OCSP malformedrequest with 1.9.7 and openssl 1.0.2e

Maxim Dounin mdounin at mdounin.ru
Mon Dec 7 01:57:50 UTC 2015


On Sat, Dec 05, 2015 at 04:20:32AM -0500, agruener wrote:

> Dear Maxim,
> thanks for your ideas.
> I think I have not fully understood this matter, yet ;-)
> - check if OCSP requests from other clients (e.g., browsers) work;
> note that openssl's OCSP client will likely fail out of the box;
> ---> it does not work with openssl on Ubuntu 14.04 LTS (OpenSSL 1.0.1f 6 Jan
> 2014), openssl on raspberrypi2 (OpenSSL 1.0.2e) and Qualys ssllabs
> (https://www.ssllabs.com/ssltest/). I do not get any errors on the other
> hand in Firefox or Chrome on Windows / Ubuntu / Android browsing to my
> websites. But I do not know how to do the same OCSP tests with my browsers.

It looks like you've mistaken OCSP requests and OCSP stapling.  
You have to test OCSP requests from other clients, not if OCSP 
stapling is provided by your server.

Note well that browsers are not expected to show any errors if 
OCSP requests fail, and not all browsers will use OCSP by default 
or at all.  You have to dump traffic between the browser and the 
OCSP responder to see what happens.


> - try tcpdump'ing traffic between nginx and the OCSP responder to see what
> happens on the wire.
> --> I have done it. It is showing some communication when I do the test with
> openssl, e.g.
> echo QUIT | openssl s_client -connect www.mydomain.com:443 -status 2>
> /dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'
> Pcap extraction shows communication:
> ....
> .
> StartCom Ltd.1+0)..U..."Secure Digital Certificate
> Signing1806..U.../StartCom Class 1 Primary Intermediate Server CA0..
> 151011024455Z....

This seems to be traffic between openssl and nginx.  You have to 
dump traffic between nginx and the OCSP responder 
(ocsp.startssl.com) to see OCSP requests from nginx and responses 
with errors.

Maxim Dounin
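
Added example, not part of the original message: once the traffic between nginx and the OCSP responder has been dumped, the responder's reply can be classified by decoding the first field of the DER-encoded OCSPResponse. The function names and the sample reply are constructed for this illustration, and the code assumes a plain (non-chunked) HTTP body.

```python
# Added example (not from the original thread). Status codes per RFC 6960:
# OCSPResponse ::= SEQUENCE { responseStatus ENUMERATED, responseBytes [0] OPTIONAL }
OCSP_STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
               3: "tryLater", 5: "sigRequired", 6: "unauthorized"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def ocsp_status_from_http(raw):
    """Return (http_status_line, ocsp_status_name, has_response_bytes)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no HTTP header/body separator")
    if b"application/ocsp-response" not in head.lower():
        raise ValueError("not an OCSP response (wrong Content-Type)")
    tag, seq, _ = read_tlv(body, 0)
    if tag != 0x30:
        raise ValueError("body is not a DER SEQUENCE")
    tag, val, nxt = read_tlv(seq, 0)
    if tag != 0x0A or len(val) != 1:
        raise ValueError("responseStatus is not a one-byte ENUMERATED")
    status_line = head.split(b"\r\n", 1)[0].decode("ascii", "replace")
    name = OCSP_STATUS.get(val[0], "unknown(%d)" % val[0])
    return status_line, name, nxt < len(seq)

# Constructed sample: an HTTP reply carrying responseStatus malformedRequest.
SAMPLE_REPLY = (b"HTTP/1.1 200 OK\r\n"
                b"Content-Type: application/ocsp-response\r\n"
                b"Content-Length: 5\r\n\r\n" + bytes.fromhex("30030a0101"))

if __name__ == "__main__":
    print(ocsp_status_from_http(SAMPLE_REPLY))
```

An HTTP 200 from the responder says nothing about the OCSP outcome; the status that matters is the ENUMERATED inside the body.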
