Opened 9 months ago

Last modified 8 months ago

#2579 reopened defect

OCSP stapling vs. $ssl_server_name

Reported by: joachimlindenberg@…
Owned by:
Priority: major
Milestone:
Component: other
Version: 1.25.x
Keywords: OCSP $ssl_server_name
Cc:
uname -a: Linux tbd 5.15.0-91-generic #101-Ubuntu SMP Tue Nov 14 13:30:08 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.24.0
built by gcc 11.2.0 (Ubuntu 11.2.0-19ubuntu1)
built with OpenSSL 3.0.2 15 Mar 2022
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -ffile-prefix-map=/data/builder/debuild/nginx-1.24.0/debian/debuild-base/nginx-1.24.0=. -flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -flto=auto -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'

Description

Sorry if you prefer to be contacted via discord first, but I never got the invitation link there...

I was investigating why OCSP stapling doesn't work in my configuration, and doing experiments I discovered that if you use the statements

ssl_certificate /etc/letsencrypt/live/$ssl_server_name/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/$ssl_server_name/privkey.pem;

instead of the real name of the server, OCSP stapling via

ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/some.real.dom/chain.pem;

is ignored.

During my experiments I also discovered that using $ssl_server_name within ssl_trusted_certificate causes an error. As I am using "generic" configurations for a whole bunch of websites, I definitely consider that a feature.

Not sure what component this is related to, please adjust if necessary.

Change History (3)

comment:1 by Maxim Dounin, 9 months ago (in reply to: description)

Resolution: wontfix
Status: new → closed

I was investigating why OCSP stapling doesn't work in my configuration, and doing experiments I discovered that if you use the statements

ssl_certificate /etc/letsencrypt/live/$ssl_server_name/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/$ssl_server_name/privkey.pem;

instead of the real name of the server, OCSP stapling via

ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/some.real.dom/chain.pem;

is ignored.

Yes, this behaviour is expected. Since dynamically loaded certificates are only loaded for a particular connection, these do not keep and/or update OCSP response to be stapled. If you want OCSP stapling to work, consider using statically loaded certificates.

During my experiments I also discovered that using $ssl_server_name within ssl_trusted_certificate causes an error. As I am using "generic" configurations for a whole bunch of websites, I definitely consider that a feature.

The ssl_trusted_certificate directive does not support variables. Note that only some directives support variables, and if a directive supports variables, this is explicitly documented.
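Because nginx accepts this combination without any log message, the only way to catch it is to inspect the configuration. The following is an added check, not part of the ticket and not nginx's own code: it parses a config into blocks, applies the http-to-server inheritance of simple directives, and reports every server block whose effective ssl_stapling is on while ssl_certificate contains a variable. The sample config is constructed; the tokenizer strips '#' comments but does not handle quoted strings or include directives.

```python
import re
# Constructed sample config (not from the ticket): first server uses $ssl_server_name, second is static.
SAMPLE_CONF = """
http {
    ssl_stapling on;
    server {
        server_name a.example b.example;
        ssl_certificate /etc/letsencrypt/live/$ssl_server_name/fullchain.pem;
    }
    server {
        server_name static.example;
        ssl_certificate /etc/letsencrypt/live/static.example/fullchain.pem;
    }
}
"""
def parse(tokens, i=0):
    # Recursive descent: a node is (name, args, children); children is None for a simple directive.
    nodes = []
    while i < len(tokens):
        if tokens[i] == "}":
            return nodes, i + 1
        j = next(k for k in range(i + 1, len(tokens)) if tokens[k] in (";", "{"))
        name, args = tokens[i], tokens[i + 1:j]
        if tokens[j] == "{":
            children, i = parse(tokens, j + 1)
            nodes.append((name, args, children))
        else:
            nodes.append((name, args, None))
            i = j + 1
    return nodes, i
def audit(nodes, inherited=None, block="main"):
    # A block's own simple directives override the enclosing context, so ssl_stapling in http{} reaches each server{}.
    effective = dict(inherited or {})
    for name, args, children in nodes:
        if children is None:
            effective[name] = args
    findings = []
    if block == "server" and effective.get("ssl_stapling", ["off"])[0] == "on":
        if any("$" in p for p in effective.get("ssl_certificate", [])):
            findings.append((" ".join(effective.get("server_name", [])),
                             "ssl_stapling has no effect: ssl_certificate uses variables"))
    for name, args, children in nodes:
        if children is not None:
            findings.extend(audit(children, effective, name))
    return findings
def audit_config(text):
    # Strip '#' comments, then split on whitespace and the ';' '{' '}' delimiters (no quoting support).
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", text))
    return audit(parse(tokens)[0])
```

Run it over the output of `nginx -T` to see every server block whose staple will silently never be served.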

comment:2 by joachimlindenberg@…, 9 months ago

I was kind of expecting that you consider this a feature. I still want to point out that there is neither any hint in the documentation that OCSP with variables is supported nor any warning or error in the log that it is not going to work.
At least I was not expecting this not to work, or only after I figured out the cause.

comment:3 by joachimlindenberg@…, 9 months ago

Resolution: wontfix
Status: closed → reopened