How to enable OCSP stapling when default server is self-signed?

bughunter nginx-forum at nginx.us
Mon May 11 14:31:05 UTC 2015


173279834462 Wrote:
-------------------------------------------------------
> > Note that this doesn't really indicate anything: there are two forms
> > of OCSP requests, POST and GET. And Firefox uses POST, while nginx
> > uses GET. Given the fact that the responder was completely broken just
> > a few days ago - it's quite possible that it's still broken for GETs
> > in some cases.
> 
> To comply with local security policy, we disabled POST globally on all
> public-facing servers. 
> This has the advantage of killing web 2.0 and all of its
> vulnerabilities with one simple rule, emphasis on *killing web 2.0*. 
> Yes, the sites are read-only, and we just love it that way. 
> 
> For each vhost, 
> "ssl_certificate_key" includes the vhost's private key, 
> "ssl_certificate" includes the vhost's public key (leaf) AND the
> intermediate key of the Issuer, 
> "ssl_trusted_certificate" includes the certificate chain in full (leaf
> + intermediate + root CA), 
> all in PEM format. 
> 
> The openssl test works as expected:
> 
> vhost="<your-domain-here>"; echo Q | openssl s_client -CAfile
> /path/to/your/local/trust/store/ca-bundle.pem -tls1 -tlsextdebug
> -status -connect $vhost:443 -servername $vhost 2>&1 | less
> 
> There are two problems. 
> 
> problem 1
> -------------
> 
> nginx's "ssl_certificate" (note the singular) is truly a bundle of the
> certificate and the intermediate. 
> In fact, if we remove the intermediate, we break the chain. 
> 
> The description for "ssl_certificate" is also misleading. 
> 
> "Specifies a file with the certificate in the PEM format for the given
> virtual server. If intermediate certificates should be specified in
> addition to a primary certificate, they should be specified in the
> same file in the following order: the primary certificate comes first,
> then the intermediate certificates. A secret key in the PEM format may
> be placed in the same file. "
> http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate
> 
> 
> Although the above sentence "If intermediate certificates should be
> specified" suggests that one may omit the intermediate certificate, in
> reality you can only do this if you are the CA. I do not wish to sound
> opinionated here, because I am making an effort to stick to the facts:
> if we remove the intermediate, we do break the chain and the openssl
> test complains loudly. 
> 
> Therefore, if your own facts correspond to the above, then the
> solution is to edit nginx's source to limit "ssl_certificate" to the
> leaf's public key only, and correct the description accordingly. The
> intermediate(s) can be bundled in a separate file. 
> 
> It would be easier on the eyes to re-write the keywords as well: 
> 
> ssl_certificate_key -----> private_certificate
> ssl_certificate 1/2  ------> public_certificate
> ssl_certificate 2/2 -------> public_intermediate_certificates
> ssl_trusted_certificate -> public_ca_certificate
> 
> In so doing, the configuration would finally be unambiguous. 
> 
> problem 2
> --------------
> 
> If it is true that FF uses POST to *read*, by default, then this
> explains the original problem with OCSP, and the fact that nginx is
> well configured and openssl and other browsers do work as expected.
> Google and other search engines show that Firefox has been affected by
> this OCSP problem for a long time. Perhaps they could start using GET
> like everybody else?


Umm...please don't hijack threads.  Your issue(s) are not related to the
main thread and are even partially off-topic for nginx.  Hijacking threads
is distracting for those who run threaded clients.

My issue regarding OCSP stapling still remains unresolved.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,257833,258801#msg-258801
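The chain point raised in the quoted "problem 1" above can be checked offline. The script below is an added example, not code from the thread or from the nginx project: it builds a throwaway root, intermediate and leaf with the openssl CLI (the CA names, the host name www.example.test and all file names are made up for the demonstration) and then verifies a PEM file the way a client sees it, once with leaf + intermediate bundled and once with the leaf alone.

```sh
#!/bin/sh
# Added example (not from the thread): build a throwaway root -> intermediate
# -> leaf chain with openssl and compare the two "ssl_certificate" layouts the
# quoted post discusses: leaf alone versus leaf + intermediate in one PEM file.
# All names (Example Root CA, www.example.test, file names) are made up here.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the example does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name=dn
[dn]
[v3_root]
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
# Extensions for the intermediate CA and for the leaf (server) certificate.
cat > ca_ext.cnf <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
cat > leaf_ext.cnf <<'EOF'
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:www.example.test
EOF

# 1. Self-signed root CA: the one entry that belongs in a local trust store.
openssl req -x509 -config req.cnf -extensions v3_root -newkey rsa:2048 -nodes \
  -keyout root.key -out root.pem -subj "/CN=Example Root CA" -days 30 2>/dev/null

# 2. Intermediate CA, signed by the root.
openssl req -new -config req.cnf -newkey rsa:2048 -nodes -keyout inter.key \
  -out inter.csr -subj "/CN=Example Intermediate CA" 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -extfile ca_ext.cnf -out inter.pem 2>/dev/null

# 3. Leaf certificate for the vhost, signed by the intermediate.
openssl req -new -config req.cnf -newkey rsa:2048 -nodes -keyout leaf.key \
  -out leaf.csr -subj "/CN=www.example.test" 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 30 -extfile leaf_ext.cnf -out leaf.pem 2>/dev/null

# What nginx's ssl_certificate should hold: leaf first, then the intermediate.
cat leaf.pem inter.pem > fullchain.pem
# Candidate content for ssl_trusted_certificate: the chain above the leaf.
cat inter.pem root.pem > trusted.pem

# Count PEM certificates in a file (nginx sends every one in ssl_certificate).
count_certs() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# Verify the first certificate in $1 against the root, using only the other
# certificates in the same file as untrusted chain material. That mirrors what
# a client has to work with: the server's bundle plus its own trust store.
verify_chain() {
  openssl verify -CAfile root.pem -untrusted "$1" "$1" >/dev/null 2>&1
}

# The live check from the quoted post, wrapped as a function: report whether a
# running server ($1 = host name) staples an OCSP response. Needs network
# access to a real server, so it is not called in this offline run.
stapled_status() {
  echo Q | openssl s_client -status -connect "$1:443" -servername "$1" 2>&1 \
    | grep -q 'OCSP Response Status: successful'
}

if verify_chain fullchain.pem; then
  echo "leaf + intermediate ($(count_certs fullchain.pem) certs): chain verifies"
fi
if ! verify_chain leaf.pem; then
  echo "leaf only ($(count_certs leaf.pem) cert): chain is broken, as the post says"
fi
```

Mapped onto nginx directives, fullchain.pem is what `ssl_certificate` takes (leaf first, then the intermediate, matching the order the documentation quoted above prescribes), leaf.key goes to `ssl_certificate_key`, and trusted.pem is a suitable `ssl_trusted_certificate` once `ssl_stapling on` and `ssl_stapling_verify on` are set, since nginx uses that file to verify the OCSP response it staples.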


