Issue with OCSP stapling when server certificate has been revoked by CA

Maxim Dounin mdounin at mdounin.ru
Sun Apr 13 10:39:25 UTC 2014


Hello!

On Sun, Apr 13, 2014 at 11:27:17AM +0300, shimi wrote:

> Hi,
> 
> I'm contacting the list after doing some Google-foo and not finding
> anything - not sure if this is due to my searching skills, or because
> nobody ever asked about this... pardon me if it's a known issue, and a link
> to a relevant resource would be appreciated in such a case.
> 
> I'm using Nginx as a reverse HTTP proxy to Tomcat, primarily for the
> purpose of doing OCSP stapling.
> 
> When Nginx starts for the first time, and there's no cached OCSP response,
> the first client to try an OCSP will fail; I understand that this is by
> design, and I've overcome it by simply 'warming' the cache manually by
> using OpenSSL's s_client...  of course I'll be happy to learn there's a way
> to make Nginx block and get OCSP response if there's a cache miss (I
> understand that blocking every time in case of OCSP server being down won't
> help performance much, but I guess cache can be negative in such a case,
> instead of a miss, and maybe this is already the case...)
> 
> Anyways, that's not the main issue I have.
> 
> The main issue I have is that when a revoked certificate is being used by
> Nginx, and an OCSP is being conducted against the server port where this
> certificate is served.
> 
> Watching the packets arriving from ocsp.digicert.com via Wireshark, I see
> the OCSP response saying that the certificate is revoked (so, Nginx seems
> to be querying the OCSP server fine?), and I also see this in Nginx's error
> log:
> 
> 2014/04/07 17:44:41 [error] 27005#0: certificate status "revoked" in the
> OCSP response while requesting certificate status, responder:
> ocsp.digicert.com
> 
> Yet, the OpenSSL s_client, even after multiple attempts (so the cache
> should be "warm"), returns that no OCSP response was returned from the
> server...
> 
> Naturally, I would expect the response to be proxied by Nginx back to the
> client.
> 
> What am I missing / doing wrong? :)

As long as no good OCSP response is received, nginx will not 
staple anything as it doesn't make sense (moreover, it may be 
harmful, e.g. if the response isn't verified).

-- 
Maxim Dounin
http://nginx.org/
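An added check, not code from the thread or from nginx: a small POSIX shell probe that asks a server for a stapled OCSP response with `openssl s_client -status` and classifies what came back, which is the "cold cache or non-good responder answer" versus "good" distinction discussed above. The host name and port are assumptions; the classifier reads captured s_client output on stdin so it can also be run on saved text.

```shell
#!/bin/sh
# Classify the text that `openssl s_client -status` prints on stdout.
# Reads the output on stdin; prints one of: none | good | revoked | unknown | error
classify_stapled_ocsp() {
    out=$(cat)
    case "$out" in
        *"OCSP response: no response sent"*) echo none ;;    # server stapled nothing
        *"Cert Status: good"*)               echo good ;;    # verified, usable staple
        *"Cert Status: revoked"*)            echo revoked ;; # a client must refuse this
        *"Cert Status: unknown"*)            echo unknown ;;
        *)                                   echo error ;;   # handshake failed or unparseable
    esac
}

# Connect to host:port (SNI = host) and classify the stapled response.
# Returns non-zero unless the status is "good", so it can serve as a monitoring probe.
# Note: nginx only staples once it has a good, verified responder answer, so "none"
# from the client side can mean a cold cache or a non-good answer; nginx's error log
# shows which (see the "certificate status" message quoted in the thread).
check_stapling() {
    host=$1            # assumption: caller supplies the host name
    port=${2:-443}     # assumption: 443 unless given
    status=$(openssl s_client -connect "$host:$port" -servername "$host" -status \
                 </dev/null 2>/dev/null | classify_stapled_ocsp)
    echo "$host:$port stapled OCSP status: $status"
    [ "$status" = good ]
}

# Stand-alone use: ./probe.sh example.invalid 443
if [ $# -gt 0 ]; then
    check_stapling "$@"
fi
```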
