Opened 5 years ago

Last modified 3 years ago

#1675 new enhancement

OCSP stapling not working in stream area

Reported by: Tributh@… Owned by:
Priority: minor Milestone:
Component: other Version: 1.15.x
Keywords: Cc:
uname -a: Linux host 4.18.0-2-amd64 #1 SMP Debian 4.18.10-2 (2018-11-02) x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.15.6
built by gcc 8.2.0 (Debian 8.2.0-9)
built with OpenSSL 1.1.1a-dev xx XXX xxxx
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_perl_module=dynamic --with-threads --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-http_slice_module --with-mail --with-mail_ssl_module --with-file-aio --with-http_v2_module --with-cc-opt='-DTCP_FASTOPEN=23 -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -DNGX_LUA_USE_ASSERT -DNGX_LUA_ABORT_AT_PANIC' --with-ld-opt='-Wl,-z,relro -Wl,--as-needed' --add-module=ngx_brotli --with-openssl=../OpenSSL_1_1_1-stable --with-openssl-opt=enable-tls1_3 --with-debug --add-module=ngx_devel_kit --add-module=set-misc-nginx-module --add-module=ngx_http_auth_pam_module --add-module=lua-nginx-module

Description

I have set up a mail proxy and wanted to use OCSP stapling for the public certificates, but it is not working.
Whatever I tried, I just get the following error:
nginx: [emerg] "ssl_stapling_file" directive is not allowed here

# Reporter's stream-level mail proxy: a single SNI-routing front server on
# port 443 hands connections (via PROXY protocol) to three local TLS-terminating
# servers, one each for SMTP, IMAP and POP3, which then re-encrypt to the
# real mail backends on 192.168.0.99.
stream {

# 'basic' log format; the directive is one statement whose quoted pieces are
# spread over the next lines (blank line and all) and joined by nginx.
log_format basic '$remote_addr [$time_local] '

'$protocol $status $bytes_sent $bytes_received '
'$session_time $ssl_cipher' ;

access_log /var/log/nginx/stream.log basic buffer=32k;


# Route on the SNI name read from the ClientHello: any name containing
# "smtp", "imap" or "pop3" goes to the matching local server; everything
# else (including connections without SNI) falls through to the IMAP one.
map $ssl_preread_server_name $ssl_multiplexer {

~smtp 127.0.0.1:8040;
~imap 127.0.0.1:8042;
~pop3 127.0.0.1:8043;
default 127.0.0.1:8042;

}
# Front server: no "ssl" on the listen, so TLS is not terminated here;
# ssl_preread only peeks at the ClientHello to fill $ssl_preread_server_name.
# The client address survives the hop because proxy_protocol is enabled.
server {

listen 192.168.0.99:443;
ssl_preread on;
proxy_pass $ssl_multiplexer;
proxy_protocol on;

}
# SMTP terminator. Expects the PROXY protocol header from the front server.
# Note: none of these three servers contains the ssl_stapling_file directive
# the ticket's error message refers to; stapling is absent, not misplaced.
server {

listen 127.0.0.1:8040 ssl proxy_protocol;
ssl_certificate smtp.chain.pem;
ssl_certificate_key smtp.privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
# NOTE(review): the "TLS-…" entries use a hyphenated spelling; with the
# OpenSSL build shown in nginx -V, TLS 1.3 suites are not selected through
# ssl_ciphers and unrecognised names are dropped from the list — confirm the
# effective cipher list matches what was intended.
ssl_ciphers TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;
# All three terminators name the same shared cache, so sessions are shared.
ssl_session_cache shared:Stream:10m;
ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
# Upstream leg is re-encrypted and sends SNI (proxy_ssl_name) to the backend.
# NOTE(review): no proxy_ssl_verify directive is present in any of the three
# servers; nginx defaults it to off, so the backend certificate is presumably
# not validated on this hop — confirm this is intended.
proxy_ssl on;
proxy_pass 192.168.0.99:465;
proxy_ssl_name smtp.example.com;
proxy_ssl_server_name on;
proxy_ssl_protocols TLSv1.3;

}
# IMAP terminator: identical to the SMTP one apart from certificate, port
# and upstream name (also the default target of the SNI map above).
server {

listen 127.0.0.1:8042 ssl proxy_protocol;
ssl_certificate imap.chain.pem;
ssl_certificate_key imap.privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:Stream:10m;
ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
proxy_ssl on;
proxy_pass 192.168.0.99:993;
proxy_ssl_name imap.example.com;
proxy_ssl_server_name on;
proxy_ssl_protocols TLSv1.3;

}
# POP3 terminator: same shape as the other two. ssl_protocols lists the
# versions in a different order here; the directive is a set, so this is
# only a cosmetic inconsistency.
server {

listen 127.0.0.1:8043 ssl proxy_protocol;
ssl_certificate pop3.chain.pem;
ssl_certificate_key pop3.privkey.pem;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_ciphers TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:Stream:10m;
ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
proxy_ssl on;
proxy_pass 192.168.0.99:995;
proxy_ssl_name pop3.example.com;
proxy_ssl_server_name on;
proxy_ssl_protocols TLSv1.3;

}

}

How can I enable OCSP stapling for these stream servers?
I wanted to use OCSP Must-Staple certificates, which currently do not work.

Change History (1)

comment:1 by kayrus@…, 3 years ago

Did anyone have a chance to take a look at this issue?
