OCSP malformedrequest with 1.9.7 and openssl 1.0.2e
agruener
nginx-forum at nginx.us
Fri Dec 4 22:40:02 UTC 2015
Hello,
OCSP is not working on my Raspberry Pi 2 with nginx 1.9.7 and OpenSSL 1.0.2e.
I have compiled both together.
tail /var/log/nginx/error.log
2015/12/04 22:28:21 [error] 14841#0: OCSP response not successful (1: malformedrequest) while requesting certificate status, responder: ocsp.startssl.com
2015/12/04 22:28:29 [error] 14841#0: OCSP response not successful (1: malformedrequest) while requesting certificate status, responder: ocsp.startssl.com
2015/12/04 22:28:30 [error] 14842#0: OCSP response not successful (1: malformedrequest) while requesting certificate status, responder: ocsp.startssl.com
Got the ca-bundle.pem from https://www.startssl.com/certs/?C=S;O=D
/etc/nginx/sites-enabled $ cat default
....
# OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/my_ssl_certs/ca-bundle.pem;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
.....
OCSP is not working after checks with SSL Labs and openssl, e.g.
echo QUIT | openssl s_client -connect www.mydomain.com:443 -status 2>/dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'
According to https://www.ietf.org/rfc/rfc2560.txt the error says:
....
OCSPResponseStatus ::= ENUMERATED {
malformedRequest (1), --Illegal confirmation request
....
My StartSSL certificates are SHA2
(https://www.startssl.com/certs/class1/sha2/pem/)
In /etc/nginx/sites-enabled/ I have more than one config / domain
configured. But it does not matter whether I only configure OCSP in every
single file or just in default.
I only found a bug report here: "OpenSSL OCSP Bad Request"
(http://jfcarter.net/~jimc/documents/bugfix/21-openssl-ocsp.html) saying you
have to add: -header "HOST" "ocsp.startssl.com"
My options for compiling openssl & nginx have been
./config --prefix=$STATICLIBSSL no-ssl2 no-ssl3 no-shared \
&& make depend \
&& make \
&& make install_sw
# -Wl,-rpath takes a directory argument; without it the linker would treat the
# next option (-lssl) as the rpath value
./configure --with-cc-opt="-I $STATICLIBSSL/include -I/usr/include" \
--with-ld-opt="-L $STATICLIBSSL/lib -Wl,-rpath,$STATICLIBSSL/lib -lssl -lcrypto -ldl -lz" \
--sbin-path=/usr/sbin/nginx \
--conf-path=/etc/nginx/nginx.conf \
--pid-path=/var/run/nginx.pid \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--with-pcre=$BPATH/$VERSION_PCRE \
--with-http_ssl_module \
--with-http_v2_module \
--with-file-aio \
--with-ipv6 \
--with-http_gzip_static_module \
--with-http_stub_status_module \
--without-mail_pop3_module \
--without-mail_smtp_module \
--without-mail_imap_module \
&& make && make install
Any ideas?
Thanks in advance,
Alexander
Posted at Nginx Forum: https://forum.nginx.org/read.php?2,263279,263279#msg-263279
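As an added example (not from the original post, nor from nginx or OpenSSL): a small POSIX shell helper that classifies the stapling result in `openssl s_client -status` output, so a responder error such as the "malformedrequest" above is visible from the client side too. It runs here on constructed sample output; the `live_stapling_status` function and its host argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Classifies the stapling result
# in `openssl s_client -status` output so a failed staple shows up as the
# responder's status string (e.g. "malformedrequest") instead of silence.
# Read s_client output on stdin; print one of:
#   none                 - server sent no stapled response
#   good|revoked|unknown - certificate status from the stapled response
#   error:<status>       - responder returned a non-successful status
ocsp_stapling_status() {
    awk '
        /^OCSP response: no response sent/ { print "none"; found = 1; exit }
        /OCSP Response Status:/ && $0 !~ /successful \(0x0\)/ {
            sub(/.*OCSP Response Status: /, ""); print "error:" $0; found = 1; exit
        }
        /Cert Status:/ { sub(/.*Cert Status: /, ""); print; found = 1; exit }
        END { if (!found) print "none" }
    '
}

# Print the "Next Update" time of the stapled response (when it expires).
ocsp_next_update() {
    sed -n 's/^[[:space:]]*Next Update: //p' | head -n 1
}

# Live check against a host (assumed name; needs network, not run here).
live_stapling_status() {
    echo QUIT | openssl s_client -connect "$1:443" -servername "$1" -status 2>/dev/null \
        | ocsp_stapling_status
}

# Constructed samples in the layout OpenSSL uses for s_client -status output.
SAMPLE_GOOD='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
    This Update: Dec  4 12:00:00 2015 GMT
    Next Update: Dec  6 12:00:00 2015 GMT
======================================'
SAMPLE_NONE='OCSP response: no response sent'
SAMPLE_MALFORMED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: malformedrequest (0x1)
======================================'

printf '%s\n' "$SAMPLE_GOOD" | ocsp_stapling_status        # good
printf '%s\n' "$SAMPLE_GOOD" | ocsp_next_update            # Dec  6 12:00:00 2015 GMT
printf '%s\n' "$SAMPLE_NONE" | ocsp_stapling_status        # none
printf '%s\n' "$SAMPLE_MALFORMED" | ocsp_stapling_status   # error:malformedrequest (0x1)
```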