Multi Certificate Support with OCSP not working right

Maxim Dounin mdounin at mdounin.ru
Thu Sep 8 21:11:37 UTC 2016


Hello!

On Sat, Sep 03, 2016 at 09:09:19AM -0400, mastercan wrote:

> When using 2 certificates, 1 RSA (using AlphaSSL) and 1 ECDSA (using Let's
> Encrypt), and I try to connect via RSA SSL connection, nginx throws this
> error:
> 
> "OCSP response not successful (6: unauthorized) while requesting certificate
> status, responder: ocsp.int-x3.letsencrypt.org"
> 
> So it is using the wrong responder.
> 
> Following build (custom compiled):
> Nginx 1.11.3
> Openssl 1.1.0
> 
> AFAIK OpenSSL 1.1.0 should support multiple certificate chains. I don't
> quite understand why OCSP then is not working right?

It looks like there is a bug which prevents nginx from using 
different OCSP responders when using OCSP stapling with multiple 
certificates.  It uses the responder from the last certificate in 
the server{} block for all OCSP requests.

Please try the following patch:

# HG changeset patch
# User Maxim Dounin <mdounin at mdounin.ru>
# Date 1473367064 -10800
#      Thu Sep 08 23:37:44 2016 +0300
# Node ID 2037cc64cdceb5b8cb36103cdd9d00e05b8e7ec3
# Parent  4a16fceea03bde6653e05d337e87907f085535b3
OCSP stapling: fixed using wrong responder with multiple certs.

diff --git a/src/event/ngx_event_openssl_stapling.c 
b/src/event/ngx_event_openssl_stapling.c
--- a/src/event/ngx_event_openssl_stapling.c
+++ b/src/event/ngx_event_openssl_stapling.c
@@ -376,6 +376,7 @@ ngx_ssl_stapling_responder(ngx_conf_t *c
 {
     ngx_url_t                  u;
     char                      *s;
+    ngx_str_t                  rsp;
     STACK_OF(OPENSSL_STRING)  *aia;
 
     if (responder->len == 0) {
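Review bot: the new local `rsp` is declared without a comment saying why it exists; since its only job is to receive the URL extracted from the certificate's AIA extension so that the caller's `ngx_str_t` is never written to, a short comment at the declaration (e.g. `/* local copy: the caller's responder must stay untouched */`) would save the next reader from having to reconstruct the multi-certificate bug from the second hunk.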
@@ -403,6 +404,8 @@ ngx_ssl_stapling_responder(ngx_conf_t *c
             return NGX_DECLINED;
         }
 
+        responder = &rsp;
+
         responder->len = ngx_strlen(s);
         responder->data = ngx_palloc(cf->pool, responder->len);
         if (responder->data == NULL) {
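Review bot: `rsp` is stack-local, so after `responder = &rsp;` nothing executed later in this function may retain the `responder` pointer itself, only the string value it carries; the bytes are safe because `responder->data` is allocated from `cf->pool`, but it is worth confirming that the parsing code that follows copies `responder->data`/`responder->len` (for example into the `ngx_url_t u` declared at the top) rather than storing the pointer. This redirection is the whole fix: without it, the AIA URL of one certificate was written back into the shared configuration string and `responder->len == 0` was false for every later certificate, which is how the Let's Encrypt responder ended up being asked about the AlphaSSL certificate and answered "unauthorized".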

-- 
Maxim Dounin
http://nginx.org/
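A client-side way to verify the behaviour discussed in this thread, added here as an example and not taken from the thread or from nginx: connect twice, steering the server towards its RSA certificate and then its ECDSA certificate, and compare the stapled OCSP response seen on each handshake. It assumes an `openssl s_client` that supports `-status` and `-sigalgs` (1.0.2 or later); the host, port and responder names are placeholders.

```shell
#!/bin/sh
# Added verification script (not part of the thread or of nginx). With the bug
# described above, the certificate whose responder nginx could not query
# typically has nothing to staple ("no response sent"); after the fix both
# connections show "successful" with each certificate's own responder.
# Assumes openssl s_client with -status and -sigalgs (OpenSSL 1.0.2+).

# stapling_summary: read `openssl s_client -status` output on stdin, print
# "<status>|<responder id>", return 0 only if a successful response was stapled.
stapling_summary() {
    input=$(cat)
    status=$(printf '%s\n' "$input" \
        | sed -n 's/^[[:space:]]*OCSP Response Status: \([a-z]*\).*/\1/p' | head -n 1)
    responder=$(printf '%s\n' "$input" \
        | sed -n 's/^[[:space:]]*Responder Id: //p' | head -n 1)
    if [ -z "$status" ]; then
        echo "none|"          # "OCSP response: no response sent" or no output at all
        return 1
    fi
    echo "$status|$responder"
    [ "$status" = "successful" ]
}

# probe HOST PORT: one handshake per signature algorithm family, so the server
# selects its RSA certificate first and its ECDSA certificate second.
probe() {
    for alg in RSA+SHA256 ECDSA+SHA256; do
        summary=$(openssl s_client -connect "$1:$2" -servername "$1" -status \
                      -sigalgs "$alg" </dev/null 2>/dev/null | stapling_summary) || true
        echo "$alg: $summary"
    done
}

# Constructed sample of `s_client -status` output (shape only; names are placeholders).
SAMPLE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Responder Id: C = US, O = Example CA, CN = Example OCSP Responder'

if [ "$#" -eq 2 ]; then
    probe "$1" "$2"                                  # live check: ./check.sh host 443
else
    printf '%s\n' "$SAMPLE_STAPLED" | stapling_summary   # offline demo on the sample
fi
```

Run it with a host and port to probe a live server; without arguments it only parses the constructed sample.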
