id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
465	OCSP stapling fails to query StartCom's OCSP responder in HTTP 1.1	David Huang		"Currently, Nginx's OCSP stapling doesn't work with StartCom's OCSP responders.

nginx.conf:
{{{
ssl_stapling on;
resolver 8.8.8.8;
}}}

After restarting the nginx server, an error is logged.

error.log:
{{{
2013/12/07 19:49:07 [error] 15898#0: certificate status ""unknown"" in the OCSP response while requesting certificate status, responder: ocsp.startssl.com
}}}

However, my certificate is a valid certificate and has not been revoked. It turns out that StartCom's OCSP responders expect HTTP 1.1 requests, which OpenSSL isn't doing by default, and could be enabled by specifying the HTTP Host header. (See [https://forum.startcom.org/viewtopic.php?f=15&t=2661])

OpenSSL command:
{{{
openssl ocsp -issuer sub.class1.server.ca.pem -cert ssl.crt -url http://ocsp.startssl.com/sub/class1/server/ca
}}}
Output (Bad):
{{{
Error querying OCSP responsder
140735231251296:error:27076072:OCSP routines:PARSE_HTTP_LINE1:server response error:ocsp_ht.c:250:Code=400,Reason=Bad Request
}}}

OpenSSL command with HOST header:
{{{
openssl ocsp -issuer sub.class1.server.ca.pem -cert ssl.crt -url http://ocsp.startssl.com/sub/class1/server/ca -header ""HOST"" ""ocsp.startssl.com""
}}}
Output (Good):
{{{
WARNING: no nonce in response
Response Verify Failure
140735231251296:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:126:Verify error:unable to get local issuer certificate
ssl.crt: good
	This Update: Dec  8 18:33:05 2013 GMT
	Next Update: Dec 10 18:33:05 2013 GMT
}}}"	defect	closed	minor		nginx-module	1.3.x	worksforme	ssl, stapling, ocsp		Linux vps 2.6.32-042stab076.7 #1 SMP Thu Apr 25 13:35:47 MSK 2013 x86_64 GNU/Linux	nginx version: nginx/1.5.7
