#742 closed defect (worksforme)
OCSP stapling does not work at all when default_server runs with a self-signed certificate
Reported by: | gummybearcandies.wordpress.com | Owned by: | |
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | nginx-module | Version: | 1.7.x |
Keywords: | SSL | Cc: | |
uname -a: Linux Ubuntu 14.04.2, 64-bit, and whatever the latest packaged kernel release is (3.13.0-48-generic?). (I'm not able to SSH into the box at the moment since I'm elsewhere.)

nginx -V: 1.6.2 w/ SSL module. (Again, I'm not able to SSH into the box at the moment since I'm elsewhere, but it is a built-from-source 1.6.2 with the SSL module.)
Description
The SSL module support of OCSP stapling does not function under the following combination:
1) OCSP stapling is enabled and configured properly in an SSL 'server' directive that does not have the 'default_server' declaration.
2) The SSL 'server' directive with the 'default_server' declaration uses a self-signed certificate without any OCSP support.
Expected result:
OCSP stapling should function for the first server directive even if the default server uses an SSL certificate that does not have OCSP information contained within it.
Actual result:
OCSP stapling is globally disabled because the default server does not have OCSP stapling support enabled. Since the default server is using a certificate without OCSP support, it is actually impossible to enable OCSP stapling without significant effort including, but not limited to, installing and maintaining an OCSP daemon to work around this bug in nginx.
Verified in 1.6.2. Nothing's shown up in the changelog since OCSP stapling support was introduced in 1.3.7, so this bug affects every version since then, including the 1.7.x series.
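For readers reproducing the report, the following is an added example of the configuration layout the ticket describes (it is not the reporter's config and not from the nginx documentation): a catch-all default_server with a self-signed certificate and no stapling, alongside a named virtual host with a CA-issued certificate that staples. The hostname, certificate paths and resolver address are assumed placeholders.

```nginx
# Added example configuration illustrating the layout described in the ticket.
# Hostnames, certificate paths and the resolver address are placeholders.

# Catch-all server: self-signed certificate, no OCSP stapling.
# Connections whose SNI name matches no other server block land here.
server {
    listen 443 ssl default_server;
    server_name _;

    ssl_certificate     /etc/nginx/ssl/selfsigned.crt;   # assumed path
    ssl_certificate_key /etc/nginx/ssl/selfsigned.key;   # assumed path
    # Deliberately no ssl_stapling here: a self-signed certificate carries
    # no OCSP responder URL, so there is nothing to staple.

    return 444;   # close the connection without a response for unknown hosts
}

# Named virtual host with a CA-issued certificate and stapling enabled.
server {
    listen 443 ssl;
    server_name www.example.com;                          # assumed name

    ssl_certificate     /etc/nginx/ssl/www.example.com.fullchain.pem;  # leaf + intermediates
    ssl_certificate_key /etc/nginx/ssl/www.example.com.key;

    ssl_stapling        on;
    ssl_stapling_verify on;
    # Certificates used to verify the OCSP response: the issuing
    # intermediate(s) and the root.
    ssl_trusted_certificate /etc/nginx/ssl/www.example.com.chain.pem;
    # nginx resolves the OCSP responder hostname itself, so a resolver is required.
    resolver 127.0.0.53 valid=300s;                       # assumed local resolver
    resolver_timeout 5s;
}
```

To check which server block actually answered and whether a staple was sent, run `openssl s_client -connect www.example.com:443 -servername www.example.com -status < /dev/null 2>/dev/null | grep -A2 'OCSP response'`. Two caveats matter when interpreting the result: nginx fetches the OCSP response lazily after the first handshake that uses a given certificate, so the first connection after a reload reports "no response sent" and a second connection is needed to see the staple; and a test without `-servername` (or with a name no server block matches) is served by the default_server, whose self-signed certificate has nothing to staple, so "no response sent" there is expected rather than evidence for or against the behaviour reported above.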
Change History (3)
comment:1 by , 10 years ago
Resolution: | → worksforme |
---|---|
Status: | new → closed |
comment:2 by , 10 years ago
The Internet disagrees with you:
https://gist.github.com/konklone/6532544
(Several comments)
https://blog.tyk.nu/blog/ocsp-stapling-in-nginx/
('nginx gotchas' section)
https://blog.kempkens.io/posts/ocsp-stapling-with-nginx/
('Update 1' section)
comment:3 by , 10 years ago
That's sad, but happens on a regular basis. Somebody is always wrong on the Internet, see http://xkcd.com/386/.
Works fine here, you are probably doing something wrong. Try asking the mailing list for help.