OCSP response: no response sent

Maxim Dounin mdounin at mdounin.ru
Thu Oct 4 11:13:34 UTC 2012 

Hello!

On Wed, Oct 03, 2012 at 04:25:47PM -0400, CM Fields wrote:

> I am trying to get OCSP Stapling working in Nginx 1.3.7 with SPDY
> patch.spdy-52.txt built against OpenSSL 1.0.1c. SSL and SPDY
> connections to the server work fine.
> 
> Let me explain what I have done so far and perhaps someone can point
> me in the right direction or if I have made a mistake somewhere.
> 
> The OCSP section of the nginx.conf under the SSL config looks like
> this. The full certificate chain is in the "ssl_certificate
> /ssl_keys/domain_ssl.crt" file and clients connect without issue.
> 
>  ## SSL Certs
>       ssl on;
>       ssl_session_cache shared:SSL:10m;
>       ssl_certificate /ssl_keys/domain_ssl.crt;
>       ssl_certificate_key /ssl_keys/domain_ssl.key;
>       ssl_ecdh_curve secp521r1;
> 
> ## OCSP Stapling
>       resolver 127.0.0.1;
>       ssl_stapling on;
>     #ssl_stapling_verify on;
>       ssl_stapling_file /ssl_keys/domain.staple;
>     #ssl_trusted_certificate /ssl_keys/domain_issuer.crt;
>     #ssl_stapling_responder http://ocsp.comodoca.com;

Just a side note: in most cases just switching on ssl_stapling and 
configuring resolver is enough, nginx will do anything else.  If 
it won't be able to, it will complain at "warn" level to error 
log.  The ssl_stapling_file is mostly intended for debugging.

> According to the Nginx documentation I need to make a DER file for the
> "ssl_stapling_file" directive in order to send out the OCSP stapling
> response as part of the first connection. The domain.staple file was

As stapling is an optimization mechanism, you probably don't care 
much about the first connection.  First connection will initiate a 
OCSP request from nginx, and as soon as response is available it 
will be stapled.

> made like so. Special thanks to the group over at
> https://calomel.org/nginx.html for getting me this far and allowing me
> to use their server for testing against.
> 
> # collect all the certificates and put them into separate files.
> level0 is the domain cert, level1 certificate authority and level2 is
> the root over the CA.
> openssl s_client -showcerts -connect calomel.org:443 < /dev/null | awk
> -v c=-1 '/-----BEGIN CERTIFICATE-----/{inc=1;c++} inc {print >
> ("level" c ".crt")} /---END CERTIFICATE-----/{inc=0}'
> 
> # Look at the certificates and that they look like the correct format.
> for i in level?.crt; do openssl x509 -noout -serial -subject -issuer
> -in "$i"; echo; done
> 
> # Put all of the publicly available certs into a bundle
> cat level{0,1,2}.crt > CAbundle.crt
> 
> # Collect the OCSP response and make the DER domain.staple file. Make
> sure "Cert Status: good" and "Response verify OK"
> openssl ocsp -text -no_nonce -issuer level1.crt -CAfile CAbundle.crt
> -cert level0.crt -VAfile level1.crt -url http://ocsp.comodoca.com
> -respout domain.staple
> 
> 
> 
> At this point I _believe_ have done everything correctly and the
> domain.staple DER formatted file is right. When I test my server with
> the same steps as above, but with my own domain name instead of
> calomel.org, I still get "OCSP response: no response sent" when I test
> with openssl client.
> 
> This is the openssl client line I used for testing to see what a OCSP
> server response would look like. I tested two servers.
> 
> # this server's OCSP stapling response seems to work
> openssl s_client -connect login.live.com:443 -tls1  -tlsextdebug  -status
> ...
> OCSP response:
> ======================================
> OCSP Response Data:
>     OCSP Response Status: successful (0x0)
>     Response Type: Basic OCSP Response
> ...
> 
> # calomel..org does not support OSCP stapling (yet) and I get the same
> result on my server's domain...
> openssl s_client -connect calomel.org:443 -tls1  -tlsextdebug  -status
> -CAfile /usr/lib/ssl/certs/AddTrust_External_Root.pem
> ...
> OCSP response: no response sent
> ...

The main question is: in which server you've configured stapling?  
I.e. are you using dedicated ip/port, or try to use name-based 
virtualhosts instead?

Note that with SSL it's not that easy to do virtualhosts 
correctly, even if SNI is supported by many clients as of now.  In 
particular the above openssl command won't set servername and 
hence will hit default server.

Additionally, while looking into this I've found that due to 
OpenSSL bug the OCSP stapling won't work at all if it's not 
enabled in the default server.

-- 
Maxim Dounin
http://nginx.com/support.html

More information about the nginx mailing list