id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
1867	Cached TLS 1.2+ECDSA OCSP must staple validation is not used to serve TLS1.3+ECDSA OCSP request (for the same EC certificate)	Дилян Палаузов		"I have Nginx 1.16.1 serving both TLS 1.3 and TLS 1.2 and offering RSA and EC certificates, running at https://anciens.org .  The certificates are from Let's Encrypt and have OCSP MUST STAPLE.

Let's Encrypt does not issue a single OCSP validation for two certificates (an RSA and an EC certificate).  Nginx does accept two ssl_certificate directives per server (one for RSA and one for EC), but does not accept two ssl_stapling_file.

So in order to serve the clients, right after starting Nginx I obtain from it for TLS1.2 the RSA certificate and ask for the OCSP validation.  Then I obtain from Nginx for TLS1.3 the EC certificate and ask for the OCSP validation.  After Nginx has the OCSP validations, I expect from it, when serving TLS 1.3 over EC, to deliver these validations.  But it does not.

So I have, after starting Nginx, to call all of:

echo Q|/usr/local/bin/openssl s_client -status -tls1_2 -cipher aRSA   -connect anciens.org:443 &> /dev/null 
echo Q|/usr/local/bin/openssl s_client -status -tls1_2 -cipher aECDSA -connect anciens.org:443 &> /dev/null
echo Q|/usr/local/bin/openssl s_client -status -tls1_3                -connect anciens.org:443 &> /dev/null

The output of OCSP Response Data:Serial Number differs only for TLS 1.2 with RSA.

The problem report is that once Nginx has cached OCSP validation for TLS 1.2+ECDSA, when serving TLS1.3+ECDSA it does not use the obtained validation, but fails, until it fetches a new one."	defect	closed	minor		other	1.16.x	invalid			Linux 4.14.120 #1 SMP Fri May 17 14:20:14 UTC 2019 x86_64 GNU/Linux	"nginx version: nginx/1.16.1
built by gcc 9.2.1 20190917 (GCC) 
built with OpenSSL 1.1.1d  10 Sep 2019
TLS SNI support enabled
configure arguments: --pid-path=/var/run/nginx.pid --conf-path=/etc/nginx/core.conf --error-log-path=/var/log/nginx/nginx.log --without-poll_module --without-select_module --with-file-aio --with-http_ssl_module --with-http_addition_module --with-http_xslt_module --with-http_image_filter_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gzip_static_module --with-http_random_index_module --with-http_degradation_module --with-http_stub_status_module --http-log-path=/var/log/nginx --with-pcre --with-pcre-jit --without-http_ssi_module --without-http_scgi_module --without-http_upstream_ip_hash_module --without-http_split_clients_module --without-http_empty_gif_module
 --with-http_v2_module --add-module=../ngx_http_substitutions_filter_module --add-module=/git/nginx-dav-ext-module/ --with-cc-opt='-flto -pipe -O3' --with-ld-opt='-flto=6 -Wl,-s,-O1'"
