OCSP stapling does not work at all when default_server runs with a self-signed certificate
Reported by: gummybearcandies.wordpress.com. Owned by: (unassigned)
Linux Ubuntu 14.04.2, 64-bit, and whatever the latest packaged kernel release is (3.13.0-48-generic?)
(I'm not able to SSH into the box at the moment since I'm elsewhere)
1.6.2 w/ SSL module
(Again, I'm not able to SSH into the box at the moment since I'm elsewhere, but it is a built-from-source 1.6.2 with the SSL module)
The SSL module's OCSP stapling support does not function under the following combination:
1) OCSP stapling is enabled and configured properly in an SSL 'server' block that does not carry the 'default_server' declaration.
2) The SSL 'server' block with the 'default_server' declaration uses a self-signed certificate without any OCSP support.
OCSP stapling should function for the first server block even if the default server uses an SSL certificate that carries no OCSP information.
OCSP stapling is globally disabled because the default server does not have OCSP stapling support enabled. Since the default server is using a certificate without OCSP support, it is actually impossible to enable OCSP stapling without significant effort including, but not limited to, installing and maintaining an OCSP daemon to work around this bug in nginx.
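The configuration shape the report describes, written out as an added illustration rather than the reporter's own config (host names, file paths and the resolver address are assumed): a catch-all default_server on a self-signed certificate next to a named vhost that enables stapling for its CA-issued certificate.

```nginx
# Catch-all default server: self-signed certificate, no OCSP responder in
# the certificate, and no ssl_stapling directives at all (assumed paths).
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/nginx/ssl/self-signed.crt;
    ssl_certificate_key /etc/nginx/ssl/self-signed.key;
}

# Named virtual host with a CA-issued certificate; this is the block where
# stapling is expected to work independently of the default server.
server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate     /etc/nginx/ssl/example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;

    ssl_stapling on;
    # Verify the OCSP response nginx fetches before stapling it to clients.
    ssl_stapling_verify on;
    # Issuer chain used to validate the OCSP response (assumed path).
    ssl_trusted_certificate /etc/nginx/ssl/example.com.chain.pem;
    # nginx resolves the OCSP responder host itself (assumed resolver).
    resolver 127.0.0.1 valid=300s;
}
```

To check whether a staple is actually delivered for the named host, run `openssl s_client -connect www.example.com:443 -servername www.example.com -status </dev/null` and look for "OCSP Response Status: successful" versus "OCSP response: no response sent" in the output.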
Verified in 1.6.2. Nothing's shown up in the changelog since OCSP stapling support was introduced in 1.3.7, so this bug affects every version since then, including the 1.7.x series.