OCSP stapling broken with 1.15.4

A. Schulze sca at andreasschulze.de
Mon Oct 1 13:04:57 UTC 2018


Bernardo Donadio:

> Hi.
>
> I've noticed that OCSP stapling was broken by 1.15.4, as you may see below:
>
> ---------- nginx 1.15.4 with OpenSSL 1.1.1 final --------
> $ openssl s_client -connect bcdonadio.com:443 -tlsextdebug -status
> CONNECTED(00000003)
> TLS server extension "renegotiation info" (id=65281), len=1
> 0000 - 00                                                .
> TLS server extension "EC point formats" (id=11), len=4
> 0000 - 03 00 01 02                                       ....
> TLS server extension "session ticket" (id=35), len=0
> TLS server extension "extended master secret" (id=23), len=0
> depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
> verify return:1
> depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
> verify return:1
> depth=0 CN = bcdonadio.com
> verify return:1
> OCSP response: no response sent


works here:


$ openssl11 version
OpenSSL 1.1.1  11 Sep 2018

$ echo | openssl11 s_client -connect andreasschulze.de:443 \
    -servername andreasschulze.de -tlsextdebug -status 2>&1 | grep -i ocsp
OCSP response:
OCSP Response Data:
     OCSP Response Status: successful (0x0)
     Response Type: Basic OCSP Response


(webserver) # nginx -V
nginx version: nginx/1.15.4
built with OpenSSL 1.1.1  11 Sep 2018
TLS SNI support enabled
configure arguments: --prefix=/usr ...

Worth mentioning: I'm using the configuration option "ssl_stapling_file".

If you don't use ssl_stapling_file, the first TLS session after an nginx
restart will not contain OCSP data.
Did you try to measure twice?



Andreas
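The two points Andreas makes (measure more than once, or pre-load the response with ssl_stapling_file) as an added shell example; this is not code from the thread or from nginx. The helper names, the host argument and the certificate paths are placeholders chosen for illustration; the probe needs network access, so it only runs when a host is passed on the command line.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list thread.
# 1) stapled_status: classify "openssl s_client -status" output.
# 2) probe_stapling: connect twice, because without ssl_stapling_file nginx
#    fetches the OCSP response lazily and the first handshake after a
#    restart carries no staple.
# 3) fetch_staple: build the DER file that the ssl_stapling_file directive
#    expects, using "openssl ocsp".
# Function names, hostnames and paths are placeholders chosen for this example.

# Read s_client output on stdin and print one word:
#   stapled    a successful OCSP response was stapled
#   unstapled  the server sent no OCSP response (as in the report above)
#   unknown    neither marker seen (handshake failure, wrong host, ...)
stapled_status() {
    out=$(cat)
    case "$out" in
        *"OCSP Response Status: successful"*) echo stapled ;;
        *"OCSP response: no response sent"*)  echo unstapled ;;
        *)                                    echo unknown ;;
    esac
}

# Probe a server twice. SNI is sent explicitly, since nginx selects the
# server block (and therefore the certificate and staple) by server name.
probe_stapling() {
    host=$1
    port=${2:-443}
    for attempt in 1 2; do
        status=$(echo | openssl s_client -connect "$host:$port" \
                     -servername "$host" -status 2>&1 | stapled_status)
        echo "attempt $attempt: $status"
    done
}

# Fetch the OCSP response for a leaf certificate from the responder named in
# its AIA extension and write it in DER form, which is what nginx reads from
# ssl_stapling_file. The response is verified against a CA bundle so a bogus
# responder cannot hand us a staple we would then serve to every client.
#   $1 leaf cert (PEM)  $2 issuer cert (PEM)  $3 CA bundle (PEM)  $4 output
fetch_staple() {
    cert=$1; issuer=$2; cabundle=$3; out=$4
    uri=$(openssl x509 -in "$cert" -noout -ocsp_uri)
    [ -n "$uri" ] || { echo "no OCSP responder URI in $cert" >&2; return 1; }
    openssl ocsp -issuer "$issuer" -cert "$cert" -url "$uri" \
        -CAfile "$cabundle" -respout "$out" >/dev/null 2>&1 || return 1
    # matching nginx config (placeholder path):
    #   ssl_stapling on;
    #   ssl_stapling_file /etc/nginx/ocsp/example.com.der;
    echo "wrote $out from $uri"
}

# Usage: ./ocsp-check.sh example.com [port]
if [ -n "${1:-}" ]; then
    probe_stapling "$1" "${2:-443}"
fi
```

A staple written with fetch_staple has a limited validity window (the "Next Update" field of the response), so the file has to be refreshed from cron and nginx reloaded afterwards; otherwise clients will eventually receive an expired response, which is worse than none.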



