Re: OCSP unauthorized request
Maxim Dounin
mdounin at mdounin.ru
Thu Apr 10 11:56:31 UTC 2014
Hello!
On Thu, Apr 10, 2014 at 07:42:23AM +0100, Anatoly Mikhailov wrote:
> I'm seeing the following line in error.log at the default logging level:
>
> OCSP response not successful (6: unauthorized) while requesting certificate status, responder: ocsp.comodoca.com
>
> Environment: Nginx 1.5.13, the ssl/tls settings are as follows:
> ssl_session_timeout 15m;
> ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
> ssl_prefer_server_ciphers on;
> ssl_session_cache shared:SSL:10m;
> ssl_stapling on;
Most likely the OCSP responder was trying to say that it does not have
enough information and cannot say whether the certificate is valid or not,
http://tools.ietf.org/html/rfc5019#section-2.2.3:
As long as the OCSP infrastructure has authoritative records for a
particular certificate, an OCSPResponseStatus of "successful" will be
returned. When access to authoritative records for a particular
certificate is not available, the responder MUST return an
OCSPResponseStatus of "unauthorized". As such, this profile extends
the RFC 2560 [OCSP] definition of "unauthorized" as follows:
The response "unauthorized" is returned in cases where the client
is not authorized to make this query to this server or the server
is not capable of responding authoritatively.
For example, OCSP responders that do not have access to authoritative
records for a requested certificate, such as those that generate and
distribute OCSP responses in advance and thus do not have the ability
to properly respond with a signed "successful" yet "unknown"
response, will respond with an OCSPResponseStatus of "unauthorized".
Also, in order to ensure the database of revocation information does
not grow unbounded over time, the responder MAY remove the status
records of expired certificates. Requests from clients for
certificates whose record has been removed will result in an
OCSPResponseStatus of "unauthorized".
Why that is the case is a question for COMODO. Most likely the certificate is
fresh and the OCSP responder doesn't know about it yet.
For its part, nginx will not use such a response for stapling, and will
keep retrying to obtain a correct response for stapling once every
5 minutes.
--
Maxim Dounin
http://nginx.org/
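As an added illustration of the point made above (this is not code from the thread or from nginx itself): the "unauthorized" in the log line is the top-level responseStatus of the OCSPResponse, not a per-certificate status, so there is no signed certificate status to staple at all. The small decoder below reads that status from a DER-encoded OCSP response and applies the same rule nginx applies, stapling only a "successful" (0) response. The sample responses are constructed for the example, not captured from ocsp.comodoca.com; the status names come from the OCSPResponseStatus enumeration in RFC 2560/6960.

```python
"""Decode the top-level responseStatus of a DER OCSPResponse and decide
whether it is eligible for stapling.  Added example; not nginx code.

OCSPResponse ::= SEQUENCE {
    responseStatus  OCSPResponseStatus,            -- ENUMERATED
    responseBytes   [0] EXPLICIT ResponseBytes OPTIONAL }
"""

# OCSPResponseStatus values (RFC 2560 / RFC 6960 section 4.2.1); value 4 is unused.
OCSP_RESPONSE_STATUS = {
    0: "successful",
    1: "malformedRequest",
    2: "internalError",
    3: "tryLater",
    5: "sigRequired",
    6: "unauthorized",
}


def _read_length(data, pos):
    """Return (length, position after the length field) for the DER length at data[pos]."""
    first = data[pos]
    if first < 0x80:                      # short form: one byte
        return first, pos + 1
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4:
        raise ValueError("unsupported DER length encoding")
    return int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def ocsp_response_status(der):
    """Return the numeric responseStatus of a DER-encoded OCSPResponse."""
    if not der or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, pos = _read_length(der, 1)         # outer SEQUENCE length (unused here)
    if pos >= len(der) or der[pos] != 0x0A:
        raise ValueError("expected ENUMERATED responseStatus")
    length, pos = _read_length(der, pos + 1)
    if length != 1:
        raise ValueError("unexpected responseStatus length")
    return der[pos]


def stapling_decision(der):
    """Mirror the rule nginx applies: only a 'successful' response is stapled.

    Returns (eligible, message); the message follows the wording of the
    nginx error.log line quoted in the thread.
    """
    status = ocsp_response_status(der)
    name = OCSP_RESPONSE_STATUS.get(status, "unknown")
    if status == 0:
        return True, "OCSP response successful; eligible for stapling"
    return False, "OCSP response not successful (%d: %s); not stapled, retry later" % (status, name)


# Constructed sample: a bare "unauthorized" response, the smallest valid OCSPResponse
# (no responseBytes at all, so there is nothing that could be stapled).
UNAUTHORIZED_DER = bytes.fromhex("30030a0106")

# Constructed sample: a status-only "successful" response.  A real successful
# response carries a signed responseBytes element after the status; only the
# status prefix matters for this check.
SUCCESSFUL_DER = bytes.fromhex("30030a0100")

if __name__ == "__main__":
    for label, der in (("unauthorized", UNAUTHORIZED_DER), ("successful", SUCCESSFUL_DER)):
        eligible, message = stapling_decision(der)
        print("%-12s -> eligible=%s: %s" % (label, eligible, message))
```

To check the same thing from outside, `openssl ocsp -issuer <issuer.pem> -cert <cert.pem> -url <responder-url> -resp_text` prints the response status the responder returns for a given certificate, and `openssl s_client -connect <host>:443 -status` shows whether the server is currently sending a stapled response in the handshake; both are standard OpenSSL commands, not something taken from the thread.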