SSL_STAPLING when network is unreachable
mastercan
nginx-forum at nginx.us
Wed Feb 26 16:39:31 UTC 2014
Hello,
I've encountered a problem with nginx 1.5.10.
I'm running nginx on a highly available system (2 cluster node).
When node1 fails, node2 is automatically coming into play. A few days ago
the internet connection was bad - on both nodes. They could ping the gateway
only sporadically.
Node2 became the active one and tried to start nginx. Nginx did not even
come up.
I replayed the whole scenario (switchover) with a working internet
connection. Everything is running perfect then.
But with a broken internet connection nginx does not start up. It's
hanging.
The reason is ssl_stapling I found out. Even when I set resolver_timeout to
5 seconds, nginx won't come up within 5 seconds with an internet connection
with high packet loss.
Unfortunately I cannot use "ssl_stapling_file". I tried fetching the OCSP
response from globalsign but always get "error querying OCSP response" from
globalsign's ocsp server (but with godaddy it worked).
My cmd was: openssl ocsp -host ocsp2.globalsign.com -noverify -no_nonce -issuer issuer.crt -cert domain.crt -url http://ocsp2.globalsign.com/gsalphag2
So...it would be nice if nginx did not block on startup or if there was a
setting that told nginx "you must startup within x seconds".
For now I will remove ssl_stapling support altogether.
best regards,
Can Özdemir
Posted at Nginx Forum: http://forum.nginx.org/read.php?2,247966,247966#msg-247966
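The post's two pain points are that the responder fetch has no wall-clock bound and that the "ssl_stapling_file" workaround needs a pre-fetched response. The script below is an added example, not code from the post or from nginx: a pre-start hook that runs the same openssl ocsp fetch the author used, but under a hard deadline, and then emits either "ssl_stapling on; ssl_stapling_file ..." or "ssl_stapling off;" so nginx can always start. The file names, the responder URL and the 5-second default are placeholders; the "-noverify" flag is kept to match the author's command, but "-CAfile" or "-VAfile" in its place is the stricter choice, since nginx does not validate a stapling file itself.

```shell
#!/bin/sh
# Added example, not code from the original post: a pre-start hook for the
# ssl_stapling_file workaround. It fetches the OCSP response with a hard
# wall-clock deadline so a flaky uplink cannot hang the step, then prints the
# matching nginx directives. Paths and the responder URL are placeholders.

# fetch_ocsp_response ISSUER CERT URL OUT [SECONDS]
# Writes the DER response to OUT and returns 0; returns 1 on any failure,
# including the deadline expiring, and leaves no partial file behind.
fetch_ocsp_response() {
    issuer=$1; cert=$2; url=$3; out=$4; deadline=${5:-5}
    tmp="$out.tmp.$$"
    rc=0
    # openssl's own -timeout bounds only the TCP connect. The coreutils
    # `timeout` wrapper (used when available) also bounds DNS resolution and
    # a stalled transfer, which is what bites on a lossy link.
    if command -v timeout >/dev/null 2>&1; then
        timeout "$deadline" openssl ocsp -issuer "$issuer" -cert "$cert" \
            -url "$url" -no_nonce -noverify -timeout "$deadline" \
            -respout "$tmp" >/dev/null 2>&1 || rc=$?
    else
        openssl ocsp -issuer "$issuer" -cert "$cert" \
            -url "$url" -no_nonce -noverify -timeout "$deadline" \
            -respout "$tmp" >/dev/null 2>&1 || rc=$?
    fi
    # Exit status 0 means the responder answered "successful". An error
    # status such as "unauthorized" is still written to -respout, so the
    # size test alone would accept an unusable file.
    if [ "$rc" -eq 0 ] && [ -s "$tmp" ]; then
        mv "$tmp" "$out"
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# stapling_snippet OUT
# Prints the nginx directives to include: stapling is enabled only when a
# non-empty response file is present, so a failed fetch never blocks startup.
stapling_snippet() {
    if [ -s "$1" ]; then
        printf 'ssl_stapling on;\nssl_stapling_file %s;\n' "$1"
    else
        printf 'ssl_stapling off;\n'
    fi
}

# Usage (placeholders):
#   sh fetch-staple.sh issuer.crt domain.crt http://ocsp.example/path /etc/nginx/ocsp.der > /etc/nginx/stapling.conf
if [ "$#" -eq 4 ]; then
    if ! fetch_ocsp_response "$1" "$2" "$3" "$4" 5; then
        echo "OCSP fetch failed within deadline; starting without a fresh staple" >&2
    fi
    stapling_snippet "$4"
fi
```

The hook does not delete a response file left over from an earlier successful run, so when the fetch fails the previous file is reused. A stale response is only useful until its nextUpdate time, so a production version should also drop the file once it is older than the responder's validity window.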