There is a newer OCSP response but was not provided by the server
Maxim Dounin
mdounin at mdounin.ru
Wed Sep 23 12:33:19 UTC 2015
Hello!
On Tue, Sep 22, 2015 at 05:21:27PM -0400, 173279834462 wrote:
> The purpose of the ssl_stapling_file was to prime the cache. Without that
> file, openssl says "OCSP response: no response sent". For nginx to load the
> cache by itself, clients have to hit the same worker process a few times. I
> currently have 8 worker processes, which means that the server needs at
> least 8 simultaneous clients who are knowledgeable and patient enough to hit
> the server a few times, purging the cache of their browser each time. This
> does not seem to work all the time, however. I have a www to non-www
> redirection with stapling enabled on both. Hitting www does not fill the
> cache, and I keep seeing "OCSP response: no response sent". Am I missing
> something?
Yes. Two basic points:
- The ssl_stapling_file directive completely replaces nginx OCSP
stapling logic, and it can't be used to only provide some
"initial" OCSP response; it is to be used when you want to
implement your own OCSP distribution logic (e.g., on a server
without direct access to OCSP responder), and/or for debugging.
- OCSP responses are loaded once nginx sees connections with
Certificate Status Request TLS extension, i.e., a client asks
nginx to provide stapled OCSP response (and this happens
per-worker). Though not providing an OCSP response isn't a
problem at all as OCSP stapling is just an optimization, and
there is no need to care about pre-caching things. As long as there
are clients who ask your server about an OCSP response - nginx
will load it and will provide it to clients as needed.
--
Maxim Dounin
http://nginx.org/
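The per-worker loading that Maxim describes means a single `openssl s_client -status` check can report "no response sent" on a correctly configured server simply because that worker has not yet fetched its response. The script below is an added example, not code from the thread or from the nginx project: it classifies `s_client -status` output and, when given a hostname, repeats the probe several times so you can see the staple appear as each worker warms up. The sample transcripts are constructed and abridged, and the hostname, port and probe count are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the nginx list thread): probe a TLS server for a
# stapled OCSP response the way `openssl s_client -status` does, repeating
# the probe because nginx loads the response per worker process on the first
# connection that sends the Certificate Status Request TLS extension.
# Hostname, port and probe count are assumptions used for illustration.

# Classify one s_client -status transcript: prints "stapled", "none" or "unknown".
classify_status_output() {
    # $1 = text captured from `openssl s_client -status`
    if printf '%s\n' "$1" | grep -q 'OCSP Response Status: successful'; then
        echo stapled
    elif printf '%s\n' "$1" | grep -q 'OCSP response: no response sent'; then
        echo none
    else
        echo unknown
    fi
}

# Constructed sample transcripts (abridged; not captured from a real server).
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
======================================'
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent
depth=0 CN = example.test'

# Probe a live host N times and count how many handshakes carried a staple.
# Prints the count; needs network access and an openssl binary on PATH.
count_stapled() {
    host=$1; port=${2:-443}; tries=${3:-8}; hits=0; i=0
    while [ "$i" -lt "$tries" ]; do
        out=$(openssl s_client -connect "$host:$port" -servername "$host" \
              -status </dev/null 2>/dev/null)
        if [ "$(classify_status_output "$out")" = stapled ]; then
            hits=$((hits + 1))
        fi
        i=$((i + 1))
    done
    echo "$hits"
}

# Usage: sh ocsp_probe.sh example.test 443 8   (hostname is a placeholder)
if [ -n "$1" ]; then
    tries=${3:-8}
    hits=$(count_stapled "$1" "${2:-443}" "$tries")
    echo "$hits of $tries handshakes to $1 carried a stapled OCSP response"
fi
```

If the count climbs toward the number of probes over successive runs, stapling is working and you were only seeing cold workers; if it stays at zero after many probes, look at the `ssl_stapling`, `ssl_trusted_certificate` and `resolver` settings rather than at cache priming. Each probe opens a fresh connection, so whether it lands on a warm or cold worker depends on how the kernel distributes accepts.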