Opened 4 years ago
Closed 4 years ago
#1998 closed defect (duplicate)
SSL Stapling not preloading OCSP answer
Reported by: | | Owned by: |
---|---|---|---
Priority: | minor | Milestone: |
Component: | nginx-module | Version: | 1.14.x
Keywords: | ssl, stapling | Cc: | Zocker1999NET@…
uname -a: Linux nvak 4.19.0-5-amd64 #1 SMP Debian 4.19.37-5+deb10u1 (2019-07-19) x86_64 GNU/Linux
nginx -V:
nginx version: nginx/1.14.2
built with OpenSSL 1.1.1c 28 May 2019 (running with OpenSSL 1.1.1d 10 Sep 2019)
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-tBUzFN/nginx-1.14.2=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-stream_ssl_preread_module --with-mail=dynamic --with-mail_ssl_module --add-dynamic-module=/build/nginx-tBUzFN/nginx-1.14.2/debian/modules/http-auth-pam --add-dynamic-module=/build/nginx-tBUzFN/nginx-1.14.2/debian/modules/http-dav-ext --add-dynamic-module=/build/nginx-tBUzFN/nginx-1.14.2/debian/modules/http-echo --add-dynamic-module=/build/nginx-tBUzFN/nginx-1.14.2/debian/modules/http-upstream-fair --add-dynamic-module=/build/nginx-tBUzFN/nginx-1.14.2/debian/modules/http-subs-filter
Description
I use certificates from Let's Encrypt with OCSP MUST STAPLE enabled. "ssl_stapling on;" is enabled globally and specifically in all server blocks with additional configuration. However, after a restart of nginx, nginx fails to serve the OCSP data on the first request because it is not preloaded. This happens to all server blocks separately, meaning that to ensure no user of my web services gets an error for being the first visitor, I need to call each virtual server manually.

I used Mozilla Firefox to test this issue, and it aborts the request if the OCSP data is missing when one is the first visitor of the website. Chrome seems to ignore the flag.
OCSP stapling neither implies nor requires that a stapled OCSP response is always available. OCSP "must staple", however, is a completely different thing, and getting OCSP "must staple" to work with nginx might be tricky: you have to either ensure that OCSP responses are preloaded somehow, or use "ssl_stapling_file" and provide the responses yourself. Avoid using the OCSP "must staple" flag in certificates unless you are going to deal with this.

Closing this as a duplicate of #812, which is about improving compatibility with "must staple" without using ssl_stapling_file.
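A worked example of the second route the reply describes, fetching the OCSP response yourself and publishing it through ssl_stapling_file so that it is already present on the very first handshake after a restart. This is an added example, not code from the ticket, the reporter or the nginx project. It assumes certbot's directory layout (cert.pem and chain.pem under /etc/letsencrypt/live/<name>), an output path under /etc/nginx/ocsp/ that a matching ssl_stapling_file directive points at, that chain.pem is acceptable as the trust anchor for the responder's signature, and that the openssl binary on the host is the same 1.1.x line nginx was built against. The function names needs_refresh, ocsp_uri, refresh_ocsp and check_staple are the example's own.

```shell
#!/bin/sh
# Added example (not from the nginx ticket or the nginx project): fetch an OCSP
# response ahead of time and publish it via ssl_stapling_file, so the first TLS
# handshake after a restart already carries a staple. Paths below are assumptions
# following certbot's layout; override them via the environment.
set -e

CERT_DIR="${CERT_DIR:-/etc/letsencrypt/live/example.com}"   # assumption
OUT="${OUT:-/etc/nginx/ocsp/example.com.der}"               # assumption
MAX_AGE_MIN="${MAX_AGE_MIN:-720}"                            # refresh twice a day

# True (exit 0) when the staple file is missing, empty, or older than $2 minutes.
# With ssl_stapling_file nginx serves this file as-is and never contacts the
# responder itself, so this check is what keeps the staple from going stale.
needs_refresh() {
    file="$1"; max_min="$2"
    [ ! -s "$file" ] && return 0
    [ -n "$(find "$file" -mmin "+$max_min" 2>/dev/null)" ]
}

# Responder URL from the leaf certificate's Authority Information Access extension.
ocsp_uri() {
    openssl x509 -in "$1" -noout -ocsp_uri
}

# Fetch and verify a fresh response; replace the published file only on success,
# writing to a temp file and mv-ing it so nginx never reads a half-written staple.
refresh_ocsp() {
    cert="$CERT_DIR/cert.pem"
    chain="$CERT_DIR/chain.pem"
    uri="$(ocsp_uri "$cert")"
    tmp="$OUT.tmp.$$"
    # -no_nonce: nginx itself does not send nonces and Let's Encrypt responders do
    # not echo them; -CAfile lets openssl verify the responder's signature and
    # -respout writes the DER form that ssl_stapling_file expects.
    if summary="$(openssl ocsp -issuer "$chain" -cert "$cert" -url "$uri" -no_nonce \
                  -CAfile "$chain" -respout "$tmp" 2>&1)" \
       && printf '%s\n' "$summary" | grep -q 'Response verify OK' \
       && printf '%s\n' "$summary" | grep -q ': good'; then
        mv "$tmp" "$OUT"
        nginx -s reload          # workers re-read ssl_stapling_file on reload
    else
        rm -f "$tmp"
        echo "OCSP refresh failed for $cert; keeping the previous staple" >&2
        return 1
    fi
}

# What a first-time visitor sees: the stapled status on a brand-new handshake.
# Prints either "OCSP response: no response sent" or the response status line.
check_staple() {
    host="$1"
    openssl s_client -connect "$host:443" -servername "$host" -status \
        </dev/null 2>/dev/null | grep -E 'OCSP [Rr]esponse' | head -n 3
}

case "${1:-}" in
    refresh) needs_refresh "$OUT" "$MAX_AGE_MIN" && refresh_ocsp ;;
    check)   check_staple "$2" ;;
esac
```

Point each server block at its own file (ssl_stapling on; ssl_stapling_file /etc/nginx/ocsp/example.com.der;), run "refresh" from cron well inside the response's validity window (openssl ocsp -respin FILE -text -noverify shows nextUpdate), and use "check" against every virtual host after a restart, which is the same observation Firefox makes when it refuses a must-staple certificate served without a staple. Because the ticket notes each server block needs its own response, the script is run once per certificate with CERT_DIR and OUT set accordingly.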