Opened 9 years ago

Closed 9 years ago

#865 closed defect (invalid)

OCSP (ssl module)

Reported by: proArtex@…
Owned by:
Priority: major
Milestone:
Component: nginx-module
Version: 1.4.x
Keywords: ssl, ocsp
Cc:
uname -a: Linux rutracker.space 3.13.0-68-generic #111-Ubuntu SMP Fri Nov 6 18:17:06 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.4.6 (Ubuntu)
built by gcc 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04)
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_spdy_module --with-http_sub_module --with-http_xslt_module --with-mail --with-mail_ssl_module --add-module=/build/nginx-vKB75B/nginx-1.4.6/debian/modules/nginx-auth-pam --add-module=/build/nginx-vKB75B/nginx-1.4.6/debian/modules/nginx-dav-ext-module --add-module=/build/nginx-vKB75B/nginx-1.4.6/debian/modules/nginx-echo --add-module=/build/nginx-vKB75B/nginx-1.4.6/debian/modules/nginx-upstream-fair --add-module=/build/nginx-vKB75B/nginx-1.4.6/debian/modules/ngx_http_substitutions_filter_module

Description

Hello.

I have bought an SSL certificate (Comodo PositiveSSL) using the namecheap.com service and configured the nginx web server for the domain s.rutracker.space (https://s.rutracker.space/).

SSL check status is A+: https://www.ssllabs.com/ssltest/analyze.html?d=s.rutracker.space. Another ssl checker: https://www.sslchecker.com/sslchecker?su=7198874d48aff28a909a5beb3422170d.

But in the nginx log I saw "2015/12/20 22:54:55 [error] 15300#0: OCSP_basic_verify() failed (SSL: error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found) while requesting certificate status, responder: ocsp.comodoca.com". Namecheap support told me that OCSP doesn't work, and they were trying to find a solution for an hour. Comodo support recommended that I follow this instruction: https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/1015/0/.

Seems everything should work, but it doesn't.

nginx config:

resolver_timeout 10s;
resolver 8.8.8.8;

server {
    listen 443 deferred spdy ssl;
    listen [::]:443 deferred spdy ssl ipv6only=on;
    server_name s.rutracker.space;
    root /usr/share/nginx/www/rutracker.space;
    server_tokens off;
    keepalive_timeout 70;

    # ssl
    ssl on;
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 60m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/ssl/full_chain.pem;

    add_header "Strict-Transport-Security" "max-age=31536000";
    add_header "X-Frame-Options" "SAMEORIGIN";
    add_header "X-Content-Type-Options" "nosniff";
    add_header "X-XSS-Protection" "1; mode=block";

    location / {
        try_files $uri $uri/ /tmp.txt =404;
    }

    location ~ /\. {
        access_log off;
        log_not_found off;
        deny all;
    }

    location ~ ~$ {
        access_log off;
        log_not_found off;
        deny all;
    }
}

Change History (4)

comment:1 by Maxim Dounin, 9 years ago

Resolution: invalid
Status: new → closed

The OCSP response returned is signed by a certificate which is not present in your trusted list. This may happen if:

  • trusted list as set by ssl_trusted_certificate doesn't contain needed certificates;
  • the OCSP response returned is signed by a wrong certificate.

Either way, this doesn't look like an nginx bug. If in doubt, switch off ssl_stapling_verify.

comment:2 by proArtex@…, 9 years ago

Disabling the "ssl_stapling_verify" directive doesn't make sense:

015/12/22 20:00:52 [error] 5464#0: OCSP_basic_verify() failed (SSL: error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found) while requesting certificate status, responder: ocsp.comodoca.com

Comodo gives me full-chain certificates, which are in "ssl_trusted_certificate". https://support.comodo.com/index.php?/Knowledgebase/Article/GetAttachment/979/1056459

comment:3 by proArtex@…, 9 years ago

Resolution: invalid
Status: closed → reopened

comment:4 by Maxim Dounin, 9 years ago

Resolution: invalid
Status: reopened → closed

If you are using an old OpenSSL library, you may be facing an old OpenSSL bug described in ticket #556. The fix is either to upgrade OpenSSL or to make sure the issuer certificate is available in the certificate chain, as described in the docs.

Please use the support options available if you need further help. Trac is for tracking bugs; it's the wrong place to ask for help with configuration.
