There is a newer OCSP response but was not provided by the server

173279834462 nginx-forum at nginx.us
Wed Sep 23 13:42:32 UTC 2015


> Though not providing an OCSP response isn't a problem at all 
> as OCSP stapling is just an optimization, and

Well, it *is* a problem. 

Without stapling, each client that hits our server also hits the ocsp
server. 
In our case, the ocsp server is overloaded (StartSSL), and therefore we
can help by caching the response and delivering it ourselves. 

There is another, more general problem: ocsp servers may log the hits.
Although this may not happen with StartSSL (we do not know for sure), 
it is still a concern on privacy of clients and profiling of all sorts. 

> there is no need to care about pre-caching things.

If it works, yes. 
If it does not work, then we must update manually. 
One wants to avoid the latter case. 

> As long as there are clients who ask your server about an OCSP response 
> - nginx will load it and will provide it to clients as needed.

It is *not* working. Please move on with the wishful thinking. It would be
great if things were as you say. In reality, they are not. 

I think we agree that the following openssl test would be sufficient
and good to ask the server about an OCSP response. In practice, 
nginx is still not delivering as intended. 

echo QUIT \
   | openssl s_client \
   -CAfile /etc/ssl/ca-bundle.pem \
   -connect $fqdn:443 \
   -servername $fqdn \
   -tlsextdebug \
   -status 2>&1

where fqdn is the server's address.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,261716,261767#msg-261767
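The openssl probe in the post above shows the raw `s_client -status` transcript but leaves reading it to the human. The following shell snippet is an added example, not code from the post or from the nginx project: it wraps that same probe in a function and classifies the output as "stapled" (the server sent an OCSP response), "missing" (openssl reported "no response sent"), or "unknown". The function names `ocsp_staple_status` and `probe_server`, the default CA bundle path and the two sample transcripts are assumptions constructed for the example; only the marker strings are what openssl actually prints.

```shell
#!/bin/sh
# Added example (not from the original post): classify the OCSP stapling
# state in the output of `openssl s_client -status`.

# Reads an s_client transcript on stdin and prints one word:
#   stapled  - an OCSP response was sent in the handshake
#   missing  - openssl reported "OCSP response: no response sent"
#   unknown  - neither marker found (connection failure, other error)
ocsp_staple_status() {
    out=$(cat)
    case "$out" in
        *"OCSP Response Status: successful"*) echo stapled ;;
        *"OCSP response: no response sent"*)  echo missing ;;
        *)                                    echo unknown ;;
    esac
}

# Runs the same probe as the post against a live server (needs network).
# $1 is the server's fqdn, $2 an optional CA bundle (path is an assumption).
probe_server() {
    fqdn=$1
    ca_bundle=${2:-/etc/ssl/ca-bundle.pem}
    echo QUIT \
      | openssl s_client \
        -CAfile "$ca_bundle" \
        -connect "$fqdn:443" \
        -servername "$fqdn" \
        -tlsextdebug \
        -status 2>&1 \
      | ocsp_staple_status
}

# Constructed sample transcripts (abridged) so the classifier can be
# exercised offline; the marker lines match openssl's real wording.
SAMPLE_STAPLED='CONNECTED(00000003)
TLS server extension "status request" (id=5), len=0
OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
======================================'

SAMPLE_MISSING='CONNECTED(00000003)
OCSP response: no response sent
---'

# Usage: sh check_ocsp.sh example.org   (hypothetical file name)
if [ -n "${1:-}" ]; then
    probe_server "$1"
fi
```

Because the quoted reply says nginx loads the response in reaction to client requests, a single probe may not be conclusive; running `probe_server` a second time after a short pause distinguishes "never staples" from "not yet loaded".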
