Re: How often ssl_stapling_file picks up an updated file?

B.R.
April 05, 2015 03:18PM
If nginx manages those files like the others (like logs), it (re)opens them
on reload/restart.
You might tweak your updating script to also send a HUP signal to nginx. It
would be recommended to check the error log on reload, as errors (if any)
will appear there.

You might also simply use the ssl_stapling
<http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling>
directive, with which nginx will manage the cache of the received OCSP
answer in memory by itself.
Why aren't you using this method?
---
*B. R.*

On Sun, Apr 5, 2015 at 3:25 PM, nanochelandro <nginx-forum@nginx.us> wrote:

> Hey all.
> Before I file a bug report I'd like to consult with community to make sure
> whether I get the whole thing right.
>
> I use ssl_stapling_file and update that file daily.
> Today I discovered that one of my SSL websites returns outdated OCSP
> response, not the one which is in the OCSP stapling file:
>
> > openssl s_client -connect xxxx:443 -tls1 -tlsextdebug -status
> ...
> Cert Status: good
> This Update: Mar 26 06:05:34 2015 GMT
> Next Update: Mar 28 06:05:34 2015 GMT
>
> Today is April 5. I checked OCSP file, it's fresh (April 4), has correct
> permissions, readable by nginx, etc.
> Then I reloaded nginx (HUP) and boom:
>
> > openssl s_client -connect xxxx:443 -tls1 -tlsextdebug -status
> ...
> Cert Status: good
> This Update: Apr 4 04:19:53 2015 GMT
> Next Update: Apr 6 04:19:53 2015 GMT
>
>
> I run a dozen SSL websites with ssl_stapling_file but never had to HUP
> nginx to pick up an updated file (or at least I never noticed the issue
> (even in Firefox which is very picky regarding OCSP)).
>
> Is that a bug (1.7.11) or did I do it wrong all the time? :)
>
> Thanks.
>
> Posted at Nginx Forum:
> http://forum.nginx.org/read.php?2,257831,257831#msg-257831
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
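A monitoring check for the situation discussed in this thread, as an added example that is not part of either post: it parses `openssl s_client -status` output and reports whether the stapled OCSP response is past its Next Update, which is how a stale `ssl_stapling_file` shows up on the wire. The function names are hypothetical, and the two sample texts are the outputs quoted in the thread.

```python
import re
import subprocess
from datetime import datetime, timezone

# Timestamp layout openssl prints for OCSP fields, e.g. "Mar 28 06:05:34 2015 GMT"
TS_FORMAT = "%b %d %H:%M:%S %Y GMT"
FIELD = re.compile(
    r"^[ \t]*(Cert Status|This Update|Next Update):[ \t]*(.+?)[ \t]*$", re.M)

# Outputs quoted in the thread: before and after nginx was sent HUP.
BEFORE_RELOAD = """Cert Status: good
This Update: Mar 26 06:05:34 2015 GMT
Next Update: Mar 28 06:05:34 2015 GMT
"""
AFTER_RELOAD = """Cert Status: good
This Update: Apr 4 04:19:53 2015 GMT
Next Update: Apr 6 04:19:53 2015 GMT
"""

def _ts(value):
    """Parse an openssl OCSP timestamp as an aware UTC datetime."""
    return datetime.strptime(value, TS_FORMAT).replace(tzinfo=timezone.utc)

def check_staple(text, now):
    """Classify s_client -status output: missing, expired, not-yet-valid, not-good or ok."""
    fields = dict(FIELD.findall(text))
    if "This Update" not in fields or "Next Update" not in fields:
        return "missing"          # no staple, or one without validity fields
    if _ts(fields["Next Update"]) <= now:
        return "expired"          # what the poster saw before the reload
    if _ts(fields["This Update"]) > now:
        return "not-yet-valid"    # clock skew or a bad response file
    if fields.get("Cert Status") != "good":
        return "not-good"
    return "ok"

def fetch_status(host, port=443):
    """Query a live server with openssl s_client and return its text output."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-servername", host, "-status"]
    done = subprocess.run(cmd, input=b"", capture_output=True, timeout=20)
    return done.stdout.decode(errors="replace")

if __name__ == "__main__":
    now = datetime(2015, 4, 5, 12, 0, tzinfo=timezone.utc)  # the day of the thread
    print(check_staple(BEFORE_RELOAD, now))
    print(check_staple(AFTER_RELOAD, now))
```

Run from the same job that updates the stapling file and reloads nginx, `check_staple(fetch_status(host), datetime.now(timezone.utc))` confirms that the reload actually put the new response into service.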