OCSP stapling broken with 1.15.4

Bernardo Donadio bcdonadio at bcdonadio.com
Mon Oct 1 13:43:12 UTC 2018


On 10/1/18 10:04 AM, A. Schulze wrote:
> Did you try to measure twice?

Indeed, with further tests I think that the stapling is working...
sometimes.

I've restored the 1.15.4 package and have been making some requests.
Some of them are correctly stapled, others are not. There's no restart
between tests.

I'm not using the staple file, though. Is this behavior expected
without such configuration? Also, I've enabled ssl_early_data.

[bcdonadio at RJ_DVP0100 ~]$ date; openssl s_client -connect bcdonadio.com:443 -tlsextdebug -status 2>/dev/null | grep -i ocsp
Mon Oct  1 10:24:07 -03 2018
OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
^C
[bcdonadio at RJ_DVP0100 ~]$ date; openssl s_client -connect bcdonadio.com:443 -tlsextdebug -status 2>/dev/null | grep -i ocsp
Mon Oct  1 10:27:02 -03 2018
OCSP response: no response sent
^C
[bcdonadio at RJ_DVP0100 ~]$ date; openssl s_client -connect bcdonadio.com:443 -tlsextdebug -status 2>/dev/null | grep -i ocsp
Mon Oct  1 10:39:18 -03 2018
OCSP response: no response sent
^C
[bcdonadio at RJ_DVP0100 ~]$ date; openssl s_client -connect bcdonadio.com:443 -tlsextdebug -status 2>/dev/null | grep -i ocsp
Mon Oct  1 10:39:27 -03 2018
OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
^C

-- 
Bernardo Donadio
IT Automation Engineer at Stone Payments
https://bcdonadio.com/