SSL_STAPLING when network is unreachable

February 26, 2014 11:39AM
Hello,

I've encountered a problem with nginx 1.5.10.
I'm running nginx on a highly available system (2 cluster nodes).

When node1 fails, node2 is automatically coming into play. A few days ago the internet connection was bad - on both nodes. They could ping the gateway only sporadically.
Node2 became the active one and tried to start nginx. Nginx did not even come up.

I replayed the whole scenario (switchover) with a working internet connection. Everything is running perfect then.
But with a broken internet connection nginx does not start up. It's hanging.

The reason is ssl_stapling I found out. Even when I set resolver_timeout to 5 seconds, nginx won't come up within 5 seconds with an internet connection with high packet loss.

Unfortunately I cannot use "ssl_stapling_file". I tried fetching the OCSP response from globalsign but always get "error querying OCSP response" from globalsign's ocsp server (but with godaddy it worked).
My cmd was: openssl ocsp -host ocsp2.globalsign.com -noverify -no_nonce -issuer issuer.crt -cert domain.crt -url http://ocsp2.globalsign.com/gsalphag2

So...it would be nice if nginx did not block on startup or if there was a setting that told nginx "you must startup within x seconds".

For now I will remove ssl_stapling support altogether.

best regards,
Can Özdemir
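
The post mentions ssl_stapling_file and asks for a bounded startup time. The following is an added example, not part of the original post and not nginx's own code: a refresh job that fetches the OCSP response under a hard time limit and swaps it into the file nginx reads, so the stapling data is taken from disk instead of from the responder. The variable names, the 10-second limit and the /etc/nginx/ocsp path are assumptions; the certificate file names and URL are the ones from the post.

```shell
#!/bin/sh
# Added example (not from the thread): refresh the file nginx reads through
# ssl_stapling_file, with a hard time limit and an atomic swap.
# Assumed names: OCSP_TIMEOUT, ISSUER, CERT, OCSP_URL, the staple path below.

# Default fetcher: write the DER response to $1, succeed only on status "good".
# -noverify/-no_nonce mirror the command in the post; to check the responder's
# signature, drop -noverify and pass -CAfile with the issuer chain.
fetch_ocsp() {
    timeout "${OCSP_TIMEOUT:-10}" openssl ocsp -noverify -no_nonce \
        -issuer "${ISSUER:-issuer.crt}" -cert "${CERT:-domain.crt}" \
        -url "${OCSP_URL:-http://ocsp2.globalsign.com/gsalphag2}" \
        -respout "$1" 2>/dev/null | grep -q ': good'
}

# refresh_staple DEST [FETCHER]
# Fetch into a temp file beside DEST and rename it into place only on success,
# so a slow or unreachable responder leaves the previous response untouched.
refresh_staple() {
    dest=$1
    fetcher=${2:-fetch_ocsp}
    tmp=$(mktemp "${dest}.XXXXXX") || return 2
    if "$fetcher" "$tmp" && [ -s "$tmp" ]; then
        # rename within one directory is atomic
        mv -f "$tmp" "$dest" && return 0
    fi
    rm -f "$tmp"
    return 1
}

# Typical use from cron (paths are placeholders):
#   refresh_staple /etc/nginx/ocsp/domain.der && nginx -s reload
# with, in the server block:
#   ssl_stapling on;
#   ssl_stapling_file /etc/nginx/ocsp/domain.der;
```

Run the job well inside the response's validity window so a few failed refreshes in a row still leave a usable file on disk.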
Subject | Author | Posted

SSL_STAPLING when network is unreachable | mastercan | February 26, 2014 11:39AM
Re: SSL_STAPLING when network is unreachable | Maxim Dounin | February 26, 2014 12:28PM
Re: SSL_STAPLING when network is unreachable | mastercan | February 26, 2014 02:32PM
Re: SSL_STAPLING when network is unreachable | Maxim Dounin | February 27, 2014 06:58AM
Re: SSL_STAPLING when network is unreachable | mastercan | February 27, 2014 07:00AM


