Issue with OCSP stapling when server certificate has been revoked by CA

shimi
April 13, 2014 04:30AM
Hi,

I'm contacting the list after doing some Google-foo and not finding
anything - not sure if this is due to my searching skills, or because
nobody ever asked about this... pardon me if it's a known issue, and a link
to a relevant resource would be appreciated in such a case.

I'm using Nginx as a reverse HTTP proxy to Tomcat, primarily for the
purpose of doing OCSP stapling.

When Nginx starts for the first time, and there's no cached OCSP response,
the first client to try an OCSP will fail; I understand that this is by
design, and I've overcome it by simply 'warming' the cache manually by
using OpenSSL's s_client... of course I'll be happy to learn there's a way
to make Nginx block and get an OCSP response if there's a cache miss (I
understand that blocking every time in case of the OCSP server being down won't
help performance much, but I guess the cache can be negative in such a case,
instead of a miss, and maybe this is already the case...)

Anyways, that's not the main issue I have.

The main issue I have is what happens when a revoked certificate is being used by
Nginx, and an OCSP query is being conducted against the server port where this
certificate is served.

Watching the packets arriving from ocsp.digicert.com via Wireshark, I see
the OCSP response saying that the certificate is revoked (so, Nginx seems
to be querying the OCSP server fine?), and I also see this in Nginx's error
log:

2014/04/07 17:44:41 [error] 27005#0: certificate status "revoked" in the OCSP response while requesting certificate status, responder: ocsp.digicert.com

Yet, the OpenSSL s_client, even after multiple attempts (so the cache
should be "warm"), returns that no OCSP response was returned from the
server...

Naturally, I would expect the response to be proxied by Nginx back to the
client.

What am I missing / doing wrong? :)

Thanks a lot!

-- Shimi
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
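The check the post describes (running OpenSSL's s_client against the nginx port and looking for a stapled response), as an added example that is not part of the original post or of nginx itself. It parses `openssl s_client -status` output into one of a few outcomes, including the "no response sent" case shimi saw, so the result can be scripted rather than read by eye. For context: nginx only caches and staples OCSP responses whose certificate status is "good"; the error line quoted in the post is what it logs when the responder returns anything else, and in that case the handshake carries no staple at all, which is exactly what s_client then reports. The sample s_client outputs in the block are constructed; the host and port passed to the live check are the caller's, nothing here is tied to any particular site.

```shell
#!/bin/sh
# Added example, not code from the original post or from nginx: classify what
# "openssl s_client -status" reports about a server's stapled OCSP response.
#
# ocsp_staple_status reads s_client output on stdin and prints exactly one of:
#   none     no stapled response in the handshake (what the post observed)
#   good     a stapled response saying the certificate is good
#   revoked  a stapled response saying the certificate is revoked
#   unknown  a stapled response with cert status "unknown"
#   error    a stapled response whose responder status is not "successful"
ocsp_staple_status() {
    awk '
        /OCSP response: no response sent/        { result = "none";    exit }
        /OCSP Response Status: successful/       { ok = 1 }
        /OCSP Response Status:/ && !/successful/ { result = "error";   exit }
        /Cert Status: good/                      { result = "good";    exit }
        /Cert Status: revoked/                   { result = "revoked"; exit }
        /Cert Status: unknown/                   { result = "unknown"; exit }
        END {
            # A "successful" response with no parseable cert status is still odd.
            if (result == "") result = (ok ? "error" : "none")
            print result
        }
    '
}

# Live check against a real server (needs network). HOST and PORT come from
# the caller. Running this once after nginx starts also serves as the cache
# warm-up the post did by hand, because the status request in the handshake
# makes nginx go and fetch the OCSP response.
ocsp_check_host() {
    host=$1
    port=${2:-443}
    openssl s_client -status -connect "$host:$port" -servername "$host" \
        </dev/null 2>/dev/null | ocsp_staple_status
}

# Constructed sample s_client output, trimmed to the lines that matter.
SAMPLE_NO_STAPLE='CONNECTED(00000003)
OCSP response: no response sent
depth=1 C = US, O = Example CA, CN = Example Intermediate
verify return:1
---'

SAMPLE_GOOD='CONNECTED(00000003)
OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
    Cert Status: good
    This Update: Apr  7 17:00:00 2014 GMT
    Next Update: Apr 14 17:00:00 2014 GMT
======================================
---'

SAMPLE_REVOKED='CONNECTED(00000003)
OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: revoked
    Revocation Time: Apr  7 16:00:00 2014 GMT
    This Update: Apr  7 17:00:00 2014 GMT
======================================
---'

if [ $# -gt 0 ]; then
    # Usage: sh ocsp_status.sh HOST [PORT]   (script name is hypothetical)
    ocsp_check_host "$1" "$2"
else
    for sample in "$SAMPLE_NO_STAPLE" "$SAMPLE_GOOD" "$SAMPLE_REVOKED"; do
        printf '%s\n' "$sample" | ocsp_staple_status
    done
fi
```

With a host argument the script does a live check; without one it classifies the built-in samples. Because nginx never staples a non-"good" response, a server in the state the post describes will always come back as "none" from this check, and the only place the "revoked" verdict shows up is the nginx error log or a direct query to the responder.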
Replies in this thread:

Re: Issue with OCSP stapling when server certificate has been revoked by CA, Maxim Dounin, April 13, 2014 06:40AM
Re: Issue with OCSP stapling when server certificate has been revoked by CA, shimi, April 13, 2014 06:58AM
Re: Issue with OCSP stapling when server certificate has been revoked by CA, Maxim Dounin, April 13, 2014 11:12AM
Re: Issue with OCSP stapling when server certificate has been revoked by CA, shimi, April 13, 2014 12:02PM