Issue with OCSP stapling when server certificate has been revoked by CA
mdounin at mdounin.ru
Sun Apr 13 10:39:25 UTC 2014
On Sun, Apr 13, 2014 at 11:27:17AM +0300, shimi wrote:
> I'm contacting the list after doing some Google-foo and not finding
> anything - not sure if this is due to my searching skills, or because
> nobody ever asked about this... pardon me if it's a known issue, and a link
> to a relevant resource would be appreciated in such a case.
>
> I'm using Nginx as a reverse HTTP proxy to Tomcat, primarily for the
> purpose of doing OCSP stapling.
>
> When Nginx starts for the first time, and there's no cached OCSP response,
> the first client to try an OCSP will fail; I understand that this is by
> design, and I've overcome it by simply 'warming' the cache manually by
> using OpenSSL's s_client... of course I'll be happy to learn there's a way
> to make Nginx block and get OCSP response if there's a cache miss (I
> understand that blocking every time in case of OCSP server being down won't
> help performance much, but I guess cache can be negative in such a case,
> instead of a miss, and maybe this is already the case...)
>
> Anyways, that's not the main issue I have.
>
> The main issue I have is that when a revoked certificate is being used by
> Nginx, and an OCSP is being conducted against the server port where this
> certificate is served.
>
> Watching the packets arriving from ocsp.digicert.com via Wireshark, I see
> the OCSP response saying that the certificate is revoked (so, Nginx seems
> to be querying the OCSP server fine?), and I also see this in Nginx's error
>
> 2014/04/07 17:44:41 [error] 27005#0: certificate status "revoked" in the
> OCSP response while requesting certificate status, responder:
>
> Yet, the OpenSSL s_client, even after multiple attempts (so the cache
> should be "warm"), returns that no OCSP response was returned from the
>
> Naturally, I would expect the response to be proxied by Nginx back to the
>
> What am I missing / doing wrong? :)
As long as no good OCSP response is received, nginx will not
staple anything as it doesn't make sense (moreover, it may be
harmful, e.g. if the response isn't verified).
More information about the nginx
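For the behaviour the reply describes (nothing is stapled unless nginx holds a good, verified response), the shell check below is an added example, not part of the thread or of nginx: it tells "no response sent" apart from a real stapled verdict and, when nothing is stapled, lets you ask the CA's responder directly so a revoked certificate is not mistaken for a healthy one. The function names, the constructed s_client output and the assumption that the issuer certificate also verifies the responder's signature are mine.

```shell
#!/bin/sh
# Added example, not from the nginx thread: distinguish "server staples nothing"
# from "server staples a good/revoked status", and query the CA's responder
# directly when nothing is stapled. Helper names are hypothetical.
# classify_staple: read `openssl s_client -status` (or `openssl ocsp
# -resp_text`) output on stdin, print one of: none|good|revoked|unknown|error
classify_staple() {
    out=$(cat)
    case "$out" in
        *"Cert Status: good"*)     echo good ;;
        *"Cert Status: revoked"*)  echo revoked ;;
        *"Cert Status: unknown"*)  echo unknown ;;
        # responder answered, but not "successful" and with no verdict line
        *"OCSP Response Status:"*) echo error ;;
        # covers "OCSP response: no response sent" and output with no OCSP
        # section at all (what nginx sends while it has no good response)
        *)                         echo none ;;
    esac
}

# probe_staple HOST [PORT]: what does the live server staple? (needs network)
probe_staple() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" -status \
        </dev/null 2>/dev/null | classify_staple
}

# query_responder CERT.pem ISSUER.pem: ask the CA's OCSP responder directly,
# using the URL from the certificate's AIA extension (needs network).
# Assumes ISSUER.pem also suffices to verify the responder's signature.
query_responder() {
    url=$(openssl x509 -in "$1" -noout -ocsp_uri)
    openssl ocsp -issuer "$2" -cert "$1" -url "$url" -CAfile "$2" \
        -resp_text 2>/dev/null | classify_staple
}

# Constructed sample of what s_client prints when nginx has nothing to staple
# (as in the thread: a revoked response was received, so nothing is sent).
SAMPLE_NO_STAPLE='CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain'

# Offline demo; the live probe would require network access.
demo_result() { printf '%s\n' "$SAMPLE_NO_STAPLE" | classify_staple; }
if [ $# -ge 1 ]; then
    probe_staple "$@"                # e.g. ./ocsp_check.sh example.com
else
    echo "stapled status (constructed sample): $(demo_result)"   # none
fi
```

A result of `none` from probe_staple means only that nginx is not stapling; run query_responder against the certificate and its issuer to learn whether the CA actually reports it as good or revoked.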