Re: Issue with OCSP stapling when server certificate has been revoked by CA

Maxim Dounin
April 13, 2014 06:40AM
Hello!

On Sun, Apr 13, 2014 at 11:27:17AM +0300, shimi wrote:

> Hi,
>
> I'm contacting the list after doing some Google-foo and not finding
> anything - not sure if this is due to my searching skills, or because
> nobody ever asked about this... pardon me if it's a known issue, and a link
> to a relevant resource would be appreciated in such a case.
>
> I'm using Nginx as a reverse HTTP proxy to Tomcat, primarily for the
> purpose of doing OCSP stapling.
>
> When Nginx starts for the first time, and there's no cached OCSP response,
> the first client to try an OCSP will fail; I understand that this is by
> design, and I've overcome it by simply 'warming' the cache manually by
> using OpenSSL's s_client... of course I'll be happy to learn there's a way
> to make Nginx block and get OCSP response if there's a cache miss (I
> understand that blocking every time in case of OCSP server being down won't
> help performance much, but I guess cache can be negative in such a case,
> instead of a miss, and maybe this is already the case...)
>
> Anyways, that's not the main issue I have.
>
> The main issue I have is that when a revoked certificate is being used by
> Nginx, and an OCSP is being conducted against the server port where this
> certificate is served.
>
> Watching the packets arriving from ocsp.digicert.com via Wireshark, I see
> the OCSP response saying that the certificate is revoked (so, Nginx seems
> to be querying the OCSP server fine?), and I also see this in Nginx's error
> log:
>
> 2014/04/07 17:44:41 [error] 27005#0: certificate status "revoked" in the
> OCSP response while requesting certificate status, responder:
> ocsp.digicert.com
>
> Yet, the OpenSSL s_client, even after multiple attempts (so the cache
> should be "warm"), returns that no OCSP response was returned from the
> server...
>
> Naturally, I would expect the response to be proxied by Nginx back to the
> client.
>
> What am I missing / doing wrong? :)

As long as no good OCSP response is received, nginx will not
staple anything as it doesn't make sense (moreover, it may be
harmful, e.g. if the response isn't verified).

--
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
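The check the poster ran with OpenSSL's s_client, as an added example (not code from the thread or from nginx): a POSIX sh helper that classifies the stapling state from `openssl s_client -status` output, plus a warm-up loop that repeats the handshake until a stapled response appears, which is the workaround described above. The hostname argument is a placeholder and the sample outputs are constructed.

```sh
# Added example, not code from the thread or from nginx.
# Classifies what `openssl s_client -status` reports about OCSP stapling.
# Reads s_client output on stdin and prints one of:
#   none                  no stapled response was sent
#   good|revoked|unknown  the Cert Status inside the stapled response
staple_status() {
    out=$(cat)
    case "$out" in
        *"OCSP response: no response sent"*) echo none; return 0 ;;
    esac
    # OCSP_RESPONSE_print emits a line like "    Cert Status: good"
    status=$(printf '%s\n' "$out" |
        sed -n 's/^[[:space:]]*Cert Status: \([a-z]*\).*/\1/p' | head -n 1)
    [ -n "$status" ] && echo "$status" || echo none
}

# Query a live server (hostname is a placeholder) and classify the result.
check_staple() {
    host=$1; port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -status \
        </dev/null 2>/dev/null | staple_status
}

# The poster's workaround: repeat the handshake until nginx has fetched and
# cached a response, since the first client after startup gets nothing.
# Prints the final status; exits 1 if still "none" after $2 attempts.
warm_staple() {
    host=$1; tries=${2:-5}; i=0
    while [ "$i" -lt "$tries" ]; do
        s=$(check_staple "$host")
        [ "$s" != none ] && { echo "$s"; return 0; }
        i=$((i + 1)); sleep 1
    done
    echo none; return 1
}

# Constructed samples mimicking s_client output, for offline use.
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent
depth=0 CN = example.test'
SAMPLE_REVOKED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: revoked
    Revocation Time: Apr  7 14:00:00 2014 GMT
======================================'
printf '%s\n' "$SAMPLE_NONE" | staple_status       # prints: none
printf '%s\n' "$SAMPLE_REVOKED" | staple_status    # prints: revoked
```

Note that nginx only ever staples a response it has verified as good, so against the revoked certificate from the thread `warm_staple` will keep reporting `none` no matter how many times it retries.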