OCSP checks fail only on 1st site hit; OK afterwards ?

PGNet Dev pgnet.dev at gmail.com
Wed Nov 9 21:34:19 UTC 2022


an old, 2015 post from Caddy Webserver's author,

	OCSP Stapling Robustness in Apache and nginx
	 https://gist.github.com/mholt/3b4910c802b2ed7e92294e26a1ae8551

comments,

	"...
	nginx's logic is a lot more robust than Apache's in this regard. Good OCSP responses are cached for an hour, but are not replaced until a successful new response has been received, meaning nginx can weather temporary OCSP responder outages. Unfortunately, nginx's logic is drastically worse in a different way: nginx kicks off OCSP queries on-demand, during the TLS handshake, but continues the handshake without waiting for the OCSP response to return. And since the OCSP response caches are unique per worker process, the first TLS connection handled by any given worker process never has a response stapled! (By the way, this makes testing whether you've properly enabled OCSP stapling rather annoying and confusing if you don't know about this.) This behavior also means that if a worker process sites idle for a long time, it doesn't refresh its OCSP responses and could staple an expired OCSP response on the next request it handles. [Update: the expired response issue is fixed in nginx 1.9.2. Now, if the cached OCSP response is expired, no response at all is stapled. A query to the OCSP responder is still initiated in the background, so subsequent handshakes should have a fresh stapled response.]
	..."

that suggests an 'updated' (back then, as of v >= 1.9.2) behavior of no OCSP response on 1st try, but a background-queried-and-cached ok response subsequently.

which, sounds like what i'm seeing.


> i run nginx/1.23.2 on linux
> 
> after a clear reboot, on first access to my site front page, I see in log
> 
>      ==> /var/log/nginx/example.com.443.error.log <==
>      2022/11/09 12:38:15 [info] 1460#1460: *2 SSL_do_handshake() failed (SSL: error:0A000412:SSL routines::sslv3 alert bad certificate:SSL alert number 42) while SSL handshaking, client: 2601:...:xxx1, server: [2600:...:xxx6]:443
> 
> if I immediately just reload the page in browser, no more problem; the page renders ok, SSL check out, all site nav is fine
> 
> subsequent hits to the front page are also OK
...

is that (still?) the current mode of operation in nginx's ocsp logic ?




More information about the nginx mailing list