OCSP malformedrequest with 1.9.7 and openssl 1.0.2e

agruener nginx-forum at nginx.us
Fri Dec 4 22:40:02 UTC 2015


Hello,

OCSP is not working on my Raspberry Pi 2 with nginx 1.9.7 and OpenSSL 1.0.2e.
I have compiled both together.

tail /var/log/nginx/error.log

2015/12/04 22:28:21 [error] 14841#0: OCSP response not successful (1:
malformedrequest) while requesting certificate status, responder:
ocsp.startssl.com
2015/12/04 22:28:29 [error] 14841#0: OCSP response not successful (1:
malformedrequest) while requesting certificate status, responder:
ocsp.startssl.com
2015/12/04 22:28:30 [error] 14842#0: OCSP response not successful (1:
malformedrequest) while requesting certificate status, responder:
ocsp.startssl.com

Got the ca-bundle.pem from https://www.startssl.com/certs/?C=S;O=D

/etc/nginx/sites-enabled $ cat default
....
# OCSP Stapling
    ssl_stapling            on;
    ssl_stapling_verify     on;
    ssl_trusted_certificate /etc/nginx/my_ssl_certs/ca-bundle.pem;
    resolver                8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout        5s;
.....

OCSP is not working after checks with sslabs and openssl e.g.

echo QUIT | openssl s_client -connect www.mydomain.com:443 -status 2>/dev/null \
  | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'


According to https://www.ietf.org/rfc/rfc2560.txt the error says:
....
OCSPResponseStatus ::= ENUMERATED {
       malformedRequest      (1),  --Illegal confirmation request
....
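To make the error log and the s_client check above easier to act on, here is an added example (not code from the original post or from nginx): it unwraps the mail-wrapped nginx error lines, maps the numeric OCSPResponseStatus to the RFC 2560 name, counts failures per responder, and decides from `openssl s_client -status` output whether a stapled, good response with a Next Update was actually delivered. The log lines, the responder name `ocsp.example.test` and the s_client transcript are constructed samples.

```python
"""Decode nginx OCSP-stapling failures and check s_client -status output.

Added example, not part of the original post. All sample inputs below
are constructed for illustration.
"""
import re
from collections import Counter

# OCSPResponseStatus values from RFC 2560 section 4.2.1. The post quotes
# malformedRequest (1); the others are the remaining enumerated values
# (value 4 is not assigned in the RFC).
OCSP_RESPONSE_STATUS = {
    0: "successful",
    1: "malformedRequest",
    2: "internalError",
    3: "tryLater",
    5: "sigRequired",
    6: "unauthorized",
}

# nginx logs: "OCSP response not successful (1: malformedrequest) while
# requesting certificate status, responder: ocsp.example.test"
_OCSP_ERR = re.compile(
    r"OCSP response not successful \((?P<code>\d+): (?P<name>\w+)\)"
    r".*responder: (?P<responder>\S+)"
)
_TIMESTAMP = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} ")


def _unwrap(text):
    """Re-join log records that a mail client wrapped onto several lines.

    nginx writes one record per line; a line that does not start with a
    timestamp is treated as the continuation of the previous record.
    """
    records = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if _TIMESTAMP.match(raw) or not records:
            records.append(raw)
        else:
            records[-1] += " " + raw.strip()
    return records


def parse_ocsp_failures(log_text):
    """Return (responder, status_code, status_name) for each failed fetch.

    The name comes from the RFC table; if nginx ever prints a code that is
    not in the table, the lower-cased name nginx printed is kept instead.
    """
    failures = []
    for record in _unwrap(log_text):
        m = _OCSP_ERR.search(record)
        if not m:
            continue
        code = int(m.group("code"))
        name = OCSP_RESPONSE_STATUS.get(code, m.group("name"))
        failures.append((m.group("responder"), code, name))
    return failures


def summarize(failures):
    """Count failures per (responder, status_name) for alerting/dashboards."""
    return Counter((responder, name) for responder, _, name in failures)


def stapling_ok(s_client_output):
    """Judge `openssl s_client -status` output: (ok, reason).

    Mirrors the grep in the post but also distinguishes "no response sent"
    (server has nothing cached to staple) from a stapled-but-bad response.
    """
    if "OCSP response:" not in s_client_output:
        return False, "no OCSP section in output (was -status passed?)"
    if "OCSP response: no response sent" in s_client_output:
        return False, "no response stapled (fetch failed or stapling off)"
    if "OCSP Response Status: successful" not in s_client_output:
        return False, "stapled response status not successful"
    m = re.search(r"Cert Status: (\w+)", s_client_output)
    if not m or m.group(1) != "good":
        return False, "cert status " + (m.group(1) if m else "missing")
    if "Next Update:" not in s_client_output:
        return False, "stapled response carries no Next Update"
    return True, "stapled response good"


# Constructed sample: two wrapped error records plus an unrelated notice.
SAMPLE_LOG = """\
2015/12/04 22:28:21 [error] 14841#0: OCSP response not successful (1:
malformedrequest) while requesting certificate status, responder:
ocsp.example.test
2015/12/04 22:28:29 [error] 14841#0: OCSP response not successful (3:
trylater) while requesting certificate status, responder:
ocsp.example.test
2015/12/04 22:28:30 [notice] 14842#0: signal process started
"""

# Constructed s_client -status excerpts for a stapled and a non-stapled server.
STAPLED_OK = """\
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Dec  4 00:00:00 2015 GMT
    Next Update: Dec 11 00:00:00 2015 GMT
======================================
"""
NO_STAPLE = "OCSP response: no response sent\n"

if __name__ == "__main__":
    for responder, code, name in parse_ocsp_failures(SAMPLE_LOG):
        print(f"{responder}: {code} ({name})")
    print(dict(summarize(parse_ocsp_failures(SAMPLE_LOG))))
    print(stapling_ok(STAPLED_OK))
    print(stapling_ok(NO_STAPLE))
```

On a live box, feed `stapling_ok` the output of the s_client command from the post; "no response sent" right after a restart is expected, since nginx fetches the response lazily, whereas a persistent "no response sent" together with malformedRequest entries in the error log points at the responder request, not at the client.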

My StartSSL certificates are SHA2
(https://www.startssl.com/certs/class1/sha2/pem/)


In /etc/nginx/sites-enabled/ I have more than one config / domain
configured. But it does not matter whether I only configure OCSP in every
single file or just default.

I only found a bug message here: "OpenSSL OCSP Bad Request"
(http://jfcarter.net/~jimc/documents/bugfix/21-openssl-ocsp.html) saying you
have to add: -header "HOST" "ocsp.startssl.com"


My options for compiling openssl & nginx have been

./config --prefix=$STATICLIBSSL no-ssl2 no-ssl3 no-shared \
&& make depend \
&& make \
&& make install_sw


./configure --with-cc-opt="-I $STATICLIBSSL/include -I/usr/include" \
--with-ld-opt="-L $STATICLIBSSL/lib -Wl,-rpath -lssl -lcrypto -ldl -lz" \
--sbin-path=/usr/sbin/nginx \
--conf-path=/etc/nginx/nginx.conf \
--pid-path=/var/run/nginx.pid \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--with-pcre=$BPATH/$VERSION_PCRE \
--with-http_ssl_module \
--with-http_v2_module \
--with-file-aio \
--with-ipv6 \
--with-http_gzip_static_module \
--with-http_stub_status_module \
--without-mail_pop3_module \
--without-mail_smtp_module \
--without-mail_imap_module \
&& make && make install


Any ideas ?

Thanks in advance,
Alexander

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,263279,263279#msg-263279