OCSP malformedrequest with 1.9.7 and openssl 1.0.2e
nginx-forum at nginx.us
Sat Dec 5 09:20:32 UTC 2015
Thanks for your ideas.
I think I have not fully understood this matter yet ;-)
- check if OCSP requests from other clients (e.g., browsers) work;
note that openssl's OCSP client will likely fail out of the box;
---> It does not work with openssl on Ubuntu 14.04 LTS (OpenSSL 1.0.1f 6 Jan
2014), openssl on a Raspberry Pi 2 (OpenSSL 1.0.2e), or Qualys SSL Labs
(https://www.ssllabs.com/ssltest/). On the other hand, I do not get any errors
in Firefox or Chrome on Windows / Ubuntu / Android when browsing to my
websites. But I do not know how to do the same OCSP tests with my browsers.
- check if the same error occurs on x86 hosts for the same certificate or
--> I will have to try this later; it is not that easy to set up here right now.
- try tcpdump'ing traffic between nginx and the OCSP responder to see what
happens on the wire.
--> I have done it. It shows some communication when I do the test with
echo QUIT | openssl s_client -connect www.mydomain.com:443 -status 2>/dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'
The pcap extraction shows communication:
StartCom Ltd.1+0)..U..."Secure Digital Certificate
Signing1806..U.../StartCom Class 1 Primary Intermediate Server CA0..
StartCom Certification Authority0.......This certificate was issued
according to the Class 1 Validation requirements of the StartCom CA policy,
reliance only for the intended purpose in compliance of the relying party
But at the end of my pcap I have a
TLSv1.2 Record Layer: Encrypted Alert
Content Type: Alert (21)
Version: TLS 1.2 (0x0303)
Alert Message: Encrypted Alert
followed by FIN, ACK
Posted at Nginx Forum: https://forum.nginx.org/read.php?2,263279,263285#msg-263285
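As an added example (not code from the original post, nor from nginx or OpenSSL), the following POSIX shell script does the `openssl s_client -status` probe the post is using, classifies the result instead of relying on a grep window, extracts the "Next Update" field the post was grepping for, and can also query the OCSP responder directly, bypassing nginx. The hostnames, certificate file names and the abbreviated s_client output used as sample data are assumptions / constructed test data, not taken from the thread.

```shell
#!/bin/sh
# Added example (not from the original post): probe a TLS server for a stapled
# OCSP response and classify the result, instead of eyeballing grep output.
# Hostnames, ports, file names and the sample s_client output below are
# assumptions / constructed test data, not taken from the thread.

# Live probe. $1 = hostname, $2 = port (default 443).
# -servername sends SNI so a name-based vhost returns its own certificate;
# -status asks for a stapled OCSP response (TLS status_request extension).
# nginx fetches the OCSP response lazily, so the first handshake after a
# restart usually reports "no response sent"; probe twice before judging.
ocsp_probe() {
  openssl s_client -connect "$1:${2:-443}" -servername "$1" -status \
    </dev/null 2>/dev/null
}

# Classify s_client output read from stdin. Prints one of
#   stapled     - a successful OCSP response was stapled
#   unstapled   - no OCSP response was sent
#   error:<st>  - a response was stapled but its status is not "successful"
# and returns 0, 1 or 2 respectively.
ocsp_classify() {
  out=$(cat)
  case $out in
    *"OCSP response: no response sent"*) echo unstapled; return 1 ;;
  esac
  status=$(printf '%s\n' "$out" \
    | sed -n 's/^[[:space:]]*OCSP Response Status: *//p' | head -n 1)
  case $status in
    "")          echo unstapled; return 1 ;;
    successful*) echo stapled;   return 0 ;;
    *)           echo "error:$status"; return 2 ;;
  esac
}

# Print the "Next Update" value of a stapled response read from stdin (empty
# if none): the field the post greps for to see whether the response is fresh.
ocsp_next_update() {
  sed -n 's/^[[:space:]]*Next Update: *//p' | head -n 1
}

# Host part of a responder URL: http://ocsp.example.test:8080/x -> ocsp.example.test
ocsp_host_from_url() {
  printf '%s\n' "$1" | sed 's#^[a-z]*://##; s#[/:].*##'
}

# Query the responder directly, bypassing nginx. $1 = leaf cert PEM, $2 = issuer PEM.
# OpenSSL 1.0.x's ocsp client sends no HTTP Host header, and many responders
# behind HTTP/1.1 front ends reject such requests, so one is added explicitly.
# (OpenSSL 1.1.0+ adds Host itself and changed the syntax to -header name=value.)
ocsp_direct() {
  url=$(openssl x509 -in "$1" -noout -ocsp_uri)
  openssl ocsp -issuer "$2" -cert "$1" -url "$url" \
    -header "Host" "$(ocsp_host_from_url "$url")" -no_nonce -resp_text
}

# Constructed, abbreviated "openssl s_client -status" output for offline use.
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Dec  4 00:00:00 2015 GMT
    Next Update: Dec 11 00:00:00 2015 GMT
======================================
---
Certificate chain'

SAMPLE_UNSTAPLED='CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain'

SAMPLE_ERROR='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: malformedrequest (0x1)
======================================'

# Usage: sh ocsp-check.sh www.example.test [port]   (hostname is an assumption)
if [ -n "${1:-}" ]; then
  ocsp_probe "$1" "${2:-443}" | ocsp_classify
fi
```

Run the probe twice against nginx: the first handshake after a restart normally yields "unstapled" because nginx only fetches the response after it has been asked for one, and the second shows whether the fetch succeeded. Passing `-servername` matters with OpenSSL 1.0.x clients, which otherwise send no SNI and may be handed the default vhost's certificate.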