How to enable OCSP stapling when default server is self-signed?
Maxim Dounin
mdounin at mdounin.ru
Wed Sep 28 21:14:22 UTC 2016
Hello!
On Wed, Sep 28, 2016 at 12:44:45PM -0400, hotwirez wrote:
[...]
> I wanted to mention that I've run into this issue as well when trying to
> enable OCSP stapling, where I have a default_deny SSL server that has a
> self-signed certificate where I don't want to use OCSP stapling, and other
> actual server entries for actual sites where I want OCSP stapling enabled.
> If I enable stapling for only the real sites, it appears to be silently
> disabled. If I enable it for all server instances, it notices that the
> default server uses a self-signed certificate and disables stapling. If I
> remove the default server, OCSP stapling works for the remaining sites, but
> then accessing the site using a means other than the correct server name
> provides the SSL certificate for one of the servers.
Problems with OCSP stapling if it is disabled in the default
server{} block were traced to an OpenSSL bug, silently fixed in
1.0.0m/1.0.1g/1.0.2. See here for details:
https://trac.nginx.org/nginx/ticket/810
If you see the problem, it means you have to update the OpenSSL
library you are using.
--
Maxim Dounin
http://nginx.org/
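The following is an added example, not code from the thread or from nginx. It puts the advice above into a checkable form: a POSIX sh function that decides whether an `openssl version` string names a build at or past the releases Maxim lists as fixed (1.0.0m, 1.0.1g, 1.0.2), a helper that asks a live server for a stapled OCSP response over SNI, and the server{} layout the original poster described (self-signed default_server with stapling off, real site with stapling on). Certificate paths, the host name `example.com`, and the `resolver` address are placeholders; the sample version strings are constructed for the check.

```shell
#!/bin/sh
# Added example (not from the nginx mailing list thread).
# Only OpenSSL version strings are handled; LibreSSL is out of scope.

openssl_has_stapling_fix() {
    # $1 is the output of `openssl version`,
    # e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013".
    ver=$(printf '%s\n' "$1" | awk '{ print $2 }' | sed 's/-.*//')  # 1.0.1e
    num=${ver%%[a-z]*}       # numeric part:   1.0.1
    letter=${ver#"$num"}     # patch letter:   e (may be empty)
    major=${num%%.*}
    rest=${num#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ -n "$major" ] || return 1
    if [ "$major" -gt 1 ]; then return 0; fi   # 3.x and later
    if [ "$major" -lt 1 ]; then return 1; fi   # 0.9.8 line never got the fix
    if [ "$minor" -ge 1 ]; then return 0; fi   # 1.1.x and later
    # 1.0.x: the fix landed in 1.0.0m, 1.0.1g and the first 1.0.2 release
    case "$patch" in
        0) case "$letter" in [m-z]*) return 0 ;; *) return 1 ;; esac ;;
        1) case "$letter" in [g-z]*) return 0 ;; *) return 1 ;; esac ;;
        *) [ "$patch" -ge 2 ] && return 0; return 1 ;;
    esac
}

check_stapling() {
    # $1 host:port to connect to, $2 SNI name to request.
    # Succeeds only if the server staples an OCSP response for that name.
    # Needs network access; not exercised by the offline checks below.
    printf 'QUIT\n' | openssl s_client -connect "$1" -servername "$2" -status 2>/dev/null \
        | grep -q 'OCSP Response Status: successful'
}

example_nginx_conf() {
    # Hypothetical layout: stapling off for the self-signed catch-all,
    # on for the real site. Paths and names are placeholders.
    cat <<'EOF'
http {
    resolver 127.0.0.1;                      # placeholder: resolver for OCSP responder lookups

    server {
        listen 443 ssl default_server;
        server_name _;
        ssl_certificate     /etc/nginx/selfsigned.crt;   # placeholder path
        ssl_certificate_key /etc/nginx/selfsigned.key;   # placeholder path
        ssl_stapling off;                    # no issuer, nothing to staple
        return 444;                          # drop requests that miss every server_name
    }

    server {
        listen 443 ssl;
        server_name example.com;             # placeholder name
        ssl_certificate     /etc/nginx/example.com.fullchain.pem;  # placeholder path
        ssl_certificate_key /etc/nginx/example.com.key;            # placeholder path
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/nginx/example.com.chain.pem;  # placeholder path
    }
}
EOF
}

# Report whether the local OpenSSL predates the fix Maxim refers to.
if command -v openssl >/dev/null 2>&1; then
    if openssl_has_stapling_fix "$(openssl version)"; then
        echo "local OpenSSL has the stapling fix: $(openssl version)"
    else
        echo "local OpenSSL predates the fix; update before debugging the config"
    fi
fi
```

With a fixed OpenSSL and the layout printed by `example_nginx_conf`, `check_stapling example.com:443 example.com` should succeed while the same call with the server's bare IP as SNI name fails, which is exactly the split the original poster was trying to get: stapling on the real site, none on the self-signed catch-all.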