Opened 9 years ago
Closed 9 years ago
#832 closed defect (wontfix)
OCSP_basic_verify : unable to get certificate CRL
| Field | Value |
|---|---|
| Reported by | |
| Owned by | |
| Priority | minor |
| Milestone | |
| Component | nginx-module |
| Version | 1.8.x |
| Keywords | ocsp, ssl, crl |
| Cc | |
| uname -a | Linux xxxx 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux |

nginx -V:
nginx version: nginx/1.8.0
built by gcc 4.8.2 (Ubuntu 4.8.2-19ubuntu1)
built with OpenSSL 1.0.1f 6 Jan 2014
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-mail --with-mail_ssl_module --with-file-aio --with-http_spdy_module --with-cc-opt='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,--as-needed' --with-ipv6
Description
Hello,
I am configuring a server with OCSP stapling.
I have the following error:
2015/11/12 16:35:25 [error] 10140#0: OCSP_basic_verify() failed (SSL: error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:Verify error:unable to get certificate CRL) while requesting certificate status, responder: gu.symcd.com
I have the same error while trying the following SSL command
openssl verify -verbose -issuer_checks -crl_check_all -CAfile trusted.crt my.crt
OU = GTxxx, OU = See www.geotrust.com/resources/cps (c)15, OU = Domain Control Validated - QuickSSL(R) Premium, CN = xxx.com
error 3 at 0 depth lookup:unable to get certificate CRL
(from strace: stat("/usr/lib/ssl/certs/d84ef247.r0", 0x7fff569a0c70) = -1 ENOENT (No such file or directory) )
If I manually download the CRLs (from intermediate and mine) and add them to the trusted.crt list it works.
But, shouldn't nginx proceed with OCSP rather than checking with CRLs? Why does it need the CRL?
With openssl it is successful:
openssl ocsp -issuer intermediate.crt -cert my.crt -CAfile trusted.crt -text -url http://gu.symcd.com
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 0BFE6BED5F81B8D22D7578CFB3E64ECD41AF6D93
          Issuer Key Hash: 0B50EC77EF2A9BFFEC03A10AFFADC6E42A18C73E
          Serial Number: 0266CA
    Request Extensions:
        OCSP Nonce:
            04107AB006C3D74145C9102E34EABEAA7C20
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: E1F8C2DBEB0FB09E4C064D0A850DBE1E41BAB82E
    Produced At: Nov 11 08:49:40 2015 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 0BFE6BED5F81B8D22D7578CFB3E64ECD41AF6D93
      Issuer Key Hash: 0B50EC77EF2A9BFFEC03A10AFFADC6E42A18C73E
      Serial Number: 0266CA
    Cert Status: good
    This Update: Nov 11 08:49:40 2015 GMT
    Next Update: Nov 18 08:49:40 2015 GMT
...
Note : I also use Client Certificate Authentication.
My conf contains:
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
ssl_certificate chain.crt;
ssl_certificate_key my.key;
ssl_verify_client on;
ssl_client_certificate myCA.crt;
ssl_crl myCA.crl;
ssl_verify_depth 2;
ssl_trusted_certificate trusted.crl;
When ssl_crl is used, it applies to OCSP verifications as well, because OCSP response verification uses the same trusted certificate store. And as it requires CRLs for all intermediate certificates involved, verification fails. Correct resolution would be to improve OpenSSL's OCSP response verification to only require an issuer certificate (and not require anything else, including trusted certs store). This is expected to be possible as per RFC 6960, and will make OCSP response verification trivial. This is about OpenSSL code though, and I wouldn't expect it to happen soon.
Trivial workaround would be to keep OCSP response verification off, which is the default. Alternatively, you can provide appropriate CRLs.
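The following POSIX shell script is an added example, not part of the ticket or of nginx, that reproduces the behaviour described in the comment above with a throwaway PKI built using the openssl command-line tool. It issues a root CA, an intermediate CA and a leaf certificate, generates a CRL for each CA, and then runs openssl verify with -crl_check_all (the full-chain CRL check that applies once CRL checking is active on a trust store). With only the root's CRL in the bundle the check fails with "unable to get certificate CRL"; appending the intermediate's CRL makes the same check pass. All subject names, file names and the bundle layout are constructed for this demo; the script writes only into a temporary directory.

```shell
#!/bin/sh
# Added example, not from the ticket: build a throwaway three-level PKI
# (root -> intermediate -> leaf) and verify the leaf with -crl_check_all,
# the full-chain CRL check that applies once a CRL is loaded into the
# trust store. With only the root's CRL present the check fails with
# "unable to get certificate CRL"; adding the intermediate's CRL fixes it.
# All file and subject names below are constructed for this demo.
set -e
WORK="$(mktemp -d)"
cd "$WORK"

# Issue a CRL for CA "$1" with "openssl ca -gencrl", using a minimal
# per-CA config so the two CAs keep separate index/crlnumber state.
gencrl() {
    mkdir -p "$1.db"
    : > "$1.db/index.txt"
    echo 01 > "$1.db/crlnumber"
    printf '[ca]\ndefault_ca = demo\n[demo]\ndatabase = %s\ncrlnumber = %s\ndefault_md = sha256\ndefault_crl_days = 30\n' \
        "$WORK/$1.db/index.txt" "$WORK/$1.db/crlnumber" > "$1.db/ca.cnf"
    openssl ca -config "$1.db/ca.cnf" -gencrl \
        -keyfile "$1.key" -cert "$1.crt" -out "$1.crl" 2>/dev/null
}

# Extensions: CAs may sign certificates and CRLs; the leaf is an end-entity cert.
printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints = CA:FALSE\n' > leaf.ext

# Root CA: self-signed.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
    -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 30 -sha256 \
    -extfile ca.ext -out root.crt 2>/dev/null

# Intermediate CA: signed by the root.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout intermediate.key -out intermediate.csr 2>/dev/null
openssl x509 -req -in intermediate.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 30 -sha256 -extfile ca.ext -out intermediate.crt 2>/dev/null

# Leaf (server) certificate: signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA intermediate.crt -CAkey intermediate.key -CAcreateserial \
    -days 30 -sha256 -extfile leaf.ext -out leaf.crt 2>/dev/null

gencrl root
gencrl intermediate

# verify_chain BUNDLE: verify leaf.crt against a PEM bundle of trusted
# certificates plus CRLs, requiring a CRL for every certificate in the chain.
# Prints "ok" or "fail" instead of exiting so both cases can be compared.
verify_chain() {
    if openssl verify -crl_check_all -CAfile "$1" leaf.crt >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Bundle 1: trusted CAs plus the root's CRL only, i.e. a CRL exists for
# one CA but not for the intermediate that issued the leaf.
cat root.crt intermediate.crt root.crl > bundle_root_crl_only.pem
# Bundle 2: the same bundle with the intermediate's CRL appended.
cat bundle_root_crl_only.pem intermediate.crl > bundle_all_crls.pem

echo "root CRL only: $(verify_chain bundle_root_crl_only.pem)"   # fail
echo "all CRLs:      $(verify_chain bundle_all_crls.pem)"        # ok
# To see the exact verify error text, drop the redirects in verify_chain.
```

The first verify fails for the same reason as the reporter's openssl verify run: CRL checking is on, and no CRL issued by the intermediate can be found for the leaf. The second succeeds because the bundle now carries a CRL for every issuer in the chain, which is what "provide appropriate CRLs" means in practice: the CRL file nginx is given must cover the intermediates of the server chain as well, not only the client CA. The other route the comment names is leaving ssl_stapling_verify at its default (off), so that the CRL requirement of the shared trust store never applies to OCSP responses.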