OCSP malformedrequest with 1.9.7 and openssl 1.0.2e

Maxim Dounin mdounin at mdounin.ru
Sat Dec 5 03:32:48 UTC 2015


Hello!

On Fri, Dec 04, 2015 at 05:40:02PM -0500, agruener wrote:

> OCSP is not working on my raspberrypi2 with nginx 1.9.7 and OpenSSL 1.0.2e.
> I have compiled both together.
> 
> tail /var/log/nginx/error.log
> 
> 2015/12/04 22:28:21 [error] 14841#0: OCSP response not successful (1:
> malformedrequest) while requesting certificate status, responder:
> ocsp.startssl.com
> 2015/12/04 22:28:29 [error] 14841#0: OCSP response not successful (1:
> malformedrequest) while requesting certificate status, responder:
> ocsp.startssl.com
> 2015/12/04 22:28:30 [error] 14842#0: OCSP response not successful (1:
> malformedrequest) while requesting certificate status, responder:
> ocsp.startssl.com

The message means that an OCSP request was successfully sent, but 
OCSP responder returned an error.  This may be either due to OCSP 
response being indeed incorrect for some reason, or due to a 
problem on OCSP responder side.

You may try the following:

- check if OCSP requests from other clients (e.g., browsers) work; 
  note that openssl's OCSP client will likely fail out of the box;

- check if the same error occurs on x86 hosts for the same 
  certificate or not;

- try tcpdump'ing traffic between nginx and the OCSP 
  responder to see what happens on the wire.

-- 
Maxim Dounin
http://nginx.org/



More information about the nginx mailing list