Re: OCSP unauthorized request

Maxim Dounin mdounin at mdounin.ru
Thu Apr 10 11:56:31 UTC 2014


Hello!

On Thu, Apr 10, 2014 at 07:42:23AM +0100, Anatoly Mikhailov wrote:

> I'm seeing the following line in error.log with the default log level:
> 
>   OCSP response not successful (6: unauthorized) while requesting certificate status, responder: ocsp.comodoca.com
> 
> Environment: Nginx 1.5.13, the ssl/tls settings are as follows:
>     ssl_session_timeout          15m;
>     ssl_protocols                      SSLv3 TLSv1 TLSv1.1 TLSv1.2;
>     ssl_prefer_server_ciphers  on;
>     ssl_session_cache             shared:SSL:10m;
>     ssl_stapling                        on;

Most likely the OCSP responder was trying to say that it does not have
enough information and cannot tell whether the certificate is valid or not,
http://tools.ietf.org/html/rfc5019#section-2.2.3:

   As long as the OCSP infrastructure has authoritative records for a
   particular certificate, an OCSPResponseStatus of "successful" will be
   returned.  When access to authoritative records for a particular
   certificate is not available, the responder MUST return an
   OCSPResponseStatus of "unauthorized".  As such, this profile extends
   the RFC 2560 [OCSP] definition of "unauthorized" as follows:

      The response "unauthorized" is returned in cases where the client
      is not authorized to make this query to this server or the server
      is not capable of responding authoritatively.

   For example, OCSP responders that do not have access to authoritative
   records for a requested certificate, such as those that generate and
   distribute OCSP responses in advance and thus do not have the ability
   to properly respond with a signed "successful" yet "unknown"
   response, will respond with an OCSPResponseStatus of "unauthorized".
   Also, in order to ensure the database of revocation information does
   not grow unbounded over time, the responder MAY remove the status
   records of expired certificates.  Requests from clients for
   certificates whose record has been removed will result in an
   OCSPResponseStatus of "unauthorized".

Why that is so is a question for COMODO.  Most likely the certificate is
fresh and the OCSP responder does not know about it yet.

For its part, nginx will not use such a response for stapling, and will
keep retrying to obtain a correct response for stapling once every
5 minutes.

-- 
Maxim Dounin
http://nginx.org/
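Added example, not part of this thread or of nginx itself: a small decoder for the outer OCSPResponse structure (RFC 6960, section 4.2.1), showing where the "6: unauthorized" in the error.log line comes from. An OCSPResponse is a SEQUENCE whose first field is an ENUMERATED responseStatus; only status 0 ("successful") carries the signed responseBytes that a server can staple, so a stapling server has to treat every other status as an error and serve nothing. The two sample responses are constructed by hand for this example; a real one captured with `openssl ocsp -respout` would decode the same way.

```python
"""Decode the responseStatus of a DER-encoded OCSPResponse.

Added example (not from the nginx-ru thread or the nginx project). The
sample responses below are constructed for illustration.
"""

# OCSPResponseStatus values from RFC 6960, section 4.2.1 (value 4 is unused).
OCSP_RESPONSE_STATUS = {
    0: "successful",
    1: "malformedRequest",
    2: "internalError",
    3: "tryLater",
    5: "sigRequired",
    6: "unauthorized",
}


def _read_tlv(data: bytes, offset: int = 0):
    """Read one DER tag-length-value element at offset.

    Returns (tag, value_bytes, offset_after_element). Handles short-form
    and long-form lengths and refuses elements that run past the buffer.
    """
    if offset + 2 > len(data):
        raise ValueError("truncated DER element")
    tag = data[offset]
    first = data[offset + 1]
    pos = offset + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(data):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(data):
        raise ValueError("DER value runs past end of data")
    return tag, data[pos:pos + length], pos + length


def ocsp_response_status(der: bytes) -> int:
    """Return the integer responseStatus of a DER OCSPResponse."""
    tag, body, _ = _read_tlv(der)
    if tag != 0x30:  # SEQUENCE
        raise ValueError("OCSPResponse must be a SEQUENCE")
    tag, value, _ = _read_tlv(body)
    if tag != 0x0A or not value:  # ENUMERATED
        raise ValueError("first OCSPResponse field must be ENUMERATED responseStatus")
    return int.from_bytes(value, "big")


def describe_ocsp_response(der: bytes) -> dict:
    """Summarise an OCSPResponse the way a stapling server must judge it."""
    status = ocsp_response_status(der)
    name = OCSP_RESPONSE_STATUS.get(status, "unknown")
    return {
        "status": status,
        "name": name,
        # Only a "successful" response has responseBytes worth stapling;
        # any other status is an error and must not be served to clients.
        "stapleable": status == 0,
        # Same "N: name" shape as the nginx error.log message.
        "log_fragment": f"{status}: {name}",
    }


# Constructed sample: a bare "unauthorized" response, i.e.
# SEQUENCE { ENUMERATED 6 }. The whole DER encoding is five bytes.
UNAUTHORIZED_RESPONSE = bytes.fromhex("3003 0a01 06")

# Constructed sample: "tryLater" (status 3), another non-stapleable result.
TRY_LATER_RESPONSE = bytes.fromhex("3003 0a01 03")

if __name__ == "__main__":
    for sample in (UNAUTHORIZED_RESPONSE, TRY_LATER_RESPONSE):
        info = describe_ocsp_response(sample)
        print(f"OCSP response not successful ({info['log_fragment']}), "
              f"stapleable={info['stapleable']}")
```

Running the block prints "OCSP response not successful (6: unauthorized)" for the first sample, matching the log line quoted above. The decoder stops at the status on purpose: for a non-zero status there is no responseBytes field to parse, and for a successful response the signature over the BasicOCSPResponse still has to be verified before anything is stapled.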


