How to enable OCSP stapling when default server is self-signed?
nginx-forum at nginx.us
Mon May 11 14:31:05 UTC 2015
> > Note that this isn't really indicate anything: there are two forms
> of OCSP requests, POST and GET. And Firefox uses POST, while nginx
> uses GET. Given the fact that the responder was completely broken just
> a few days ago - it's quite possible that it's still broken for GETs
> in some cases.
> To comply with local security policy, we disabled POST globally on all
> public-facing servers.
> This has the advantage of killing web 2.0 and all of its
> vulnerabilities with one simple rule, emphasis on *killing web 2.0*.
> Yes, the sites are read-only, and we just love it that way.
> For each vhost,
> "ssl_certificate_key" includes the vhost's private key,
> "ssl_certificate" includes the vhosts's public key (leaf) AND the
> intermediate key of the Issuer,
> "ssl_trusted_certificate" includes the certificate chain in full (leaf
> + intermediate + root CA),
> all in PEM format.
> The openssl test works as expected:
> vhost="<your-domain-here>"; echo Q | openssl s_client -CAfile
> /path/to/your/local/trust/store/ca-bundle.pem -tls1 -tlsextdebug
> -status -connect $vhost:443 -servername $vhost 2>&1 | less
> There are two problems.
> problem 1
> nginx's "ssl_certificate" (note the singular) is truly a bundle of the
> certificate and the intermediate.
> In fact, if we remove the intermediate, we break the chain.
> The description for "ssl_certificate" is also misleading.
> "Specifies a file with the certificate in the PEM format for the given
> virtual server. If intermediate certificates should be specified in
> addition to a primary certificate, they should be specified in the
> same file in the following order: the primary certificate comes first,
> then the intermediate certificates. A secret key in the PEM format may
> be placed in the same file. "
> Although the above sentence "If intermediate certificates should be
> specified" suggests that one may omit the intermediate certificate, in
> reality you can only do this if you are the CA. I do not wish to sound
> opinionated here, because I am making an effort to stick to the facts:
> if we remove the intermediate, we do break the chain and the openssl
> test complains loudly.
> Therefore, if your own facts correspond to the above, then the
> solution is to edit nginx's source to limit "ssl_certificate" to the
> leaf's public key only, and correct the description accordingly. The
> intermediate(s) can be bundled in a separate file.
> It would be easier on the eyes to re-write the keywords as well:
> ssl_certificate_key -----> private_certificate
> ssl_certificate 1/2 ------> public_certificate
> ssl_certificate 2/2 -------> public_intermediate_certificates
> ssl_trusted_certificate -> public_ca_certificate
> In so doing, the configuration would finally be unambiguous.
> problem 2
> If it is true that FF uses POST to *read*, by default, then this
> explains the original problem with OCSP, and the fact that nginx is
> well configured and openssl and other browsers do work as expected.
> Google and other search engines show that Firefox has been affected by
> this OCSP problem for a long time. Perhaps they could start using GET
> like everybody else?
Umm...please don't hijack threads. Your issue(s) are not related to the
main thread and are even partially off-topic for nginx. Hijacking threads
is distracting for those who run threaded clients.
My issue regarding OCSP stapling still remains unresolved.
Posted at Nginx Forum: http://forum.nginx.org/read.php?2,257833,258801#msg-258801
More information about the nginx