Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#1867 closed defect (invalid)

Cached TLS 1.2+ECDSA OCSP must staple validation is not used to serve TLS1.3+CSDSA OCSP request (for the same EC certificate)

Reported by: Дилян Палаузов Owned by:
Priority: minor Milestone:
Component: other Version: 1.16.x
Keywords: Cc:
uname -a: Linux 4.14.120 #1 SMP Fri May 17 14:20:14 UTC 2019 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.16.1
built by gcc 9.2.1 20190917 (GCC)
built with OpenSSL 1.1.1d 10 Sep 2019
TLS SNI support enabled
configure arguments: --pid-path=/var/run/nginx.pid --conf-path=/etc/nginx/core.conf --error-log-path=/var/log/nginx/nginx.log --without-poll_module --without-select_module --with-file-aio --with-http_ssl_module --with-http_addition_module --with-http_xslt_module --with-http_image_filter_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gzip_static_module --with-http_random_index_module --with-http_degradation_module --with-http_stub_status_module --http-log-path=/var/log/nginx --with-pcre --with-pcre-jit --without-http_ssi_module --without-http_scgi_module --without-http_upstream_ip_hash_module --without-http_split_clients_module --without-http_empty_gif_module
--with-http_v2_module --add-module=../ngx_http_substitutions_filter_module --add-module=/git/nginx-dav-ext-module/ --with-cc-opt='-flto -pipe -O3' --with-ld-opt='-flto=6 -Wl,-s,-O1'

Description

I have Nginx 1.16.1 serving both TLS 1.3 and TLS 1.2 and offering RSA and EC certificates, runnig at https://anciens.org . The certificates are from Let's encrypt and have OCSP MUST STAPLE.

Lets Encrypt does not issue a single OCSP validation for two certificates (a RSA and an EC certficate). Nginx does accept two ssl_certificate directives per server (one for RSA and one for EC), but does not accept two ssl_stapling_file.

So in order to serve the clients, right after starting Nginx I obain from it for TLS1.2 the RSA certificate and ask for the OCSP validation. Then I obtain from Nginx for TLS1.3 the EC certificate and ask for the OCSP validation. After Nginx has the OCSP validations, I expect from it, when serving TLS 1.3 over EC to deliver these validations. But it does not.

So I have, after starting Nging to call all of:

echo Q|/usr/local/bin/openssl s_client -status -tls1_2 -cipher aRSA -connect anciens.org:443 &> /dev/null
echo Q|/usr/local/bin/openssl s_client -status -tls1_2 -cipher aECDSA -connect anciens.org:443 &> /dev/null
echo Q|/usr/local/bin/openssl s_client -status -tls1_3 -connect anciens.org:443 &> /dev/null

The output of OCSP Response Data:Serial Number differs only for TLS 1.2 with RSA.

The problem report is, that once Nginx has cached OCSP validation for TLS 1.2+ECDSA, when serving TLS1.3+ECDSA it does not use the obtained validation, but fails, until it fetches a new one.

Change History (4)

comment:1 by Maxim Dounin, 5 years ago

How many worker processes do you have? Do you see the same behaviour with only one worker process?

comment:2 by Дилян Палаузов, 5 years ago

Then I obtain from Nginx for TLS1.3 the EC certificate and ask for the OCSP validation. After Nginx has the OCSP validations, I expect from it, when serving TLS 1.3 over EC to deliver these validations. But it does not.

Read (first 1.3 replaced with 1.2):

Then I obtain from Nginx for TLS1.2 the EC certificate and ask for the OCSP validation. After Nginx has the OCSP validations, I expect from it, when serving EC over TLS 1.3 to deliver these validations. But it does not.

How many worker processes do you have?

→ worker_processes 2;

Do you see the same behaviour with only one worker process?

No. With one worker process, after warming up with

(echo Q|/usr/local/bin/openssl s_client -status -tls1_2 -cipher aRSA -connect anciens.org:443 &> /dev/null &) ;
(echo Q|/usr/local/bin/openssl s_client -status -tls1_2 -cipher aECDSA -connect anciens.org:443 &> /dev/null &)

This returns OCSP stapled validation:

echo Q|/usr/local/bin/openssl s_client -status -tls1_3 -cipher aRSA -connect anciens.org:443

comment:3 by Maxim Dounin, 5 years ago

Resolution: invalid
Status: newclosed

Ok, thanks for confirming. So you are connecting to a different worker process, and that's why you see no OCSP response returned. It's not a bug, but rather warming up you use is not sufficient for your configuration.

comment:4 by Дилян Палаузов, 5 years ago

This way of operation (OCSP must staple + more than one worker processes + EC and RSA certificate) is very unfortunate.

The EC and RSA certifictae imply that ssl_stapling_file cannot be used with Lets's encrypt certificates, as their OCSP server does not issue one OCSP protocol for two certificates and ssl_stapling_file can be applied once.

The more than one worker mean several caches for OCSP data, and OCSP data is filled upon HTTPS request.

If Nginx is really supposed to work like that, then it shall be documented how to warm up all workers with OCSP data.

Note: See TracTickets for help on using tickets.