Opened 2 years ago

Closed 2 years ago

#1413 closed defect (invalid)

OCSP no response sent

Reported by: richee.riches@… Owned by:
Priority: major Milestone: 1.13
Component: nginx-core Version:
Keywords: OCSP TLS Cc:
uname -a: Linux 2.6.32-696.13.2.el6.x86_64 #1 SMP Thu Oct 5 21:22:16 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.13.6 built by gcc 4.4.7 20120313 (Red Hat 4.4.7-18) (GCC) built with OpenSSL 1.1.0f 25 May 2017 TLS SNI support enabled configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-openssl=openssl-1.1.0f --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'

Description

EN:
The start boot system, or reload/restart nginx not on first time received a OCSP response.
Also absent anyone warnings or errors in logs files and Nginx Amplify.

RU:
При старте системы, или рестарте сервиса nginx не с первого раза подтягивает OCSP response.
Также отсутствуют какие-либо предупреждения или ошибки в логах и Nginx Amplify.

[root@server ~]# openssl s_client -servername domain.tld -connect domain.tld:443 -status 2> /dev/null | grep -A 17 'OCSP response:'
OCSP response: no response sent
---
Certificate chain

0 s:/CN=domain.tld

i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

i:/O=Digital Signature Trust Co./CN=DST Root CA X3

---
Server certificate


XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

[root@server ~]# openssl s_client -servername domain.tld -connect domain.tld:443 -status 2> /dev/null | grep -A 17 'OCSP response:'
OCSP response:
======================================
OCSP Response Data:

OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
Produced At: Oct 29 04:11:00 2017 GMT
Responses:
Certificate ID:

Hash Algorithm: sha1
Issuer Name Hash: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Issuer Key Hash: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Serial Number: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Cert Status: good
This Update: Oct 29 04:00:00 2017 GMT
Next Update: Nov 5 04:00:00 2017 GMT

Change History (1)

comment:1 Changed 2 years ago by mdounin

  • Resolution set to invalid
  • Status changed from new to closed

This is expected behaviour. OCSP stapling is an optimization, and nginx starts loading an OCSP response once it receives the first handshake asking for it. Until the response is received from the OCSP responder, handshakes will have no OCSP response stapled.

See also ticket #812, which is a feature request about preloading OCSP responses on startup.

Note: See TracTickets for help on using tickets.