Opened 6 months ago

#2648 new defect

Nginx will disable ocsp stapling over all domains even if one is bogus

Reported by: bahat.gil@… Owned by:
Priority: major Milestone:
Component: documentation Version: 1.25.x
Keywords: Cc: bahat.gil@…
uname -a: Linux dev-redacted-gil 6.8.0-1007-azure #7-Ubuntu SMP Sat Apr 20 00:06:31 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.26.1
built by gcc 13.2.0 (Ubuntu 13.2.0-23ubuntu4)
built with OpenSSL 3.0.13 30 Jan 2024
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-http_v3_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -ffile-prefix-map=/data/builder/debuild/nginx-1.26.1/debian/debuild-base/nginx-1.26.1=. -flto=auto -ffat-lto-objects -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -fdebug-prefix-map=/data/builder/debuild/nginx-1.26.1/debian/debuild-base/nginx-1.26.1=/usr/src/nginx-1.26.1-2~noble -fPIC' --with-ld-opt='-Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'

Description

Hi,

I have configured nginx for SNI-based vhosting for several known subdomains. The default certificate is not meant to be used, so it is set with a bogus, snakeoil certificate.

When starting nginx, it complains about the snakeoil certificate being incompatible with OCSP stapling and then proceeds to disable OCSP stapling for all domains, including ones with valid certificates.

Jun 09 13:38:11 dev-redacted-gil nginx[1124]: nginx: [warn] "ssl_stapling" ignored, issuer certificate not found for certificate "/etc/ssl/certs/ssl-cert-snakeoil.pem"

Expected behaviour: disabling OCSP stapling should be done only for the invalid certificate.

Steps to reproduce:

  1. Create an nginx configuration with SNI vhosting.
  2. Add a default_server snakeoil SSL configuration.
  3. Add a valid vhost with valid TLS certificates.
  4. Turn on OCSP stapling.
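The following configuration is an added reproduction of the four steps above; it is not part of the ticket. The hostname, certificate paths, resolver address and the placement of `ssl_stapling` at `http` level (the ticket does not say where it was enabled) are assumptions.

```nginx
# Added example reproducing the reporter's setup; hostnames, paths and the
# resolver are assumed, not taken from the ticket.
http {
    # Step 4: stapling enabled once for every server below.
    ssl_stapling        on;
    ssl_stapling_verify on;
    # nginx fetches OCSP responses itself, so it needs a resolver for the
    # responder hostname in the certificate's AIA extension.
    resolver 127.0.0.53 valid=300s;

    # Step 2: catch-all default server presenting the self-signed snakeoil
    # certificate. It has no issuer in the file, which is exactly what produces
    #   [warn] "ssl_stapling" ignored, issuer certificate not found for certificate "..."
    server {
        listen 443 ssl default_server;
        server_name _;
        ssl_certificate     /etc/ssl/certs/ssl-cert-snakeoil.pem;
        ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
        # Unknown SNI names get the handshake and nothing else.
        return 444;
    }

    # Step 3: a real vhost with a CA-issued certificate.
    # fullchain.pem is the leaf followed by the intermediate; that intermediate
    # is the "issuer certificate" ssl_stapling has to find to build the OCSP
    # request. chain.pem (intermediate only) is what ssl_stapling_verify checks
    # the responder's signature against.
    server {
        listen 443 ssl;
        server_name app.example.com;
        ssl_certificate         /etc/letsencrypt/live/app.example.com/fullchain.pem;
        ssl_certificate_key     /etc/letsencrypt/live/app.example.com/privkey.pem;
        ssl_trusted_certificate /etc/letsencrypt/live/app.example.com/chain.pem;
        location / { return 200 "ok\n"; }
    }
}
```

The warning on its own only tells you that stapling was skipped for the snakeoil certificate; whether the real vhost is affected has to be checked per SNI name, for example with `openssl s_client -connect 203.0.113.10:443 -servername app.example.com -status </dev/null`, where `OCSP response: no response sent` means no staple and an `OCSP Response Data:` block means stapling works. Run it at least twice: nginx loads an OCSP response lazily, so the first handshake after a (re)start normally carries no staple regardless of configuration, and only a persistent `no response sent` for `app.example.com` confirms the behaviour the ticket describes.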

Change History (0)
