#740 closed defect (wontfix)
ssl_staping not working with WoSign SSL certificates
| Reported by: | openid.yandex.ru/tmatm24 | Owned by: | |
|---|---|---|---|
| Priority: | critical | Milestone: | |
| Component: | nginx-module | Version: | 1.6.x |
| Keywords: | SSL, OCSP, WoSign | Cc: | |
| uname -a: | Linux server 3.2.0-4-amd64 #1 SMP Debian 3.2.65-1+deb7u1 x86_64 GNU/Linux | ||
| nginx -V: |
nginx version: nginx/1.6.2
built by gcc 4.7.2 (Debian 4.7.2-5) TLS SNI support enabled configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-mail --with-mail_ssl_module --with-file-aio --with-cc-opt='-g -O2 -Wp,-D_FORTIFY_SOURCE=2' --with-ld-opt=-Wl,--as-needed --with-ipv6 --with-http_perl_module |
||
Description
Here is the description of the problem with OCSP-responder:
http://habrahabr.ru/post/254231/#comment_8350543
Change History (2)
comment:1 by , 10 years ago
| Resolution: | → wontfix |
|---|---|
| Status: | new → closed |
comment:2 by , 9 years ago
The GET request is not the problem here. WoSign's OCSP server do answer GET requests if sent "properly". The problem here is that ngx_escape_uri() encodes the last = of the URL as %2d instead %2D. RFC3986, section 2.1 uses the term "should be uppercase" it also says "'A' through 'F' are equivalent to the lowercase digits 'a' through 'f'".
Thankfully this has been fixed in nginx 1.7.4 via "Core: use uppercase hexadecimal digits for percent-encoding." and now it works (just confirmed).
Note:
See TracTickets
for help on using tickets.
The problem itself seems to be with a particular OCSP responder, not with nginx. You may try reporting it to the Certificate Authority support. The same escaping as used by nginx is also seen, e.g., in Opera browser OCSP requests, so they are likely have larger problems than non-working OCSP stapling with nginx.
Note well that there are no plans to support POST OCSP requests. The POST request method is widely understood to be bad for OCSP requests as it doesn't allow effective HTTP-level caching.