Opened 11 years ago
Closed 11 years ago
#465 closed defect (worksforme)
OCSP stapling fails to query StartCom's OCSP responder in HTTP 1.1
Reported by: | David Huang | Owned by: | |
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | nginx-module | Version: | 1.3.x |
Keywords: | ssl, stapling, ocsp | Cc: | |
uname -a: | Linux vps 2.6.32-042stab076.7 #1 SMP Thu Apr 25 13:35:47 MSK 2013 x86_64 GNU/Linux | | |
nginx -V: | nginx version: nginx/1.5.7 | | |
Description
Currently, Nginx's OCSP stapling doesn't work with StartCom's OCSP responders.
nginx.conf:
ssl_stapling on;
resolver 8.8.8.8;
After restarting the nginx server, an error is logged.
error.log:
2013/12/07 19:49:07 [error] 15898#0: certificate status "unknown" in the OCSP response while requesting certificate status, responder: ocsp.startssl.com
However, my certificate is a valid certificate and has not been revoked. It turns out that StartCom's OCSP responders expect HTTP 1.1 requests, which OpenSSL isn't doing by default, and could be enabled by specifying the HTTP Host header. (See https://forum.startcom.org/viewtopic.php?f=15&t=2661)
OpenSSL command:
openssl ocsp -issuer sub.class1.server.ca.pem -cert ssl.crt -url http://ocsp.startssl.com/sub/class1/server/ca
Output (Bad):
Error querying OCSP responsder 140735231251296:error:27076072:OCSP routines:PARSE_HTTP_LINE1:server response error:ocsp_ht.c:250:Code=400,Reason=Bad Request
OpenSSL command with HOST header:
openssl ocsp -issuer sub.class1.server.ca.pem -cert ssl.crt -url http://ocsp.startssl.com/sub/class1/server/ca -header "HOST" "ocsp.startssl.com"
Output (Good):
WARNING: no nonce in response
Response Verify Failure
140735231251296:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:126:Verify error:unable to get local issuer certificate
ssl.crt: good
This Update: Dec 8 18:33:05 2013 GMT
Next Update: Dec 10 18:33:05 2013 GMT
Change History (6)
comment:1 by , 11 years ago (follow-up: comment:3)
I'm not sure whether Nginx's OCSP query fails exactly because of the OpenSSL behavior, but it might be a thing to check.
comment:2 by , 11 years ago (follow-up: comment:4)
I've seen the same errors.
However, with ssl_stapling_verify off; and running ssllabs against my site, it does report OCSP stapling as being enabled. If I set ssl_stapling_verify on; then it reports it as off, which makes me (perhaps naively) think it's working.
comment:3 by , 11 years ago
Replying to David Huang <linshunghuang@gmail.com>:
I'm not sure whether Nginx's OCSP query fails exactly because of the OpenSSL behavior, but it might be a thing to check.
No, OpenSSL behaviour is unrelated; nginx uses its own simple HTTP client implementation to query OCSP responders. While it uses HTTP/1.0, it does so with a Host header in the request, and everything is expected to just work with StartCom.
Your certificate was recently issued though, and the errors seen in the nginx logs are likely just an indication that information about your certificate isn't yet available on all of StartCom's OCSP responders.
comment:4 by , 11 years ago
Resolution: | → worksforme |
---|---|
Status: | new → closed |
Replying to Rich Midwinter <rich.midwinter@gmail.com>:
I've seen the same errors.
However, with ssl_stapling_verify off; and running ssllabs against my site, it does report OCSP stapling as being enabled. If I set ssl_stapling_verify on; then it reports it as off, which makes me (perhaps naively) think it's working.
So, basically, it works, but as the logged errors show, nginx is not always able to get a valid OCSP response. Thank you for the confirmation; closing this as "works for me".
As for ssl_stapling_verify, please see the documentation: to work, it needs the full certificate chain to be available for verification, which is usually not the case. It should be much easier, but unfortunately it works only this way due to an OpenSSL limitation. And that's actually why it's off by default.
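Because a failed stapling query only produces a log line while nginx keeps serving the handshake without a stapled status, the error.log is the place to watch for this. The following is an added example, not code from the ticket or from nginx: it parses error.log lines in the format quoted above, groups OCSP stapling errors by responder and reported status, and triages them the way comment:3 suggests ("unknown" on a fresh certificate usually means the responder has not published it yet, whereas "revoked" needs action). The first sample line is the one from the ticket; the rest are constructed.

```python
import re
from collections import Counter, defaultdict

# nginx error.log line: "YYYY/MM/DD HH:MM:SS [level] pid#tid: message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] "
    r"(?P<pid>\d+)#(?P<tid>\d+): (?P<msg>.*)$"
)
STATUS_RE = re.compile(r'certificate status "(?P<status>[^"]+)" in the OCSP response')
RESPONDER_RE = re.compile(r"responder: (?P<responder>\S+)$")

# Constructed sample: line 1 is from the ticket, the others are made up for the demo.
SAMPLE_LOG = """\
2013/12/07 19:49:07 [error] 15898#0: certificate status "unknown" in the OCSP response while requesting certificate status, responder: ocsp.startssl.com
2013/12/07 19:54:07 [error] 15898#0: certificate status "unknown" in the OCSP response while requesting certificate status, responder: ocsp.startssl.com
2013/12/07 20:04:11 [error] 15898#0: certificate status "revoked" in the OCSP response while requesting certificate status, responder: ocsp.example.invalid
2013/12/07 20:05:00 [notice] 15898#0: signal process started
2013/12/07 20:06:30 [error] 15898#0: OCSP responder timed out while requesting certificate status, responder: ocsp.startssl.com
"""

def parse_line(line):
    """Split one error.log line into its fields, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def classify(msg):
    """Return (responder, status) for an OCSP stapling error; status is 'error' when no status was reported."""
    r = RESPONDER_RE.search(msg)
    if r is None or "OCSP" not in msg:
        return None
    s = STATUS_RE.search(msg)
    return r.group("responder"), (s.group("status") if s else "error")

def summarize(log_text):
    """Count OCSP stapling errors per responder, keyed by reported status."""
    summary = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["level"] != "error":
            continue
        hit = classify(rec["msg"])
        if hit:
            summary[hit[0]][hit[1]] += 1
    return {k: dict(v) for k, v in summary.items()}

def triage(summary):
    """Map each responder to a recommended action based on the statuses seen."""
    actions = {}
    for responder, counts in summary.items():
        if counts.get("revoked"):
            actions[responder] = "revoked: replace the certificate now"
        elif counts.get("unknown"):
            actions[responder] = "unknown: responder may not have the cert yet, retry later"
        else:
            actions[responder] = "error: check responder reachability (resolver, firewall)"
    return actions
```

Run `summarize(SAMPLE_LOG)` followed by `triage(...)` on a real error.log to get a per-responder view instead of reading individual lines.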