There is a newer OCSP response but was not provided by the server

Maxim Dounin mdounin at mdounin.ru
Wed Sep 23 14:49:27 UTC 2015


Hello!

On Wed, Sep 23, 2015 at 09:42:32AM -0400, 173279834462 wrote:

> > Though not providing an OCSP response isn't a problem at all 
> > as OCSP stapling is just an optimization, and
> 
> Well. it *is* a problem. 
> 
> Without stapling, each client that hits our server also hits the ocsp
> server. 
> In our case, the ocsp server is overloaded (StartSSL), and therefore we
> can help by caching the response and delivering it ouselves. 

The problem here is that OCSP server is overloaded.  The fact that
nginx isn't able to provide help in this situation to a few first 
connections is at most lack of optimisation.

> There is another, more general problem: ocsp servers may log the hits.
> Although this may not happen with StartSSL (we do not know for sure), 
> it is still a concern on privacy of clients and profiling of all sorts. 

That's the problem with OCSP, not with nginx.  Clients who 
consider this to be a problem can use other ways to check 
certificate validity, including CRLs and CRLsets.

> > there is no need to care about pre-caching things.
> 
> If it works, yes. 
> If it does not work, then we must update manually. 
> One wants to avoid the latter case. 

Consider switching to a CA which works?

If you OCSP server is overloaded and not able to respond to 
requests, nginx won't be able to load an OCSP response as 
well, and nothing would help.

If your OCSP server is responding - at least to some requests - 
nginx eventually will be able to load a response and will start 
serving it to clients.

> > As long as there are clients who ask your server about an OCSP response 
> >- nginx will load it and will provide it to clients as needed.
> 
> It is *not* working. Please move on with the wishful thinking. It would be
> great if things were as you say. In reality, they are not. 
> 
> I think we agree that the following openssl test would be sufficient
> and good to ask the server about an OCSP response. In practice, 
> nginx is still not delivering as intended. 
> 
> echo QUIT \
>    | openssl s_client \
>    -CAfile /etc/ssl/ca-bundle.pem \
>    -connect $fqdn:443 \
>    -servername $fqdn \
>    -tlsextdebug \
>    -status 2>&1
> 
> where fqdn is the server's address.

I believe I already explained how it works, but let me repeat.  As 
soon nginx sees an connection with Certificate Status Request TLS 
extension, it will start loading an OCSP response from you CA OCSP 
responder.  Once the response is loaded, it will be stapled to 
further connections.  It is not possible to return an OCSP 
response in connection which was first to request it due to 
OpenSSL API limitations and the fact that loading a response can 
take a while.

That is, assuming 1 worker process and just started nginx, an OCSP 
staple is expected to be returned on the second connection with 
"openssl s_client -status ...".

Note though that if your CA OCSP responder is overloaded and not 
responding, it is likely that nginx won't be able to load a 
response, much like your clients.  In this case nginx will retry 
loading a response each 5 minutes.

As far as I understand, what you are asking about is a persistent 
cache of OCSP responses, to mitigate your CA's OCSP responder 
availability issues.  This is not a feature currently available in 
nginx (and you've choosen very wrong way to ask for a feature in 
an open source project).

-- 
Maxim Dounin
http://nginx.org/



More information about the nginx mailing list