OCSP response: no response sent

CM Fields cmfileds at gmail.com
Thu Oct 4 18:31:41 UTC 2012


Maxim,

Thank you. I was using virtual hosts. Once I switched my conf over to
using a default ssl server block, with "server _;" ocsp stapling
worked with the openssl client test. This is perfectly fine in my
situation. All that was needed was "ssl_stapling on;" and the resolver
line, just like you mentioned.


Question:

I noticed the OCSP Response Data has an update time and a "next" update time.

  Cert Status: good
  This Update: Oct  4 00:00:37 2012 GMT
  Next Update: Oct  8 00:00:37 2012 GMT

Am I correct in assuming nginx will cache the OCSP Response Data at
least till "Next Update" time, thus reducing the number of OCSP
requests going to the CA?

Finally, just a heads up. If I incorrectly put "ssl_stapling on;" in
the parent http{} area Nginx 1.3.7 will crash/dump.

Again, thanks for a great web server.

On Thu, Oct 4, 2012 at 7:13 AM, Maxim Dounin <mdounin at mdounin.ru> wrote:
> Hello!
>
> On Wed, Oct 03, 2012 at 04:25:47PM -0400, CM Fields wrote:
>
>> I am trying to get OCSP Stapling working in Nginx 1.3.7 with SPDY
>> patch.spdy-52.txt built against OpenSSL 1.0.1c. SSL and SPDY
>> connections to the server work fine.
>>
>> Let me explain what I have done so far and perhaps someone can point
>> me in the right direction or if I have made a mistake somewhere.
>>
>> The OCSP section of the nginx.conf under the SSL config looks like
>> this. The full certificate chain is in the "ssl_certificate
>> /ssl_keys/domain_ssl.crt" file and clients connect without issue.
>>
>>  ## SSL Certs
>>       ssl on;
>>       ssl_session_cache shared:SSL:10m;
>>       ssl_certificate /ssl_keys/domain_ssl.crt;
>>       ssl_certificate_key /ssl_keys/domain_ssl.key;
>>       ssl_ecdh_curve secp521r1;
>>
>> ## OCSP Stapling
>>       resolver 127.0.0.1;
>>       ssl_stapling on;
>>     #ssl_stapling_verify on;
>>       ssl_stapling_file /ssl_keys/domain.staple;
>>     #ssl_trusted_certificate /ssl_keys/domain_issuer.crt;
>>     #ssl_stapling_responder http://ocsp.comodoca.com;
>
> Just a side note: in most cases just switching on ssl_stapling and
> configuring resolver is enough, nginx will do anything else.  If
> it won't be able to, it will complain at "warn" level to error
> log.  The ssl_stapling_file is mostly intended for debugging.
>
>> According to the Nginx documentation I need to make a DER file for the
>> "ssl_stapling_file" directive in order to send out the OCSP stapling
>> response as part of the first connection. The domain.staple file was
>
> As stapling is an optimization mechanism, you probably don't care
> much about the first connection.  First connection will initiate an
> OCSP request from nginx, and as soon as response is available it
> will be stapled.
>
>> made like so. Special thanks to the group over at
>> https://calomel.org/nginx.html for getting me this far and allowing me
>> to use their server for testing against.
>>
>> # collect all the certificates and put them into separate files.
>> level0 is the domain cert, level1 certificate authority and level2 is
>> the root over the CA.
>> openssl s_client -showcerts -connect calomel.org:443 < /dev/null | awk
>> -v c=-1 '/-----BEGIN CERTIFICATE-----/{inc=1;c++} inc {print >
>> ("level" c ".crt")} /---END CERTIFICATE-----/{inc=0}'
>>
>> # Look at the certificates and that they look like the correct format.
>> for i in level?.crt; do openssl x509 -noout -serial -subject -issuer
>> -in "$i"; echo; done
>>
>> # Put all of the publicly available certs into a bundle
>> cat level{0,1,2}.crt > CAbundle.crt
>>
>> # Collect the OCSP response and make the DER domain.staple file. Make
>> sure "Cert Status: good" and "Response verify OK"
>> openssl ocsp -text -no_nonce -issuer level1.crt -CAfile CAbundle.crt
>> -cert level0.crt -VAfile level1.crt -url http://ocsp.comodoca.com
>> -respout domain.staple
>>
>>
>>
>> At this point I _believe_ I have done everything correctly and the
>> domain.staple DER formatted file is right. When I test my server with
>> the same steps as above, but with my own domain name instead of
>> calomel.org, I still get "OCSP response: no response sent" when I test
>> with openssl client.
>>
>> This is the openssl client line I used for testing to see what an OCSP
>> server response would look like. I tested two servers.
>>
>> # this server's OCSP stapling response seems to work
>> openssl s_client -connect login.live.com:443 -tls1  -tlsextdebug  -status
>> ...
>> OCSP response:
>> ======================================
>> OCSP Response Data:
>>     OCSP Response Status: successful (0x0)
>>     Response Type: Basic OCSP Response
>> ...
>>
>> # calomel.org does not support OCSP stapling (yet) and I get the same
>> result on my server's domain...
>> openssl s_client -connect calomel.org:443 -tls1  -tlsextdebug  -status
>> -CAfile /usr/lib/ssl/certs/AddTrust_External_Root.pem
>> ...
>> OCSP response: no response sent
>> ...
>
> The main question is: in which server you've configured stapling?
> I.e. are you using dedicated ip/port, or try to use name-based
> virtualhosts instead?
>
> Note that with SSL it's not that easy to do virtualhosts
> correctly, even if SNI is supported by many clients as of now.  In
> particular the above openssl command won't set servername and
> hence will hit default server.
>
> Additionally, while looking into this I've found that due to
> OpenSSL bug the OCSP stapling won't work at all if it's not
> enabled in the default server.
>
> --
> Maxim Dounin
> http://nginx.com/support.html
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
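An added example, not from the thread or from nginx: a small POSIX sh probe that repeats the `openssl s_client -status` check from the thread but passes `-servername`, so the request carries SNI and reaches the intended name-based virtual host instead of the default server block that Maxim points out the original command hits. The parser is split out so it can be exercised on a captured transcript offline; the sample capture at the bottom is constructed from the output lines quoted in the thread, and `check_staple` / `parse_staple_output` are names chosen here.

```shell
#!/bin/sh
# Added example (not nginx project code): check whether a TLS server staples
# an OCSP response, sending SNI so name-based virtual hosts are reached.

# Parse captured `openssl s_client -status` output read from stdin.
# Prints a one-line verdict and returns:
#   0 = staple present with "Cert Status: good"
#   1 = no staple sent ("OCSP response: no response sent")
#   2 = staple present but status is not "good" (revoked/unknown)
parse_staple_output() {
    out=$(cat)
    case "$out" in
        *"OCSP response: no response sent"*)
            echo "no-staple"
            return 1 ;;
    esac
    if printf '%s\n' "$out" | grep -q 'Cert Status: good'; then
        # Report how long the stapled response is valid for.
        next=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*Next Update: //p' | head -n 1)
        echo "stapled good until ${next:-unknown}"
        return 0
    fi
    echo "stapled-not-good"
    return 2
}

# Live probe: host and optional port. -servername is the point being
# demonstrated: without it openssl does not send SNI and lands on the
# default server, which is where stapling was missing in the thread.
# Usage: check_staple example.com [443]
check_staple() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -status \
        </dev/null 2>/dev/null | parse_staple_output
}

# Constructed capture (assembled from the output lines quoted in the thread)
# so the parser can be exercised without network access.
sample_capture() {
    cat <<'EOF'
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Oct  4 00:00:37 2012 GMT
    Next Update: Oct  8 00:00:37 2012 GMT
EOF
}

# Offline demonstration on the constructed capture.
sample_capture | parse_staple_output
```

The exit code makes the probe usable from a monitoring job: a non-zero result on a host that is expected to staple is the signal that either the wrong server block answered the SNI name or the OCSP fetch from nginx to the responder failed (which nginx reports at "warn" level in the error log).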
