Opened 9 years ago

Closed 9 years ago

Last modified 9 years ago

#742 closed defect (worksforme)

OCSP stapling does not work at all when default_server runs with a self-signed certificate

Reported by: gummybearcandies.wordpress.com Owned by:
Priority: minor Milestone:
Component: nginx-module Version: 1.7.x
Keywords: SSL Cc:
uname -a: Linux Ubuntu 14.04.2, 64-bit, and whatever the latest packaged kernel release is (3.13.0-48-generic?)
(I'm not able to SSH into the box at the moment since I'm elsewhere)
nginx -V: 1.6.2 w/ SSL module
(Again, I'm not able to SSH into the box at the moment since I'm elsewhere, but it is a built-from-source 1.6.2 with the SSL module)

Description

The SSL module support of OCSP stapling does not function under the following combination:

1) OCSP stapling is enabled and configured properly in an SSL 'server' directive that does not have the 'default_server' declaration.

2) The SSL 'server' directive with the 'default_server' declaration uses a self-signed certificate without any OCSP support.

Expected result:

OCSP stapling should function for the first server directive even if the default server uses an SSL certificate that does not have OCSP information contained within it.

Actual result:

OCSP stapling is globally disabled because the default server does not have OCSP stapling support enabled. Since the default server is using a certificate without OCSP support, it is actually impossible to enable OCSP stapling without significant effort including, but not limited to, installing and maintaining an OCSP daemon to work around this bug in nginx.

Verified in 1.6.2. Nothing's shown up in the changelog since OCSP stapling support was introduced in 1.3.7, so this bug affects every version since then, including the 1.7.x series.
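The layout the report describes (a `default_server` with a self-signed certificate and no stapling, plus a second SNI-selected server with `ssl_stapling on`) and a check for which vhost actually returns a stapled response, as an added example that is not part of the ticket. The certificate paths, hostname and resolver are placeholders; the `stapling_ok` helper parses `openssl s_client -status` output so it can be exercised on constructed transcripts without a network.

```shell
#!/bin/sh
# Added example, not from the ticket or from nginx: the two-server layout
# from the report, and a check that selects the non-default vhost via SNI.

# Constructed nginx fragment. All paths and names are placeholders.
NGINX_FRAGMENT='
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/nginx/ssl/selfsigned.crt;   # placeholder
    ssl_certificate_key /etc/nginx/ssl/selfsigned.key;   # placeholder
    # no ssl_stapling here: a self-signed cert carries no OCSP responder URL
}

server {
    listen 443 ssl;
    server_name example.com;                              # placeholder
    ssl_certificate     /etc/nginx/ssl/example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/ssl/issuer-chain.pem;
    resolver 127.0.0.1;                                   # placeholder
}
'

# Return 0 when an "openssl s_client -status" transcript contains a stapled
# OCSP response, 1 otherwise. Works on text so it can be tested offline.
stapling_ok() {
    printf '%s\n' "$1" | grep -q 'OCSP Response Status: successful'
}

# Live check (needs network; not run by the offline test). -servername sends
# SNI so the second server block is selected; without it the connection lands
# on default_server, which has no stapling configured. nginx fetches the OCSP
# response lazily after the first handshake, so a second attempt is made.
check_host() {
    host="$1"
    for attempt in 1 2; do
        out=$(printf 'Q\n' | openssl s_client -connect "$host:443" \
                  -servername "$host" -status 2>/dev/null)
        if stapling_ok "$out"; then
            echo "stapled response seen on attempt $attempt"
            return 0
        fi
        sleep 1
    done
    echo "no stapled response for $host"
    return 1
}

# Constructed transcripts mirroring the shape of s_client -status output.
TRANSCRIPT_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response'

TRANSCRIPT_NONE='CONNECTED(00000003)
OCSP response: no response sent'
```

Run `check_host example.com` against a live server (with the placeholders replaced) to see whether the SNI-selected vhost staples; connecting without `-servername` only tells you about `default_server`.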

Change History (3)

comment:1 by Maxim Dounin, 9 years ago

Resolution: worksforme
Status: new → closed

Works fine here, you are probably doing something wrong. Try asking the mailing list for help.

comment:2 by gummybearcandies.wordpress.com, 9 years ago

The Internet disagrees with you:

https://gist.github.com/konklone/6532544
(Several comments)

https://blog.tyk.nu/blog/ocsp-stapling-in-nginx/
('nginx gotchas' section)

https://blog.kempkens.io/posts/ocsp-stapling-with-nginx/
('Update 1' section)

comment:3 by Maxim Dounin, 9 years ago

That's sad, but happens on a regular basis. Somebody is always wrong on the Internet, see http://xkcd.com/386/.
