OCSP server sending expired responses + stapling breaks Chrome

avian2 · December 12, 2016, 10:03am

I’m seeing the following errors in Apache error.log today (first was around 7:05 UTC):

[Mon Dec 12 09:05:48.924279 2016] [ssl:error] [pid 14655:tid 2921329712] AH01936: stapling_check_response: response times invalid
[Mon Dec 12 09:05:48.924639 2016] [ssl:error] [pid 14655:tid 2921329712] AH01943: stapling_renew_response: error in retrieved response!

Otherwise my website loads fine in both Firefox 50.0.2 and Chrome 55.0.2883.75. It seems my Apache does not send invalid OCSP responses to clients:

$ openssl s_client -connect ... -status -tlsextdebug|grep OCSP
OCSP response: no response sent

I use Apache 2.4.10-10+deb8u7, OpenSSL 1.0.1t-1+deb8u5 (Debian Jessie).

Topic		Replies	Views
OCSP_check_validity() failed Help	3	4271	January 11, 2017
OCSP response for our site is not up to date Server	2	1849	December 12, 2016
Problem with ocsp.int-x3.letsencrypt.org? Server	8	8207	May 19, 2017
OCSP responses inconsistent between different OCSP Servers Help	7	3713	November 30, 2016
How to solve OCSP_check_validity() error? Help	4	2221	November 15, 2018

OCSP server sending expired responses + stapling breaks Chrome

Related topics