How to enable OCSP stapling when default server is self-signed?
Maxim Dounin
mdounin at mdounin.ru
Wed Apr 8 15:27:52 UTC 2015
Hello!
On Wed, Apr 08, 2015 at 02:30:12AM -0400, bughunter wrote:
> Maxim Dounin Wrote:
> -------------------------------------------------------
> > Hello!
> >
> > On Tue, Apr 07, 2015 at 12:26:23AM -0400, bughunter wrote:
> >
> > [...]
> >
> > > > > So how do I enable OCSP stapling for my vhosts when the default
> > > > server cert
> > > > > is self-signed? This seems like a potential bug in the nginx
> > SSL
> > > > module.
> > > >
> > > > Just enable ssl_stapling in appropriate server{} blocks.
> > >
> > > As far as I can tell, I'm already doing that:
> > >
> > > http://pastebin.com/Ymb5hxDP
> >
> > The configuration you are testing with seems to be
> > overcomplicated. Nevertheless, it should work assuming correct
> > certificates are supplied and OCSP responder works fine. What
> > makes you think that it doesn't work?
>
> Running the 'openssl s_client' command only returns "OCSP response: no
> response sent" as evidenced here (I've replaced the actual domain with
> "mydomain.org" in the command):
>
> # openssl s_client -servername mydomain.org -connect mydomain.org:443 -tls1
> -tlsextdebug -status
> CONNECTED(00000003)
> TLS server extension "server name" (id=0), len=0
> TLS server extension "renegotiation info" (id=65281), len=1
> 0001 - <SPACES/NULS>
> TLS server extension "EC point formats" (id=11), len=4
> 0000 - 03 00 01 02 ....
> TLS server extension "session ticket" (id=35), len=0
> TLS server extension "heartbeat" (id=15), len=1
> 0000 - 01 .
> OCSP response: no response sent
> ...
Note that a connection with a Sertificate Status Request will only
return a status if it is already loaded. If there is no OCSP
status available in the worker process, nginx will return no OCSP
status, but will initiate a request to OCSP responder. That is,
it may take a while before OCSP status will be available - even if
everything works fine.
[...]
> And the OCSP responder itself is working fine because Firefox is working
> fine (for the moment) and I can also ping the OCSP responder and access the
> OCSP responder directly using the URL in the certificate from the server
Note that this isn't really indicate anything: there are two forms of
OCSP requests, POST and GET. And Firefox uses POST, while nginx
uses GET. Given the fact that the responder was completely broken
just a few days ago - it's quite possible that it's still broken
for GETs in some cases.
> that nginx sits on. The CA's OCSP responder went down for a few hours a
> couple of days ago, which caused my browser (Firefox) to freak out and deny
> access to my own website. At that point I went about figuring out setting
> up OCSP stapling to prevent the issue from reoccurring in the future. The
> certificate has the v3 OCSP extension in it and it points at a valid
> location. There aren't any errors in the nginx logs about attempts to
> retrieve OCSP responses and failing. There are no errors, warnings, or
> notices during startup of nginx. I've reloaded and restarted nginx many
> times, rebooted the whole system one time, and run the "openssl s_client"
> command a bunch of times after each "long-shot" configuration adjustment
> (and reverted shortly after back to the config you saw in the pastebin).
I would recommend the following:
- test a trivial config with a single server{} block with the
certificate and "ssl_stapling on", nothing more; this should
rule out problems related to OCSP response verification, as well
as well as problems related to default vs. non-default server
you've claimed.
- try using debugging log to see what happens on low level in
nginx (see http://nginx.org/en/docs/debugging_log.html), and
tcpdump to see what happens on the wire between nginx and OCSP
responder.
--
Maxim Dounin
http://nginx.org/
More information about the nginx
mailing list