Opened 2 years ago

Closed 2 years ago

Last modified 21 months ago

#740 closed defect (wontfix)

ssl_stapling not working with WoSign SSL certificates

Reported by:
Owned by:
Priority: critical
Milestone:
Component: nginx-module
Version: 1.6.x
Keywords: SSL, OCSP, WoSign
Cc:
Sensitive: no
uname -a: Linux server 3.2.0-4-amd64 #1 SMP Debian 3.2.65-1+deb7u1 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.6.2 built by gcc 4.7.2 (Debian 4.7.2-5) TLS SNI support enabled configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/ --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-mail --with-mail_ssl_module --with-file-aio --with-cc-opt='-g -O2 -Wp,-D_FORTIFY_SOURCE=2' --with-ld-opt=-Wl,--as-needed --with-ipv6 --with-http_perl_module


Here is the description of the problem with the OCSP responder:

Change History (2)

comment:1 Changed 2 years ago by mdounin

  • Resolution set to wontfix
  • Status changed from new to closed

The problem itself seems to be with a particular OCSP responder, not with nginx. You may try reporting it to the Certificate Authority support. The same escaping as used by nginx is also seen, e.g., in Opera browser OCSP requests, so they likely have larger problems than non-working OCSP stapling with nginx.

Note well that there are no plans to support POST OCSP requests. The POST request method is widely understood to be bad for OCSP requests as it doesn't allow effective HTTP-level caching.

comment:2 Changed 21 months ago by

The GET request is not the problem here. WoSign's OCSP server does answer GET requests if sent "properly". The problem here is that ngx_escape_uri() encodes the last = of the URL as %2d instead of %2D. RFC 3986, section 2.1 uses the term "should be uppercase"; it also says "'A' through 'F' are equivalent to the lowercase digits 'a' through 'f'".

Thankfully this has been fixed in nginx 1.7.4 via "Core: use uppercase hexadecimal digits for percent-encoding." and now it works (just confirmed).
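As an added example (not nginx's code and not WoSign's responder), the Python below builds the OCSP GET path discussed in this ticket, shows the lowercase percent-encoding of the pre-1.7.4 encoder beside the uppercase form RFC 3986 asks producers to emit, and models both a responder that rejects lowercase hex digits and one that treats them as equivalent, as RFC 3986 requires of consumers. The GET form (base64 of the DER OCSPRequest, then URL-encoded) follows RFC 6960 Appendix A.1; the DER bytes are constructed, not a real OCSPRequest.

```python
"""Added example: OCSP-over-GET path encoding and percent-encoding case.

Base64 output contains '+', '/' and '=', none of which are unreserved,
so they are percent-encoded in the GET path.  RFC 3986 section 2.1 says
producers should use uppercase hex digits and that consumers must treat
"%2d" and "%2D" as the same octet.
"""
import base64
import re
from urllib.parse import unquote_to_bytes

# RFC 3986 section 2.3 unreserved characters: never percent-encoded.
UNRESERVED = frozenset(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)

_TRIPLET = re.compile(r"%([0-9a-fA-F]{2})")


def percent_encode(data: bytes, uppercase: bool = True) -> str:
    """Percent-encode every octet outside the unreserved set.
    uppercase=False reproduces the pre-1.7.4 nginx output (e.g. %3d)."""
    fmt = "%{:02X}" if uppercase else "%{:02x}"
    return "".join(chr(b) if b in UNRESERVED else fmt.format(b) for b in data)


def ocsp_get_path(der_request: bytes, uppercase: bool = True) -> str:
    """Path segment appended to the responder URL (RFC 6960, A.1)."""
    return percent_encode(base64.b64encode(der_request), uppercase)


def normalize_percent_encoding(path: str) -> str:
    """Uppercase the hex digits of every %XX triplet (RFC 3986 6.2.2.1)."""
    return _TRIPLET.sub(lambda m: "%" + m.group(1).upper(), path)


def decode_ocsp_get_path(path: str, tolerant: bool = True) -> bytes:
    """Recover the DER OCSPRequest from a GET path.

    tolerant=False models a responder that only recognises uppercase hex
    digits (the behaviour this ticket ran into); tolerant=True is what
    RFC 3986 requires of a consumer."""
    if not tolerant and any(m.group(1) != m.group(1).upper()
                            for m in _TRIPLET.finditer(path)):
        raise ValueError("malformed request: lowercase percent-encoding")
    return base64.b64decode(unquote_to_bytes(path), validate=True)


# Constructed stand-in for a DER OCSPRequest, chosen so that its base64
# form "+/+/AA==" contains all three characters that need escaping.
SAMPLE_DER = b"\xfb\xff\xbf\x00"
```

Running `ocsp_get_path(SAMPLE_DER)` gives `%2B%2F%2B%2FAA%3D%3D`, while `uppercase=False` gives `%2b%2f%2b%2fAA%3d%3d`; only the tolerant decoder accepts both.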
