OCSP stapling broken with 1.15.4
A. Schulze
sca at andreasschulze.de
Mon Oct 1 13:04:57 UTC 2018
Bernardo Donadio:
> Hi.
>
> I've noticed that OCSP stapling was broken by 1.15.4, as you may see below:
>
> ---------- nginx 1.15.4 with OpenSSL 1.1.1 final --------
> $ openssl s_client -connect bcdonadio.com:443 -tlsextdebug -status
> CONNECTED(00000003)
> TLS server extension "renegotiation info" (id=65281), len=1
> 0000 - 00 .
> TLS server extension "EC point formats" (id=11), len=4
> 0000 - 03 00 01 02 ....
> TLS server extension "session ticket" (id=35), len=0
> TLS server extension "extended master secret" (id=23), len=0
> depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
> verify return:1
> depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
> verify return:1
> depth=0 CN = bcdonadio.com
> verify return:1
> OCSP response: no response sent
works here:
$ openssl11 version
OpenSSL 1.1.1 11 Sep 2018
$ echo | openssl11 s_client -connect andreasschulze.de:443 -servername andreasschulze.de -tlsextdebug -status 2>&1 | grep -i ocsp
OCSP response:
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
(webserver) # nginx -V
nginx version: nginx/1.15.4
built with OpenSSL 1.1.1 11 Sep 2018
TLS SNI support enabled
configure arguments: --prefix=/usr ...
Worth mentioning: I'm using the configuration option "ssl_stapling_file".
If you don't use ssl_stapling_file, after an nginx restart the first
TLS session will not contain OCSP data.
Did you try to measure twice?
Andreas
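A small helper for the "measure twice" advice above, added here as an example and not part of the thread: it classifies `openssl s_client -status` output using the two lines quoted in this thread ("OCSP response: no response sent" versus "OCSP Response Status: successful") and probes a host several times, since an nginx without ssl_stapling_file fetches the OCSP response lazily and the first handshake after a restart carries no staple. The host name, attempt count and sample outputs are constructed for illustration.

```shell
# Classify captured `openssl s_client -status` output.
# Prints "stapled", "missing" or "unknown" (strings taken from the thread).
classify_ocsp_output() {
    if printf '%s\n' "$1" | grep -q 'OCSP Response Status: successful'; then
        echo stapled
    elif printf '%s\n' "$1" | grep -q 'OCSP response: no response sent'; then
        echo missing
    else
        echo unknown
    fi
}

# Open one TLS connection to $1:443 (SNI name $2, defaults to $1) and classify it.
probe_stapling() {
    host=$1
    sni=${2:-$1}
    out=$(echo | openssl s_client -connect "$host:443" -servername "$sni" -status 2>&1)
    classify_ocsp_output "$out"
}

# Probe $1 up to $2 times (default 3), one second apart, printing each result.
# Returns 0 if any attempt saw a staple: a "missing" followed by "stapled" is the
# lazy-fetch pattern described in the thread, "missing" every time is a real problem.
check_stapling_repeatedly() {
    host=$1
    attempts=${2:-3}
    i=1
    ok=1
    while [ "$i" -le "$attempts" ]; do
        result=$(probe_stapling "$host")
        echo "attempt $i: $result"
        [ "$result" = stapled ] && ok=0
        i=$((i + 1))
        sleep 1
    done
    return $ok
}

# Constructed sample outputs mirroring the thread (not captured from a live host).
SAMPLE_MISSING='depth=0 CN = example.test
verify return:1
OCSP response: no response sent'
SAMPLE_STAPLED='OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response'

# Usage: sh check_stapling.sh example.test [attempts]
if [ -n "${1:-}" ]; then
    check_stapling_repeatedly "$1" "${2:-3}"
fi
```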