How to enable OCSP stapling when default server is self-signed?

hotwirez nginx-forum at
Thu Sep 29 13:17:32 UTC 2016

Maxim Dounin Wrote:
> Hello!
> On Wed, Sep 28, 2016 at 12:44:45PM -0400, hotwirez wrote:
> [...]
> > I wanted to mention that I've run into this issue as well when
> trying to
> > enable OCSP stapling, where I have a default_deny SSL server that
> has a
> > self-signed certificate where I don't want to use OCSP stapling, and
> other
> > actual server entries for actual sites where I want OCSP stapling
> enabled. 
> > If I enable stapling for only the real sites, it appears to be
> silently
> > disabled.  If I enable it for all server instances, it notices that
> the
> > default server uses a self-signed certificate and disables stapling.
>  If I
> > remove the default server, OCSP stapling works for the remaining
> sites, but
> > then accessing the site using a means other than the correct server
> name
> > provides the SSL certificate for one of the servers.
> Problems with OCSP stapling if it is disabled in the default 
> server{} block were traced to be an OpenSSL bug, silently fixed in 
> 1.0.0m/1.0.1g/1.0.2.  See here for details:
> If you see the problem it means you have to update the OpenSSL 
> library you are using.
Thank you; it's great you tracked that down!  I am on OpenSSL 1.0.1f and
Nginx 1.4.6;  (Ubuntu 14.04 via apt), so that makes sense.  I'll upgrade.

Thanks again!

Posted at Nginx Forum:,257833,269955#msg-269955

More information about the nginx mailing list