Opened 7 years ago

Closed 7 years ago

#465 closed defect (worksforme)

OCSP stapling fails to query StartCom's OCSP responder in HTTP 1.1

Reported by: David Huang Owned by:
Priority: minor Milestone:
Component: nginx-module Version: 1.3.x
Keywords: ssl, stapling, ocsp Cc:
uname -a: Linux vps 2.6.32-042stab076.7 #1 SMP Thu Apr 25 13:35:47 MSK 2013 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.5.7

Description

Currently, Nginx's OCSP stapling doesn't work with StartCom's OCSP responders.

nginx.conf:

ssl_stapling on;
resolver 8.8.8.8;

After restarting the ngnix server, an error is logged.

error.log:

2013/12/07 19:49:07 [error] 15898#0: certificate status "unknown" in the OCSP response while requesting certificate status, responder: ocsp.startssl.com

However, my certificate is a valid certificate and has not been revoked. It turns out that StartCom's OCSP responders expect HTTP 1.1 requests, which OpenSSL isn't doing by default, and could be enabled by specifying the HTTP Host header. (See https://forum.startcom.org/viewtopic.php?f=15&t=2661)

OpenSSL command:

openssl ocsp -issuer sub.class1.server.ca.pem -cert ssl.crt -url http://ocsp.startssl.com/sub/class1/server/ca

Output (Bad):

Error querying OCSP responsder
140735231251296:error:27076072:OCSP routines:PARSE_HTTP_LINE1:server response error:ocsp_ht.c:250:Code=400,Reason=Bad Request

OpenSSL command with HOST header:

openssl ocsp -issuer sub.class1.server.ca.pem -cert ssl.crt -url http://ocsp.startssl.com/sub/class1/server/ca -header "HOST" "ocsp.startssl.com"

Output (Good):

WARNING: no nonce in response
Response Verify Failure
140735231251296:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:126:Verify error:unable to get local issuer certificate
ssl.crt: good
	This Update: Dec  8 18:33:05 2013 GMT
	Next Update: Dec 10 18:33:05 2013 GMT

Attachments (2)

ssl.crt (2.2 KB ) - added by David Huang 7 years ago.
Server certificate
sub.class1.server.ca.pem (2.2 KB ) - added by David Huang 7 years ago.
Issuer Certificate

Download all attachments as: .zip

Change History (6)

by David Huang, 7 years ago

Attachment: ssl.crt added

Server certificate

by David Huang, 7 years ago

Attachment: sub.class1.server.ca.pem added

Issuer Certificate

comment:1 by David Huang, 7 years ago

I'm not sure whether Nginx's OCSP query fails exactly because of the OpenSSL behavior, but it might be a thing to check.

comment:2 by Rich Midwinter, 7 years ago

I've seen the same errors.

However, with ssl_stapling_verify off; and running ssllabs against my site, it does report OCSP stapling as being enabled. If I set ssl_stapling_verify on; then it reports it as off, which makes me (perhaps naively) think it's working.

in reply to:  1 comment:3 by Maxim Dounin, 7 years ago

Replying to David Huang <linshunghuang@gmail.com>:

I'm not sure whether Nginx's OCSP query fails exactly because of the OpenSSL behavior, but it might be a thing to check.

No, OpenSSL behaviour is unrelated, nginx uses his own simple HTTP client implementation to query OCSP responders. While it uses HTTP/1.0, it does with Host header in a request, and everything is expected to just work with StartCom.

Your certificate is recently issued though, and errors seen in nginx logs is likely just indication that information about your certificate isn't yet available on all StartCom's OCSP responders.

in reply to:  2 comment:4 by Maxim Dounin, 7 years ago

Resolution: worksforme
Status: newclosed

Replying to Rich Midwinter <rich.midwinter@gmail.com>:

I've seen the same errors.

However, with ssl_stapling_verify off; and running ssllabs against my site, it does report OCSP stapling as being enabled. If I set ssl_stapling_verify on; then it reports it as off, which makes me (perhaps naively) think it's working.

So, basically, it works, but as errors logged - nginx is not always able to get a valid OCSP response. Thanks you for confirmation, closing this as "works for me".

As for ssl_stapling_verify, please see documentation - to work it needs full certificate chain to be available for verification, which is usually not the case. It should be much easier, but unfortunately works only this way due to OpenSSL limitation. And that's actually why it's off by default.

Note: See TracTickets for help on using tickets.