stable | mainline - encoding error ssl_stapling_file

Maxim Dounin mdounin at mdounin.ru
Mon Jan 7 01:53:10 UTC 2019


Hello!

On Fri, Jan 04, 2019 at 05:57:56AM +0100, ѽ҉ḳ℠ wrote:

>    On 04.01.2019 05:35, Maxim Dounin wrote:
> 
>      The "ssl_stapling_file" directive needs an OCSP response obtained
> from your certificate authority, not a certificate.  As you are
> trying to put a certificate instead, parsing expectedly fails.
> 
>    Thanks for the explanation which was not clear to me from the online
>    documentation.

The documentation is pretty clear - it says you need an OCSP 
response, and it references the appropriate openssl subcommand to 
generate one (http://nginx.org/r/ssl_stapling_file):

: When set, the stapled OCSP response will be taken from the specified file
: instead of querying the OCSP responder specified in the server certificate.
:
: The file should be in the DER format as produced by the “openssl ocsp”
: command.

>    So basically nginx does not work as an OCSP responder
>    for domains with self-signed certificates unless the domain deploys its
>    own responder. Too bad as I had hoped that the "ssl_stapling_file"
>    directive would be able to process an OCSP certificate rather than a
>    response from a responder.

Using OCSP (or any other revocation checking mechanism) with 
self-signed certificates simply does not make sense: as long as 
the certificate is compromised, everything signed by this 
certificate is compromised too, including any possible OCSP 
responses. 

OCSP stapling might make sense if you are instead running an 
internal CA and use certificates signed by this CA, but the CA 
does not have an OCSP responder configured.  In this case, you can 
produce an OCSP response using the "openssl ocsp" command.  Please 
refer to its manual page ("man ocsp") for details.

-- 
Maxim Dounin
http://mdounin.ru/
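The internal-CA case described in the reply above, worked through end to end as an added example (this script is not part of the thread and not nginx project code): it creates a throw-away CA and server certificate, has the CA sign a DER-encoded OCSP response with "openssl ocsp", and then checks that response the way a client would before it is handed to "ssl_stapling_file". Every name, directory, serial and date in it is constructed for the demonstration; the nginx path in the closing comment is assumed.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the nginx project:
# build a throw-away internal CA, issue a server certificate, and have the
# CA sign a DER-encoded OCSP response with "openssl ocsp", which is the
# kind of file nginx's "ssl_stapling_file" expects. All names and values
# below are constructed for the demonstration.
set -eu

# Create the CA, the server certificate and the stapling file inside "$1".
# Runs in a subshell so the cd does not leak into the caller.
build_ocsp_response() (
    dir=$1
    mkdir -p "$dir" && cd "$dir"

    # 1. Self-signed internal root CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
        -subj "/CN=Example Internal CA" \
        -keyout ca.key -out ca.crt >/dev/null 2>&1

    # 2. Server certificate issued by that CA (the one nginx would serve).
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout server.key -out server.csr >/dev/null 2>&1
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
        -set_serial 0x1001 -days 30 -sha256 -out server.crt >/dev/null 2>&1

    # 3. CA database in "openssl ca" index format, which "openssl ocsp"
    #    consults to decide good/revoked/unknown. A real internal CA keeps
    #    this file up to date itself; here one "V" (valid) entry is written
    #    by hand: status, expiry, revocation date (empty), serial, file, DN.
    serial=$(openssl x509 -in server.crt -noout -serial | cut -d= -f2)
    printf 'V\t391231235959Z\t\t%s\tunknown\t/CN=www.example.test\n' "$serial" \
        > index.txt

    # 4. Sign the OCSP response with the CA key (a dedicated OCSP-signing
    #    certificate could be passed via -rsigner/-rkey instead). The result
    #    is DER, carries a nextUpdate 7 days out, and lands in stapled.der.
    openssl ocsp -index index.txt -CA ca.crt -rsigner ca.crt -rkey ca.key \
        -issuer ca.crt -cert server.crt -no_nonce -ndays 7 \
        -respout stapled.der >/dev/null 2>&1
    [ -s stapled.der ]
)

# Check a stapling file the way a client would: the response must verify
# against the CA and report "good" for the server certificate. Returns 0
# on success, non-zero otherwise.
verify_stapling_file() (
    cd "$1"
    out=$(openssl ocsp -respin stapled.der -issuer ca.crt -cert server.crt \
        -CAfile ca.crt -no_nonce 2>&1)
    printf '%s\n' "$out" | grep -q 'Response verify OK' &&
        printf '%s\n' "$out" | grep -q '^server.crt: good'
)

# Once stapled.der verifies, nginx would point at it with
#   ssl_stapling on;
#   ssl_stapling_file /etc/nginx/ocsp/stapled.der;   # assumed path
# The file has to be regenerated before its nextUpdate passes, or clients
# will treat the stapled response as stale.
if [ "${1:-}" = "demo" ]; then
    build_ocsp_response ./ocsp-demo
    verify_stapling_file ./ocsp-demo && echo "stapled.der verified"
fi
```

Run it as `sh stapling-demo.sh demo` to build everything under ./ocsp-demo; the two functions are kept separate so that the verification step can be reused on its own against a stapling file produced elsewhere.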

