Opened 9 months ago
Last modified 8 months ago
#2579 reopened defect
OCSP stapling vs. $ssl_server_name
Reported by: | | Owned by: | |
---|---|---|---|
Priority: | major | Milestone: | |
Component: | other | Version: | 1.25.x |
Keywords: | OCSP $ssl_server_name | Cc: | |

uname -a: Linux tbd 5.15.0-91-generic #101-Ubuntu SMP Tue Nov 14 13:30:08 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

nginx -V:
nginx version: nginx/1.24.0
built by gcc 11.2.0 (Ubuntu 11.2.0-19ubuntu1)
built with OpenSSL 3.0.2 15 Mar 2022
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -ffile-prefix-map=/data/builder/debuild/nginx-1.24.0/debian/debuild-base/nginx-1.24.0=. -flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -flto=auto -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'
Description
Sorry if you prefer to be contacted via discord first, but I never got the invitation link there...
I was investigating why OCSP stapling doesn't work in my configuration, and while experimenting I discovered that if you use the statements
    ssl_certificate /etc/letsencrypt/live/$ssl_server_name/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$ssl_server_name/privkey.pem;
instead of the real name of the server, OCSP stapling via
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/some.real.dom/chain.pem;
is ignored.
During my experiments I also discovered that using $ssl_server_name within ssl_trusted_certificate causes an error. As I am using "generic" configurations for a whole bunch of websites, I definitely consider that a feature.
Not sure what component this is related to, please adjust if necessary.
Change History (3)
comment:1 by , 9 months ago
Resolution: | → wontfix |
---|---|
Status: | new → closed |
comment:2 by , 9 months ago
I was kind of expecting that you would consider this a feature. I still want to point out that there is neither any hint in the documentation that OCSP with variables is supported, nor any warning or error in the log that it is not going to work.
At least I was not expecting this not to work, or only after I figured out the cause.
comment:3 by , 9 months ago
Resolution: | wontfix |
---|---|
Status: | closed → reopened |
Yes, this behaviour is expected. Since dynamically loaded certificates are only loaded for a particular connection, these do not keep and/or update an OCSP response to be stapled. If you want OCSP stapling to work, consider using statically loaded certificates.
The ssl_trusted_certificate directive does not support variables. Note that only some directives support variables, and if a directive supports variables, this is explicitly documented.
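As an added example covering both the reporter's "generic" configuration and the maintainer's answer (this is not code from the ticket or from nginx; the domain names, certificate paths, resolver address, snippet include and the sample openssl output are all constructed assumptions): a POSIX shell script that renders one server block per domain with statically loaded certificates instead of a single block using $ssl_server_name, which keeps the one-template-for-many-sites setup while letting nginx keep an OCSP response to staple, plus a small check that reads `openssl s_client -status` output to tell whether a response was actually stapled, since the error log gives no such warning.

```shell
#!/bin/sh
# Added example for this ticket; not code from the ticket or from nginx.
# Domain names, file paths and the sample openssl output are constructed.
set -u

# Emit one nginx server block for DOMAIN with statically loaded
# certificates. Static paths are loaded at startup, so nginx can keep
# and refresh an OCSP response to staple; a variable such as
# $ssl_server_name in ssl_certificate makes the certificate per-connection
# and stapling is silently skipped (comment:3 above).
# Assumes a certbot-style layout under /etc/letsencrypt/live/DOMAIN/.
render_site_conf() {
    domain="$1"
    live="/etc/letsencrypt/live/$domain"
    cat <<EOF
server {
    listen 443 ssl;
    server_name $domain;

    # Static paths: loaded once at startup, so OCSP stapling can work.
    ssl_certificate     $live/fullchain.pem;
    ssl_certificate_key $live/privkey.pem;

    ssl_stapling on;
    ssl_stapling_verify on;
    # ssl_trusted_certificate takes no variables either; static path.
    ssl_trusted_certificate $live/chain.pem;
    # A resolver is needed so nginx can fetch OCSP responses
    # (assumed address: systemd-resolved's local stub on Ubuntu).
    resolver 127.0.0.53 valid=300s;

    include /etc/nginx/snippets/common-site.conf;  # assumed shared settings
}

EOF
}

# Render a static server block for every domain given, replacing the
# single "generic" block that used $ssl_server_name.
render_all() {
    for d in "$@"; do
        render_site_conf "$d"
    done
}

# Return 0 if TEXT (output of `openssl s_client -status`) contains a
# stapled OCSP response, 1 otherwise.
ocsp_stapled() {
    printf '%s\n' "$1" | grep -q 'OCSP Response Status: successful'
}

# Live check of a host (needs network; not exercised by the samples below).
check_host() {
    host="$1"
    out=$(printf 'Q\n' | openssl s_client -connect "$host:443" \
        -servername "$host" -status 2>/dev/null)
    ocsp_stapled "$out"
}

# Constructed samples of what `openssl s_client -status` prints.
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
======================================'
SAMPLE_NOT_STAPLED='CONNECTED(00000003)
OCSP response: no response sent'

# Demo: render two sites and classify both samples.
render_all example.com example.net
if ocsp_stapled "$SAMPLE_STAPLED"; then echo "sample 1: stapled"; fi
if ocsp_stapled "$SAMPLE_NOT_STAPLED"; then echo "sample 2: stapled"; else echo "sample 2: not stapled"; fi
```

Typical use is `render_all site1 site2 ... > /etc/nginx/conf.d/sites.conf` followed by `nginx -t` and a reload, then `check_host site1` against the running server; the second sample shows what the check sees while the $ssl_server_name configuration from the description is in place.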