Issue with OCSP stapling when server certificate has been revoked by CA
Maxim Dounin
mdounin at mdounin.ru
Sun Apr 13 10:39:25 UTC 2014
Hello!
On Sun, Apr 13, 2014 at 11:27:17AM +0300, shimi wrote:
> Hi,
>
> I'm contacting the list after doing some Google-foo and not finding
> anything - not sure if this is due to my searching skills, or because
> nobody ever asked about this... pardon me if it's a known issue, and a link
> to a relevant resource would be appreciated in such a case.
>
> I'm using Nginx as a reverse HTTP proxy to Tomcat, primarily for the
> purpose of doing OCSP stapling.
>
> When Nginx starts for the first time, and there's no cached OCSP response,
> the first client to try an OCSP will fail; I understand that this is by
> design, and I've overcome it by simply 'warming' the cache manually by
> using OpenSSL's s_client... of course I'll be happy to learn there's a way
> to make Nginx block and get an OCSP response if there's a cache miss (I
> understand that blocking every time in case of the OCSP server being down won't
> help performance much, but I guess the cache can be negative in such a case,
> instead of a miss, and maybe this is already the case...)
>
> Anyways, that's not the main issue I have.
>
> The main issue I have is what happens when a revoked certificate is being used by
> Nginx, and an OCSP check is being conducted against the server port where this
> certificate is served.
>
> Watching the packets arriving from ocsp.digicert.com via Wireshark, I see
> the OCSP response saying that the certificate is revoked (so, Nginx seems
> to be querying the OCSP server fine?), and I also see this in Nginx's error
> log:
>
> 2014/04/07 17:44:41 [error] 27005#0: certificate status "revoked" in the
> OCSP response while requesting certificate status, responder:
> ocsp.digicert.com
>
> Yet, the OpenSSL s_client, even after multiple attempts (so the cache
> should be "warm"), returns that no OCSP response was returned from the
> server...
>
> Naturally, I would expect the response to be proxied by Nginx back to the
> client.
>
> What am I missing / doing wrong? :)
As long as no good OCSP response is received, nginx will not
staple anything as it doesn't make sense (moreover, it may be
harmful, e.g. if the response isn't verified).
--
Maxim Dounin
http://nginx.org/
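The practical consequence of the reply above is that a client which sees no stapled response cannot conclude anything about the certificate: nginx sends nothing both before the cache is warm and after the responder has answered "revoked". The script below is an added example, not code from the thread or from nginx; it classifies the output of `openssl s_client -status` so a monitoring check distinguishes "nothing stapled" from a good staple, and treats the former as indeterminate rather than healthy. The `OCSP response:` and `Cert Status:` lines it looks for are the ones OpenSSL's text output prints; the sample transcripts are constructed here for illustration, and `check_host` (the live probe) needs network access.

```sh
#!/bin/sh
# Added example (not part of the original thread): classify the OCSP
# stapling status reported by `openssl s_client -status`.
#
# classify_staple reads s_client output on stdin and prints exactly one of:
#   none            - "OCSP response: no response sent" (nothing stapled;
#                     this is what nginx emits with no good cached response,
#                     including after the responder said "revoked")
#   stapled-good    - a stapled response with "Cert Status: good"
#   stapled-revoked - a stapled response with "Cert Status: revoked"
#   stapled-other   - stapled, but status is "unknown" or unparsable
#   error           - no "OCSP response:" line at all (handshake failed etc.)
classify_staple() {
  out=$(cat)
  if ! printf '%s\n' "$out" | grep -q '^OCSP response:'; then
    echo error
    return 0
  fi
  if printf '%s\n' "$out" | grep -q '^OCSP response: no response sent'; then
    echo none
    return 0
  fi
  # First "Cert Status:" line of the decoded response; strip the label.
  status=$(printf '%s\n' "$out" \
    | sed -n 's/^[[:space:]]*Cert Status:[[:space:]]*//p' | head -n 1)
  case "$status" in
    good)    echo stapled-good ;;
    revoked) echo stapled-revoked ;;
    *)       echo stapled-other ;;
  esac
}

# check_host HOST [PORT]: live probe (needs network). SNI is set so a
# name-based vhost hands back the certificate the check is meant for.
check_host() {
  host=$1
  port=${2:-443}
  openssl s_client -connect "$host:$port" -servername "$host" -status \
    </dev/null 2>/dev/null | classify_staple
}

# Constructed sample transcripts (abridged), not captured from a real host.
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain'

SAMPLE_GOOD='CONNECTED(00000003)
OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
    Cert Status: good
    This Update: Apr 13 08:00:00 2014 GMT
======================================'

SAMPLE_REVOKED='CONNECTED(00000003)
OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Responses:
    Cert Status: revoked
    Revocation Time: Apr  7 12:00:00 2014 GMT
======================================'

# Exit 0 only when the staple is present and good; "none" is a failure
# for the check because the client must then query the responder itself.
staple_is_good() {
  [ "$(classify_staple)" = stapled-good ]
}

# Stand-alone run: show the classification of each constructed sample,
# then probe a host if one was given on the command line.
for s in "$SAMPLE_NONE" "$SAMPLE_GOOD" "$SAMPLE_REVOKED"; do
  printf '%s\n' "$s" | classify_staple
done
if [ "$#" -gt 0 ]; then
  check_host "$1" "${2:-443}"
fi
```

Because nginx fetches the OCSP response in the background after the first handshake, a live probe should be run twice before trusting a "none" result; and since "none" is also what a revoked certificate yields, the monitoring side has to escalate that result or fall back to a direct OCSP query instead of scoring it as a pass.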