How to enable OCSP stapling when default server is self-signed?
hotwirez
nginx-forum at forum.nginx.org
Thu Sep 29 13:17:32 UTC 2016
Maxim Dounin Wrote:
-------------------------------------------------------
> Hello!
>
> On Wed, Sep 28, 2016 at 12:44:45PM -0400, hotwirez wrote:
>
> [...]
>
> > I wanted to mention that I've run into this issue as well when trying to
> > enable OCSP stapling, where I have a default_deny SSL server that has a
> > self-signed certificate where I don't want to use OCSP stapling, and other
> > actual server entries for actual sites where I want OCSP stapling enabled.
> > If I enable stapling for only the real sites, it appears to be silently
> > disabled. If I enable it for all server instances, it notices that the
> > default server uses a self-signed certificate and disables stapling. If I
> > remove the default server, OCSP stapling works for the remaining sites, but
> > then accessing the site using a means other than the correct server name
> > provides the SSL certificate for one of the servers.
>
> Problems with OCSP stapling if it is disabled in the default
> server{} block were traced to be an OpenSSL bug, silently fixed in
> 1.0.0m/1.0.1g/1.0.2. See here for details:
>
> https://trac.nginx.org/nginx/ticket/810
>
> If you see the problem it means you have to update the OpenSSL
> library you are using.
>
Thank you; it's great you tracked that down! I am on OpenSSL 1.0.1f and
Nginx 1.4.6 (Ubuntu 14.04 via apt), so that makes sense. I'll upgrade.
Thanks again!
Posted at Nginx Forum: https://forum.nginx.org/read.php?2,257833,269955#msg-269955
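For reference, the layout described in this thread (a catch-all default server with a self-signed certificate and stapling left off, alongside a real site with stapling on) written out as an nginx configuration. This is an added example, not configuration posted by anyone in the thread; hostnames, certificate paths and the resolver address are placeholders. As Maxim notes above, on an OpenSSL older than 1.0.0m/1.0.1g/1.0.2 this exact layout is what triggers the bug, so check `openssl version` on the host before debugging the config itself.

```nginx
# Added example, not from the thread. Paths, names and resolver are assumptions.

# Catch-all server: connections with no matching SNI name, or to the bare IP,
# land here. It carries a self-signed certificate, so there is no CA OCSP
# responder to query and ssl_stapling is left at its default (off).
server {
    listen 443 ssl default_server;
    server_name _;

    ssl_certificate     /etc/nginx/ssl/default-selfsigned.crt;   # assumed path
    ssl_certificate_key /etc/nginx/ssl/default-selfsigned.key;   # assumed path

    return 444;   # close the connection without sending a response
}

# A real site with a CA-issued certificate and OCSP stapling enabled.
server {
    listen 443 ssl;
    server_name www.example.com;   # assumed hostname

    # Leaf plus intermediates: nginx needs the issuer certificate in this
    # file to locate the OCSP responder URL and build the OCSP request.
    ssl_certificate     /etc/nginx/ssl/example.com.fullchain.pem;   # assumed path
    ssl_certificate_key /etc/nginx/ssl/example.com.key;             # assumed path

    ssl_stapling        on;
    ssl_stapling_verify on;
    # Intermediates and root used to verify the fetched OCSP response;
    # required when ssl_stapling_verify is on.
    ssl_trusted_certificate /etc/nginx/ssl/example.com.chain-with-root.pem;   # assumed path

    # nginx resolves the OCSP responder hostname at runtime. Without a
    # resolver the lookup fails and stapling is silently disabled.
    resolver 127.0.0.1 valid=300s;   # assumed local resolver
    resolver_timeout 5s;
}
```

To confirm a staple is actually being sent, connect with SNI and request the status extension: `openssl s_client -connect www.example.com:443 -servername www.example.com -status < /dev/null 2>&1 | grep -A 3 'OCSP Response Status'`. nginx fetches the OCSP response lazily after the first handshake for a given certificate, so the very first connection after a reload normally reports "OCSP response: no response sent"; run the command a second time before concluding stapling is broken. If it still reports no response on a current OpenSSL, look in the error log for resolver or verification messages rather than at the default server.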