id summary reporter owner description type status priority milestone component version resolution keywords cc uname nginx_version 1675 OCSP stapling not working in stream area Tributh@… "I have set up a mail-proxy setup and wanted to use OCSP stapling for the public certificates, which is not working. Whatever I tried, I just get the following error: nginx: [emerg] ""ssl_stapling_file"" directive is not allowed here stream { log_format basic '$remote_addr [$time_local] ' '$protocol $status $bytes_sent $bytes_received ' '$session_time $ssl_cipher' ; access_log /var/log/nginx/stream.log basic buffer=32k; map $ssl_preread_server_name $ssl_multiplexer { ~smtp 127.0.0.1:8040; ~imap 127.0.0.1:8042; ~pop3 127.0.0.1:8043; default 127.0.0.1:8042; } server { listen 192.168.0.99:443; ssl_preread on; proxy_pass $ssl_multiplexer; proxy_protocol on; } server { listen 127.0.0.1:8040 ssl proxy_protocol; ssl_certificate smtp.chain.pem; ssl_certificate_key smtp.privkey.pem; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384; ssl_prefer_server_ciphers on; ssl_session_cache shared:Stream:10m; ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt; proxy_ssl on; proxy_pass 192.168.0.99:465; proxy_ssl_name smtp.example.com; proxy_ssl_server_name on; proxy_ssl_protocols TLSv1.3; } server { listen 127.0.0.1:8042 ssl proxy_protocol; ssl_certificate imap.chain.pem; ssl_certificate_key imap.privkey.pem; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384; ssl_prefer_server_ciphers on; ssl_session_cache shared:Stream:10m; ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt; proxy_ssl on; proxy_pass 192.168.0.99:993; proxy_ssl_name imap.example.com; proxy_ssl_server_name on; proxy_ssl_protocols TLSv1.3; } server { listen 
127.0.0.1:8043 ssl proxy_protocol; ssl_certificate pop3.chain.pem; ssl_certificate_key pop3.privkey.pem; ssl_protocols TLSv1.3 TLSv1.2; ssl_ciphers TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384; ssl_prefer_server_ciphers on; ssl_session_cache shared:Stream:10m; ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt; proxy_ssl on; proxy_pass 192.168.0.99:995; proxy_ssl_name pop3.example.com; proxy_ssl_server_name on; proxy_ssl_protocols TLSv1.3; } } How can I enable OCSP stapling for these stream servers? I wanted to use OCSP Must-Staple certificates, which are currently not working. " enhancement new minor other 1.15.x "Linux host 4.18.0-2-amd64 #1 SMP Debian 4.18.10-2 (2018-11-02) x86_64 GNU/Linux " "nginx version: nginx/1.15.6 built by gcc 8.2.0 (Debian 8.2.0-9) built with OpenSSL 1.1.1a-dev xx XXX xxxx TLS SNI support enabled configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_perl_module=dynamic 
--with-threads --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-http_slice_module --with-mail --with-mail_ssl_module --with-file-aio --with-http_v2_module --with-cc-opt='-DTCP_FASTOPEN=23 -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -DNGX_LUA_USE_ASSERT -DNGX_LUA_ABORT_AT_PANIC' --with-ld-opt='-Wl,-z,relro -Wl,--as-needed' --add-module=ngx_brotli --with-openssl=../OpenSSL_1_1_1-stable --with-openssl-opt=enable-tls1_3 --with-debug --add-module=ngx_devel_kit --add-module=set-misc-nginx-module --add-module=ngx_http_auth_pam_module --add-module=lua-nginx-module "