
Re: There is a newer OCSP response but was not provided by the server

September 23, 2015 01:33PM
> Simplest solution would be to switch off OCSP response verification.

I have just tried it. It takes two hits from a client to fill the cache of its worker process.

There are two problems with this:

- the other worker processes are not primed on restart, and therefore clients that require OCSP stapling will print an error instead of rendering the page (my FF does it).

- the stapling is not verified...

> Alternatively, provide appropriate certificates via the
> ssl_trusted_certificate directive, see
> http://nginx.org/r/ssl_stapling_verify for details.

Yes, done that as well. The ssl_trusted_certificate includes the intermediate and the server's own.

However, ...

>> For verification to work, the certificate of the server certificate issuer, the root certificate,
>> and all intermediate certificates should be configured as trusted using the ssl_trusted_certificate directive.

So, nginx wants the root certificate too, which is nonsense. Can't nginx get the root certificate by itself?
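
The two options discussed in this post, side by side in one server block. This is an added example, not part of the original post or of the nginx documentation; the server name, file paths and resolver address are assumptions.

```nginx
# Added example. server_name, all file paths and the resolver address
# are placeholders chosen for illustration.
server {
    listen 443 ssl;
    server_name example.com;

    # Chain sent to clients: server certificate followed by the intermediate(s).
    ssl_certificate     /etc/nginx/tls/fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/privkey.pem;

    ssl_stapling on;

    # Option 1 (first quoted suggestion): staple whatever the responder
    # returns without checking it. No trusted chain is needed, but the
    # stapled response is not verified.
    # ssl_stapling_verify off;

    # Option 2 (second quoted suggestion): verify the OCSP response
    # before stapling it.
    ssl_stapling_verify on;

    # PEM bundle used only for verification and never sent to clients.
    # Per the documentation quoted above it holds the issuer certificate,
    # all intermediate certificates and the root certificate.
    ssl_trusted_certificate /etc/nginx/tls/ocsp-trust-chain.pem;

    # nginx resolves the OCSP responder's hostname itself, so a resolver
    # must be configured.
    resolver 192.0.2.53 valid=300s;
    resolver_timeout 5s;
}
```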

Thread: There is a newer OCSP response but was not provided by the server

Posts in this thread (author, posted):

- 173279834462, September 22, 2015 05:33AM
- Maxim Dounin, September 22, 2015 09:02AM
- 173279834462, September 22, 2015 05:21PM
- Maxim Dounin, September 23, 2015 08:34AM
- 173279834462, September 23, 2015 09:42AM
- itpp2012, September 23, 2015 11:29AM
- Maxim Dounin, September 23, 2015 10:50AM
- 173279834462, September 23, 2015 11:39AM
- Maxim Dounin, September 23, 2015 12:18PM
- 173279834462, September 23, 2015 12:53PM
- Maxim Dounin, September 23, 2015 01:22PM
- 173279834462, September 23, 2015 01:33PM
- 173279834462, September 23, 2015 01:35PM
- 173279834462, September 23, 2015 01:39PM
- 173279834462, September 23, 2015 01:41PM
- 173279834462, September 23, 2015 02:22PM


