Opened 4 months ago

Closed 4 months ago

#1998 closed defect (duplicate)

SSL Stapling not preloading OCSP answer

Reported by: Zocker1999NET@… Owned by:
Priority: minor Milestone:
Component: nginx-module Version: 1.14.x
Keywords: ssl, stapling Cc: Zocker1999NET@…
uname -a: Linux nvak 4.19.0-5-amd64 #1 SMP Debian 4.19.37-5+deb10u1 (2019-07-19) x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.14.2
built with OpenSSL 1.1.1c 28 May 2019 (running with OpenSSL 1.1.1d 10 Sep 2019)
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-tBUzFN/nginx-1.14.2=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-stream_ssl_preread_module --with-mail=dynamic --with-mail_ssl_module --add-dynamic-module=/build/nginx-tBUzFN/nginx-1.14.2/debian/modules/http-auth-pam --add-dynamic-module=/build/nginx-tBUzFN/nginx-1.14.2/debian/modules/http-dav-ext --add-dynamic-module=/build/nginx-tBUzFN/nginx-1.14.2/debian/modules/http-echo --add-dynamic-module=/build/nginx-tBUzFN/nginx-1.14.2/debian/modules/http-upstream-fair --add-dynamic-module=/build/nginx-tBUzFN/nginx-1.14.2/debian/modules/http-subs-filter

Description

I use certificates by Let's Encrypt with OCSP MUST STAPLE enabled.
ssl_stapling on; is enabled globally and specific in all server blocks with additional configuration. However after an restart of nginx, nginx fails to serve the OCSP data on the first request due to not preloading. This happens to all server blocks separately meaning to ensure no user of my web services is getting an error because of being the first visitor, I need to call each virtual server manually.

I used Mozilla Firefox to test this issue, and it aborts the request if the OCSP data is missing because of being the first visitor of the website. Chrome seems to ignore the flag.

Change History (1)

comment:1 by Maxim Dounin, 4 months ago

Resolution: duplicate
Status: newclosed

The OCSP stapling doesn't imply nor require that stapled OCSP response is always available. The OCSP "must staple", however, is a completely different thing, and getting OCSP "must staple" to work with nginx might be tricky: you have to either ensure that OCSP responses are preloaded somehow, or have to use ssl_stapling_file and provide responses yourself. Avoid using OCSP "must staple" flag in certificates unless you are going to deal with this.

Closing this as a duplicate of #812, which is about improving compatibility with "must staple" without using ssl_stapling_file.

Note: See TracTickets for help on using tickets.