Open kobykahane opened 6 years ago
agree with this totally
agree with this totally, I had the same issue
I have the same problem. This is a critical issue.
Getting the REV_FAILED error on thousands of machines after the ISRG root cert from Let's Encrypt was added to the trusted root store in Windows by Microsoft a couple of days ago. So this issue is critical to fix now.
So I finally managed to fix the error. It was related to OCSP. I added this to the Apache vhost:

```
SSLUseStapling on
SSLStaplingReturnResponderErrors off
SSLStaplingResponderTimeout 5
```

As well as this to the ssl.conf file:

```
SSLStaplingCache "shmcb:/opt/bitnami/apache2/logs/ssl_stapling(128000)"
```

And that got rid of the error. Did not see this error before ISRG was in the Windows root store, but at least this solves it if anybody else runs into similar issues.
PR #516 enabled certificate revocation checking on WinHTTP by calling `WinHttpSetOption` with `WINHTTP_OPTION_ENABLE_FEATURE` and `WINHTTP_ENABLE_SSL_REVOCATION`. However, if a client wants to opt out from this behavior, the callback invoked by `invoke_nativehandle_options` and set with `set_nativehandle_options` cannot be used. This is because subsequent calls to `WINHTTP_OPTION_ENABLE_FEATURE` are additive, so even setting the input flags to `0` does not reset the previously enabled 'enable SSL revocation' option. Furthermore, revocation checks are performed even when `set_validate_certificates(false)` has been called.

Instead, `http_client_config` should provide an explicit way to opt out of revocation checks. If the appropriate flag is set, it should never call `WinHttpSetOption` with `WINHTTP_ENABLE_SSL_REVOCATION`.