 Apr 2012 Posts: 189 Location: The Netherlands
Posted: Mon 15 Jun '15 17:05 Post subject:
Yes, it's working fine according to SSLlabs

James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
Posted: Wed 17 Jun '15 12:32 Post subject:
jraute wrote:
    Did you check your site afterwards at ssllabs.com?
    What does it say?
    Enabled?
    Although I had configured it the same way and I was able to start Apache, I got "Try Later" as status at ssllabs, and that's pretty crazy, because I don't know what I did wrong.
Were you able to get it working or do you need support?

jraute
Joined: 13 Sep 2013 Posts: 188 Location: Rheinland, Germany
Posted: Thu 18 Jun '15 7:25 Post subject:
Quote:
    Were you able to get it working or do you need support?
Thanks for asking!
No, I wasn't able to get another status at ssllabs than "Try later".
Any idea?

James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
Posted: Thu 18 Jun '15 10:39 Post subject:
My current config is
Global in httpd.conf
Code:
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
#...
SSLUseStapling on
SSLSessionCache shmcb:/apache2/logs/ssl_gcache_data(512000)
SSLStaplingCache shmcb:/apache2/logs/ssl_stapling_data(512000)

Since there is a bit more SSL config, you can see it at http://pastebin.com/skQwBNQD
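Once SSLStaplingCache and SSLUseStapling are in place (the fix gijs found and the httpd.conf excerpt above), the stapled response can be checked from the server itself instead of waiting for ssllabs.com, which is what jraute's question about the "Try Later" status comes down to. The script below is an added example and is not from this thread or from the Apache project. It shells out to the `openssl` binary (assumed to be on PATH) and parses the output of `openssl s_client -status`; the hostname is a placeholder, and the three sample outputs are constructed so that the parser can be exercised offline.

```python
"""Check whether a TLS server staples an OCSP response (added example).

Assumes the `openssl` command-line tool is installed and on PATH.
The sample outputs below are constructed from the shape of
`openssl s_client -status` output, not captured from a real server.
"""
import re
import subprocess
import sys

# Constructed sample: the server stapled a good response.
SAMPLE_STAPLED = """\
CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jun 18 06:00:00 2015 GMT
    Next Update: Jun 25 06:00:00 2015 GMT
======================================
"""

# Constructed sample: the server stapled a responder error (what the
# thread saw reported by ssllabs.com as TRY_LATER).
SAMPLE_TRY_LATER = """\
CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: trylater (0x3)
======================================
"""

# Constructed sample: stapling not enabled at all.
SAMPLE_NOT_STAPLED = """\
CONNECTED(00000003)
OCSP response: no response sent
"""


def parse_stapling(output: str) -> dict:
    """Reduce `openssl s_client -status` output to a small verdict.

    Returns {"stapled": bool, "status": str|None, "cert_status": str|None}.
    """
    if "OCSP response: no response sent" in output:
        return {"stapled": False, "status": None, "cert_status": None}
    status = re.search(r"OCSP Response Status: (\w+)", output)
    cert = re.search(r"Cert Status: (\w+)", output)
    return {
        "stapled": True,
        "status": status.group(1) if status else None,
        "cert_status": cert.group(1) if cert else None,
    }


def check_stapling(host: str, port: int = 443, timeout: float = 10.0) -> dict:
    """Connect with SNI and ask for a stapled OCSP response, then parse it."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-servername", host, "-status"]
    # Empty stdin makes s_client exit right after the handshake.
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    return parse_stapling(proc.stdout.decode(errors="replace"))


if __name__ == "__main__":
    # Placeholder hostname; pass your own vhost name as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"
    print(check_stapling(target))
```

A `trylater` status while the CA's responder is healthy normally means Apache itself could not reach the responder (compare the AH01974 lines further down in the thread): by default mod_ssl then staples a synthesized tryLater response (the SSLStaplingFakeTryLater directive), which is what ssllabs.com reports as TRY_LATER. A healthy setup returns `successful` with `Cert Status: good`.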

jraute
Joined: 13 Sep 2013 Posts: 188 Location: Rheinland, Germany
Posted: Fri 19 Jun '15 8:35 Post subject:
That is my configuration, and it is no problem to start Apache with it, but ssllabs says: "OCSP stapling Invalid OCSP response failed: TRY_LATER"
Is it a problem when activating stapling, so that I only have to wait a day or so?
Oha, problem found!
In the error log it says:
    [Fri Jun 19 08:31:54.658867 2015] [ssl:error] [pid 2012:tid 2424] (OS 10061)Es konnte keine Verbindung hergestellt werden, da der Zielcomputer die Verbindung verweigerte. : [client 64.41.200.108:33119] AH01974: could not connect to OCSP responder 'ocsp2.globalsign.com'
    [Fri Jun 19 08:31:54.658867 2015] [ssl:error] [pid 2012:tid 2424] AH01941: stapling_renew_response: responder error
    [Fri Jun 19 08:32:06.764488 2015] [ssl:error] [pid 2012:tid 2424] [client 64.41.200.108:33865] AH02042: rejecting client initiated renegotiation
Could be a problem with the firewall.
But what would be necessary besides the config changes?

Steffen Moderator
Joined: 15 Oct 2005 Posts: 3092 Location: Hilversum, NL, EU

James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
Posted: Mon 22 Jun '15 17:55 Post subject:
jraute wrote:
    (OS 10061)Es konnte keine Verbindung hergestellt werden, da der Zielcomputer die Verbindung verweigerte. : [client 64.41.200.108:33119] AH01974: could not connect to OCSP responder 'ocsp2.globalsign.com'
jraute wrote:
    Could be a problem with the firewall.
    But what would be necessary besides the config changes?
The client / browser needs to connect to the ocsp2.globalsign.com server to verify the certificate. BUT stapling does that work for the client on the server / Apache.[1]
So yes, you need to configure your firewall.
[1] https://en.wikipedia.org/wiki/OCSP_stapling
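The firewall change that stapling needs is outbound only: the Apache host itself must be able to reach the responder named in the certificate's Authority Information Access extension, and the AH01974 / AH01941 lines above are the signal that it cannot. The script below is an added example (not from the thread or from Apache) that pulls those failures out of an error log and derives the egress target from the certificate. It relies on the `openssl` binary being on PATH for the certificate lookup; the log lines are the ones posted in the thread, embedded as sample input, and the certificate path is a placeholder.

```python
"""Spot OCSP-responder failures in an Apache error log and derive the
outbound firewall target that stapling needs (added example).

Assumes `openssl` is on PATH for ocsp_uri_from_cert(); everything else
runs offline against the embedded sample log.
"""
import re
import subprocess
import sys
from collections import Counter
from urllib.parse import urlparse

# Sample input: the three error_log lines posted in the thread.
SAMPLE_LOG = """\
[Fri Jun 19 08:31:54.658867 2015] [ssl:error] [pid 2012:tid 2424] (OS 10061)Es konnte keine Verbindung hergestellt werden, da der Zielcomputer die Verbindung verweigerte. : [client 64.41.200.108:33119] AH01974: could not connect to OCSP responder 'ocsp2.globalsign.com'
[Fri Jun 19 08:31:54.658867 2015] [ssl:error] [pid 2012:tid 2424] AH01941: stapling_renew_response: responder error
[Fri Jun 19 08:32:06.764488 2015] [ssl:error] [pid 2012:tid 2424] [client 64.41.200.108:33865] AH02042: rejecting client initiated renegotiation
"""

# AH01974 is mod_ssl's "could not connect to OCSP responder" message;
# AH01941 follows it when the stapling refresh gives up.
RESPONDER_RE = re.compile(r"AH01974: could not connect to OCSP responder '([^']+)'")
RENEW_ERROR_CODE = "AH01941"


def ocsp_failures(log_text: str) -> dict:
    """Count responder connection failures per responder host.

    Returns {"by_responder": {host: count}, "renew_errors": int}.
    """
    by_responder = Counter()
    renew_errors = 0
    for line in log_text.splitlines():
        match = RESPONDER_RE.search(line)
        if match:
            by_responder[match.group(1)] += 1
        elif RENEW_ERROR_CODE in line:
            renew_errors += 1
    return {"by_responder": dict(by_responder), "renew_errors": renew_errors}


def egress_target(ocsp_uri: str) -> tuple:
    """Host and TCP port the Apache server must be allowed to reach.

    OCSP responders are normally plain http:// URLs, so the default port
    is 80 unless the URI says otherwise.
    """
    parsed = urlparse(ocsp_uri)
    port = parsed.port or (443 if parsed.scheme == "https" else 80)
    return (parsed.hostname, port)


def ocsp_uri_from_cert(pem_path: str) -> str:
    """Read the AIA OCSP URI from a PEM certificate via `openssl x509`."""
    result = subprocess.run(
        ["openssl", "x509", "-noout", "-ocsp_uri", "-in", pem_path],
        capture_output=True, text=True, check=True,
    )
    lines = result.stdout.strip().splitlines()
    return lines[0] if lines else ""


if __name__ == "__main__":
    # Usage: script.py [error_log_path] [server_cert.pem]
    log_text = open(sys.argv[1], encoding="utf-8", errors="replace").read() \
        if len(sys.argv) > 1 else SAMPLE_LOG
    print("OCSP failures:", ocsp_failures(log_text))
    if len(sys.argv) > 2:  # placeholder path supplied by the operator
        uri = ocsp_uri_from_cert(sys.argv[2])
        print("Allow outbound from this host to:", egress_target(uri))
```

Run without arguments it reports the thread's own log (one failure against `ocsp2.globalsign.com`, one renew error); with the server certificate it prints the host and port to open in the outbound direction, which is the only rule stapling requires, since clients no longer contact the responder themselves.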