Opened 9 years ago
Closed 9 years ago
#769 closed defect (fixed)
nginx 1.9.2 breaks ssl_stapling_file
Reported by: | Faidon Liambotis | Owned by: | Maxim Dounin |
---|---|---|---|
Priority: | major | Milestone: | |
Component: | nginx-core | Version: | 1.9.x |
Keywords: | Cc: | ||
uname -a: | |||
nginx -V: |
nginx version: nginx/1.9.2
built with OpenSSL 1.0.1k 8 Jan 2015 TLS SNI support enabled |
Description
changeset 6181:6893a1007a7c ("OCSP stapling: avoid sending expired responses (ticket #425)"), included in 1.9.2, broke stapling with ssl_stapling_file (= no OCSP response is being stapled, despite that configuration directive being present).
The problems seems to lie here:
1.24 - if (staple->staple.len) {
1.25 + if (staple->staple.len
1.26 + && staple->valid >= ngx_time())
1.27 + {
That's from ngx_ssl_certificate_status_callback().
However, staple->valid is only set by ngx_ssl_stapling_ocsp_handler(), which is clearly only called when online stapling is being used.
Change History (5)
comment:1 by , 9 years ago
comment:2 by , 9 years ago
Owner: | set to |
---|---|
Status: | new → assigned |
comment:3 by , 9 years ago
Thanks, here is slightly different patch to fix this:
# HG changeset patch # User Maxim Dounin <mdounin@mdounin.ru> # Date 1436197779 -10800 # Mon Jul 06 18:49:39 2015 +0300 # Node ID 12aa8e9ded17e1f037948864c914acb290670377 # Parent 33e62c32b9d602700a3cd48955067668fe9a86ab OCSP stapling: fixed ssl_stapling_file (ticket #769). Broken by 6893a1007a7c (1.9.2) during introduction of strict OCSP response validity checks. As stapling file is expected to be returned unconditionally, fix is to set its validity to the maximum supported time. Reported by Faidon Liambotis. diff --git a/src/event/ngx_event_openssl_stapling.c b/src/event/ngx_event_openssl_stapling.c --- a/src/event/ngx_event_openssl_stapling.c +++ b/src/event/ngx_event_openssl_stapling.c @@ -245,6 +245,7 @@ ngx_ssl_stapling_file(ngx_conf_t *cf, ng staple->staple.data = buf; staple->staple.len = len; + staple->valid = NGX_MAX_TIME_T_VALUE; return NGX_OK;
Fix, from Brandon Black, a colleague at Wikimedia:
https://git.wikimedia.org/blob/operations%2Fsoftware%2Fnginx.git/b15a432da142c40a668f77ab85bdd37d6b53393f/debian%2Fpatches%2F2001-Stapling-File-Bugfix.patch