OCSP response: no response sent

Maxim Dounin mdounin at mdounin.ru
Fri Oct 5 11:10:34 UTC 2012


Hello!

On Thu, Oct 04, 2012 at 02:31:41PM -0400, CM Fields wrote:

> Maxim,
> 
> Thank you. I was using virtual hosts. Once I switched my conf over to
> using a default ssl server block, with "server _;" ocsp stapling
> worked with the openssl client test. This is perfectly fine in my
> situation. All that was needed is "ssl_stapling on;" and the resolver
> line just like you mentioned.
> 
> 
> Question:
> 
> I noticed the OCSP Response Data has an update time and a "next" update time.
> 
>   Cert Status: good
>   This Update: Oct  4 00:00:37 2012 GMT
>   Next Update: Oct  8 00:00:37 2012 GMT
> 
> Am I correct in assuming nginx will cache the OCSP Response Data at
> least till "Next Update" time thus reducing the amount of OCSP
> requests going to the CA?

Not exactly.  As of now, nginx will cache valid responses for 1 
hour, and errors for 5 mins.

> Finally, just a heads up. If I incorrectly put "ssl_stapling on;" in
> the parent http{} area Nginx 1.3.7 will crash/dump.

Oops, thank you for the report.  Fix:

--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -737,7 +737,7 @@ ngx_http_ssl_init(ngx_conf_t *cf)
 
         sscf = cscfp[s]->ctx->srv_conf[ngx_http_ssl_module.ctx_index];
 
-        if (!sscf->stapling) {
+        if (sscf->ssl.ctx == NULL || !sscf->stapling) {
             continue;
         }
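Review bot: with `sscf->ssl.ctx == NULL` added to the `continue` condition, a server block that inherits `ssl_stapling on` from `http{}` but never set up an SSL context is now skipped silently, which stops the crash reported in the thread but leaves the misconfiguration invisible; consider emitting a "warn"-level message at that point, consistent with how the rest of the stapling setup reports problems according to the thread, so an operator who put `ssl_stapling on;` at `http{}` level learns it had no effect for that server.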

(Committed, see http://trac.nginx.org/nginx/changeset/4888/nginx)
 
> 
> Again, thanks for a great web server.
> 
> On Thu, Oct 4, 2012 at 7:13 AM, Maxim Dounin <mdounin at mdounin.ru> wrote:
> > Hello!
> >
> > On Wed, Oct 03, 2012 at 04:25:47PM -0400, CM Fields wrote:
> >
> >> I am trying to get OCSP Stapling working in Nginx 1.3.7 with SPDY
> >> patch.spdy-52.txt built against OpenSSL 1.0.1c. SSL and SPDY
> >> connections to the server work fine.
> >>
> >> Let me explain what I have done so far and perhaps someone can point
> >> me in the right direction or if I have made a mistake somewhere.
> >>
> >> The OCSP section of the nginx.conf under the SSL config looks like
> >> this. The full certificate chain is in the "ssl_certificate
> >> /ssl_keys/domain_ssl.crt" file and clients connect without issue.
> >>
> >>     ## SSL Certs
> >>     ssl on;
> >>     ssl_session_cache shared:SSL:10m;
> >>     ssl_certificate /ssl_keys/domain_ssl.crt;
> >>     ssl_certificate_key /ssl_keys/domain_ssl.key;
> >>     ssl_ecdh_curve secp521r1;
> >>
> >>     ## OCSP Stapling
> >>     resolver 127.0.0.1;
> >>     ssl_stapling on;
> >>     #ssl_stapling_verify on;
> >>     ssl_stapling_file /ssl_keys/domain.staple;
> >>     #ssl_trusted_certificate /ssl_keys/domain_issuer.crt;
> >>     #ssl_stapling_responder http://ocsp.comodoca.com;
> >
> > Just a side note: in most cases just switching on ssl_stapling and
> > configuring resolver is enough, nginx will do everything else.  If
> > it won't be able to, it will complain at "warn" level to the error
> > log.  The ssl_stapling_file is mostly intended for debugging.
> >
> >> According to the Nginx documentation I need to make a DER file for the
> >> "ssl_stapling_file" directive in order to send out the OCSP stapling
> >> response as part of the first connection. The domain.staple file was
> >
> > As stapling is an optimization mechanism, you probably don't care
> > much about the first connection.  The first connection will initiate an
> > OCSP request from nginx, and as soon as a response is available it
> > will be stapled.
> >
> >> made like so. Special thanks to the group over at
> >> https://calomel.org/nginx.html for getting me this far and allowing me
> >> to use their server for testing against.
> >>
> >> # collect all the certificates and put them into separate files.
> >> level0 is the domain cert, level1 certificate authority and level2 is
> >> the root over the CA.
> >> openssl s_client -showcerts -connect calomel.org:443 < /dev/null | \
> >>   awk -v c=-1 '/-----BEGIN CERTIFICATE-----/{inc=1;c++}
> >>   inc {print > ("level" c ".crt")}
> >>   /-----END CERTIFICATE-----/{inc=0}'
> >>
> >> # Look at the certificates and that they look like the correct format.
> >> for i in level?.crt; do openssl x509 -noout -serial -subject -issuer \
> >>   -in "$i"; echo; done
> >>
> >> # Put all of the publicly available certs into a bundle
> >> cat level{0,1,2}.crt > CAbundle.crt
> >>
> >> # Collect the OCSP response and make the DER domain.staple file. Make
> >> sure "Cert Status: good" and "Response verify OK"
> >> openssl ocsp -text -no_nonce -issuer level1.crt -CAfile CAbundle.crt \
> >>   -cert level0.crt -VAfile level1.crt -url http://ocsp.comodoca.com \
> >>   -respout domain.staple
> >>
> >>
> >>
> >> At this point I _believe_ I have done everything correctly and the
> >> domain.staple DER formatted file is right. When I test my server with
> >> the same steps as above, but with my own domain name instead of
> >> calomel.org, I still get "OCSP response: no response sent" when I test
> >> with openssl client.
> >>
> >> This is the openssl client line I used for testing to see what an OCSP
> >> server response would look like. I tested two servers.
> >>
> >> # this server's OCSP stapling response seems to work
> >> openssl s_client -connect login.live.com:443 -tls1  -tlsextdebug  -status
> >> ...
> >> OCSP response:
> >> ======================================
> >> OCSP Response Data:
> >>     OCSP Response Status: successful (0x0)
> >>     Response Type: Basic OCSP Response
> >> ...
> >>
> >> # calomel.org does not support OCSP stapling (yet) and I get the same
> >> result on my server's domain...
> >> openssl s_client -connect calomel.org:443 -tls1  -tlsextdebug  -status \
> >>   -CAfile /usr/lib/ssl/certs/AddTrust_External_Root.pem
> >> ...
> >> OCSP response: no response sent
> >> ...
> >
> > The main question is: in which server have you configured stapling?
> > I.e. are you using a dedicated ip/port, or trying to use name-based
> > virtualhosts instead?
> >
> > Note that with SSL it's not that easy to do virtualhosts
> > correctly, even if SNI is supported by many clients as of now.  In
> > particular the above openssl command won't set servername and
> > hence will hit default server.
> >
> > Additionally, while looking into this I've found that due to an
> > OpenSSL bug the OCSP stapling won't work at all if it's not
> > enabled in the default server.
> >
> > --
> > Maxim Dounin
> > http://nginx.com/support.html
> >
> > _______________________________________________
> > nginx mailing list
> > nginx at nginx.org
> > http://mailman.nginx.org/mailman/listinfo/nginx

-- 
Maxim Dounin
http://nginx.com/support.html
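A defender-side check for the testing procedure discussed in this thread: it runs the same `openssl s_client -status` probe, but with `-servername` set so the named virtual host rather than the default server answers (the SNI point Maxim raises), then parses the output for a stapled `Cert Status: good` response and verifies that the `This Update`/`Next Update` window covers the current time. This is an added example, not code from the thread, nginx or OpenSSL; it assumes an `openssl` binary on PATH, and the sample output embedded below is constructed with the field values quoted in the thread.

```python
import subprocess
from datetime import datetime, timezone

OCSP_TIME_FMT = "%b %d %H:%M:%S %Y GMT"  # e.g. "Oct  4 00:00:37 2012 GMT"

# Constructed sample of the '-status' section that `openssl s_client` prints.
SAMPLE_GOOD = """OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Oct  4 00:00:37 2012 GMT
    Next Update: Oct  8 00:00:37 2012 GMT
"""


def parse_status_output(output):
    """Extract stapling state, cert status and validity window from s_client output."""
    info = {"stapled": False, "cert_status": None, "this_update": None, "next_update": None}
    for line in output.splitlines():
        line = line.strip()
        if line == "OCSP response: no response sent":
            return info  # the server sent no stapled response at all
        if line.startswith("OCSP Response Status: successful"):
            info["stapled"] = True
        elif line.startswith("Cert Status:"):
            info["cert_status"] = line.split(":", 1)[1].strip()
        elif line.startswith(("This Update:", "Next Update:")):
            key = line[:11].lower().replace(" ", "_")  # this_update / next_update
            stamp = line.split(":", 1)[1].strip()
            info[key] = datetime.strptime(stamp, OCSP_TIME_FMT).replace(tzinfo=timezone.utc)
    return info


def staple_is_fresh(info, now):
    """True only for a stapled 'good' response whose validity window covers `now`."""
    return bool(info["stapled"] and info["cert_status"] == "good"
                and info["this_update"] and info["next_update"]
                and info["this_update"] <= now <= info["next_update"])


def check_server(host, port=443, timeout=15):
    """Probe a live server; -servername sets SNI so the named vhost, not the default server, answers."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host, "-status"]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    return parse_status_output(proc.stdout.decode(errors="replace"))
```

For a live check, call `staple_is_fresh(check_server("example.com"), datetime.now(timezone.utc))`; a `False` together with `stapled: False` in the parsed dict is the "no response sent" case from the thread.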