Opened 8 years ago

Closed 8 years ago

#832 closed defect (wontfix)

OCSP_basic_verify : unable to get certificate CRL

Reported by: mttcr@… Owned by:
Priority: minor Milestone:
Component: nginx-module Version: 1.8.x
Keywords: ocsp, ssl, crl Cc:
uname -a: Linux xxxx 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.8.0
built by gcc 4.8.2 (Ubuntu 4.8.2-19ubuntu1)
built with OpenSSL 1.0.1f 6 Jan 2014
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-mail --with-mail_ssl_module --with-file-aio --with-http_spdy_module --with-cc-opt='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,--as-needed' --with-ipv6

Description

Hello,
I am configuring a server with OCSP stapling.
I have the following error:

2015/11/12 16:35:25 [error] 10140#0: OCSP_basic_verify() failed (SSL: error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:Verify error:unable to get certificate CRL) while requesting certificate status, responder: gu.symcd.com

I have the same error while trying the following SSL command:

openssl verify -verbose -issuer_checks -crl_check_all -CAfile trusted.crt  my.crt
OU = GTxxx, OU = See www.geotrust.com/resources/cps (c)15, OU = Domain Control Validated - QuickSSL(R) Premium, CN = xxx.com
error 3 at 0 depth lookup:unable to get certificate CRL
(from strace : stat("/usr/lib/ssl/certs/d84ef247.r0", 0x7fff569a0c70) = -1 ENOENT (No such file or directory) )

If I manually download the CRLs (from intermediate and mine) and add them to the trusted.crt list it works.

But, shouldn't nginx proceed with OCSP rather than checking with CRLs? Why does it need the CRL?
With openssl it is successful:

openssl ocsp -issuer intermediate.crt -cert my.crt -CAfile trusted.crt -text -url http://gu.symcd.com
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 0BFE6BED5F81B8D22D7578CFB3E64ECD41AF6D93
          Issuer Key Hash: 0B50EC77EF2A9BFFEC03A10AFFADC6E42A18C73E
          Serial Number: 0266CA
    Request Extensions:
        OCSP Nonce:
            04107AB006C3D74145C9102E34EABEAA7C20
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: E1F8C2DBEB0FB09E4C064D0A850DBE1E41BAB82E
    Produced At: Nov 11 08:49:40 2015 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 0BFE6BED5F81B8D22D7578CFB3E64ECD41AF6D93
      Issuer Key Hash: 0B50EC77EF2A9BFFEC03A10AFFADC6E42A18C73E
      Serial Number: 0266CA
    Cert Status: good
    This Update: Nov 11 08:49:40 2015 GMT
    Next Update: Nov 18 08:49:40 2015 GMT
...

Note : I also use Client Certificate Authentication.

My conf contains :

ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
ssl_certificate     chain.crt;
ssl_certificate_key my.key;
ssl_verify_client on;
ssl_client_certificate myCA.crt;
ssl_crl myCA.crl;
ssl_verify_depth 2;
ssl_trusted_certificate trusted.crl;

Change History (1)

comment:1 by Maxim Dounin, 8 years ago

Resolution: wontfix
Status: new → closed

When ssl_crl is used, it applies to OCSP verifications as well, because OCSP response verification uses the same trusted certificate store. And as it requires CRLs for all intermediate certificates involved, verification fails.

Correct resolution would be to improve OpenSSL's OCSP response verification to only require an issuer certificate (and not require anything else, including trusted certs store). This is expected to be possible as per RFC 6960, and will make OCSP response verification trivial. This is about OpenSSL code though, and I wouldn't expect it to happen soon.

Trivial workaround would be to keep OCSP response verification off, which is the default. Alternatively, you can provide appropriate CRLs.
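The behaviour described in the comment above, reproduced with a throwaway PKI as an added example (not the reporter's setup and not nginx code): with the CRL check applied to the whole chain, OpenSSL wants a CRL from every issuer, and the "provide appropriate CRLs" workaround means adding both the intermediate's and the root's CRL to the bundle. It assumes the `openssl` CLI is installed; every file, name and CRL here is constructed on the fly.

```shell
#!/bin/sh
# Throwaway PKI (all names constructed) showing why `openssl verify -crl_check_all`,
# and so nginx with ssl_crl plus ssl_stapling_verify, needs a CRL from every
# issuer in the chain, and that adding those CRLs to the trusted bundle fixes it.
set -eu
WORK=$(mktemp -d); cd "$WORK"

# Root CA -> intermediate CA -> leaf. The intermediate gets CA:TRUE and cRLSign
# so it is accepted both as a certificate issuer and as a CRL issuer.
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
    -subj /CN=TestRoot -days 30 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr -subj /CN=TestInt 2>/dev/null
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -out int.crt -days 30 -extfile ca.ext 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr -subj /CN=leaf.test 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial -out leaf.crt -days 30 2>/dev/null

# Minimal `openssl ca` config: -gencrl only needs a database file and a digest.
printf '[ca]\ndefault_ca=ca\ndatabase=index.txt\ndefault_md=sha256\n' > ca.cnf
touch index.txt
gencrl() { openssl ca -config ca.cnf -gencrl -keyfile "$1" -cert "$2" -crldays 30 -out "$3" 2>/dev/null; }

# Same check the ticket runs: trusted bundle via -CAfile (certs and CRLs together),
# CRL check on the whole chain. Exit status 0 means the chain verified.
verify_with() { openssl verify -crl_check_all -CAfile "$1" leaf.crt >/dev/null 2>&1; }

cat root.crt int.crt > trusted.crt                         # certs only, no CRLs
gencrl int.key int.crt int.crl
cat root.crt int.crt int.crl > trusted_intcrl.crt          # CRL from the intermediate only
gencrl root.key root.crt root.crl
cat root.crt int.crt int.crl root.crl > trusted_allcrl.crt # CRL from every issuer

report() {
    if verify_with "$1"; then echo "$1: OK"; else echo "$1: FAIL"; fi
}
report trusted.crt         # FAIL: no CRL at all ("unable to get certificate CRL" at depth 0)
report trusted_intcrl.crt  # FAIL: the intermediate (depth 1) has no CRL from the root
report trusted_allcrl.crt  # OK
```

For the nginx case the equivalent is to put the intermediate's and root's CRLs, together with `myCA.crl`, into the file named by `ssl_crl`, or to leave `ssl_stapling_verify` at its default of off.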
