Opened 7 months ago
#2648 new defect
Nginx will disable ocsp stapling over all domains even if one is bogus
Reported by: | Owned by: | ||
---|---|---|---|
Priority: | major | Milestone: | |
Component: | documentation | Version: | 1.25.x |
Keywords: | Cc: | bahat.gil@… | |
uname -a: | Linux dev-redacted-gil 6.8.0-1007-azure #7-Ubuntu SMP Sat Apr 20 00:06:31 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux | ||
nginx -V: |
nginx version: nginx/1.26.1
built by gcc 13.2.0 (Ubuntu 13.2.0-23ubuntu4) built with OpenSSL 3.0.13 30 Jan 2024 TLS SNI support enabled configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-http_v3_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -ffile-prefix-map=/data/builder/debuild/nginx-1.26.1/debian/debuild-base/nginx-1.26.1=. -flto=auto -ffat-lto-objects -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -fdebug-prefix-map=/data/builder/debuild/nginx-1.26.1/debian/debuild-base/nginx-1.26.1=/usr/src/nginx-1.26.1-2~noble -fPIC' --with-ld-opt='-Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie' |
Description
Hi,
I have configured nginx for SNI-based vhosting for several known subdomains. the default certificate is not meant to be used, so it is set with a bogus, snakeoil certificate.
when starting nginx, it will complain about the snakeoil certificate being incompatible with OCSP stapling and then proceed to disable OCSP stapling for all domains, including ones with valid certificates.
Jun 09 13:38:11 dev-redacted-gil nginx[1124]: nginx: [warn] "ssl_stapling" ignored, issuer certificate not found for certificate "/etc/ssl/certs/ssl-cert-snakeoil.pem"
expected behaviour: disabling OCSP stapling should be done only for the invalid certificate
steps to reproduce:
- create an nginx configuration with sni vhosting.
- add a default_server snakeoil SSL configuration
- add a valid vhost with valid TLS certificates
- turn on OCSP stapling