How to check nginx OCSP verification
B.R.
reallfqq-nginx at yahoo.fr
Tue Mar 1 17:12:42 UTC 2016
I do not want to validate OCSP responses client-side, which are OK.
I want to have details about the status nginx' validation of the initial
OCSP query it did to the OCSP responder of the CA, especially when it goes
wrong.
I noted that even though ssl_trusted_certificate is not set or set with a
wrong (set of) certificate(s), a cached OCSP response will served by nginx
to the client after an initial request has been made to a domain hosted by
it and served through TLS.
I want to know the consequences of having such a directive badly configured
:
- error.log message? Found nothing
- modified OCSP response? Nope
- ...
What am I supposed to notice and where/when?
---
*B. R.*
On Tue, Mar 1, 2016 at 5:33 PM, Alt <nginx-forum at forum.nginx.org> wrote:
> Hello,
>
> You can check with this command found on this website:
> https://unmitigatedrisk.com/?p=100
> openssl s_client -connect login.live.com:443 -tls1 -tlsextdebug -status
>
> If everything goes well, you should find something like:
> "OCSP response:
> ======================================
> OCSP Response Data:
> OCSP Response Status: successful (0x0)
> Response Type: Basic OCSP Response
> ..."
>
> If there's no stapling, you'll get:
> "OCSP response: no response sent".
>
> Please note: when you restart nginx, you won't get an OCSP answer
> immediatly. You'll have to visit the URL and wait a few seconds before
> having the stapling working for the next request. IIRC, this behavior is
> because OCSP servers may be slow to answer.
>
> Best Regards
>
> Posted at Nginx Forum:
> https://forum.nginx.org/read.php?2,264967,264977#msg-264977
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20160301/cb1abd76/attachment.html>
More information about the nginx
mailing list