Welcome! Log In Create A New Profile

Advanced

Re: How to enable OCSP stapling when default server is self-signed?

April 07, 2015 12:26AM
Maxim Dounin Wrote:
-------------------------------------------------------
> Hello!
>
> On Sun, Apr 05, 2015 at 11:26:19PM -0400, bughunter wrote:
>
> > My web server is intentionally set up to only support virtual hosts
> and TLS
> > SNI. I know that the latter eliminates some ancient web browsers
> but I
> > don't care about those browsers.
> >
> > I want to enable OCSP stapling and it seems to be configured
> correctly in my
> > test vhost (everything else about SSL already works fine - I get an
> A on the
> > Qualys SSL Labs test) and there are no errors or warnings but
> "openssl
> > s_client" always returns:
> >
> > "OCSP response: no response sent"
> >
> > Yes, I ran the s_client command multiple times to account for the
> nginx
> > responder delay. I was testing OCSP stapling on just one of my
> domains.
> > Then I read that the 'default_server' SSL server also has to have
> OCSP
> > stapling enabled for vhost OCSP stapling to work:
> >
> > https://gist.github.com/konklone/6532544
>
> There is no such a requirement.
>
> > This is a huge problem if I want to enable OCSP for my vhosts
> because my
> > 'default_server' certificate is self-signed (intentional) and
> running
> > 'configtest' with 'ssl_stapling' options on the default server, of
> course,
> > results in a warning:
> >
> > "nginx: [warn] "ssl_stapling" ignored, issuer certificate not found"
> >
> > Which indicates that it isn't enabled on the default server and
> subsequent
> > s_client tests (after reloading the config, which, of course, issued
> the
> > same warning a second time) on the test vhost confirm that there was
> still
> > no OCSP stapling. It was a long-shot in the first place.
>
> This warning indicates that you've tried to enable OCSP Stapling
> for a server with a certificate whose issuer certificate cannot be
> found, therefore the "ssl_stapling" directive was ignored for the
> server. To avoid seeing the warning on each start, consider
> switching off ssl_stapling for the server{} block in question.

As I explained, I enabled it as a long-shot. I was expecting to get a warning and I did. I have, of course, disabled it for the default server section.


> > So how do I enable OCSP stapling for my vhosts when the default
> server cert
> > is self-signed? This seems like a potential bug in the nginx SSL
> module.
>
> Just enable ssl_stapling in appropriate server{} blocks.

As far as I can tell, I'm already doing that:

http://pastebin.com/Ymb5hxDP
Subject Author Posted

How to enable OCSP stapling when default server is self-signed?

bughunter April 05, 2015 11:26PM

Re: How to enable OCSP stapling when default server is self-signed?

Maxim Dounin April 06, 2015 03:22PM

Re: How to enable OCSP stapling when default server is self-signed?

bughunter April 07, 2015 12:26AM

Re: How to enable OCSP stapling when default server is self-signed?

Maxim Dounin April 07, 2015 09:24AM

Re: How to enable OCSP stapling when default server is self-signed?

bughunter April 08, 2015 02:30AM

Re: How to enable OCSP stapling when default server is self-signed?

Maxim Dounin April 08, 2015 11:30AM

Re: How to enable OCSP stapling when default server is self-signed?

bughunter May 01, 2015 11:06PM

Re: How to enable OCSP stapling when default server is self-signed?

173279834462 May 07, 2015 11:54AM

Re: How to enable OCSP stapling when default server is self-signed?

bughunter May 11, 2015 10:31AM

Re: How to enable OCSP stapling when default server is self-signed?

Maxim Dounin May 07, 2015 01:12PM

Re: How to enable OCSP stapling when default server is self-signed?

173279834462 May 07, 2015 02:28PM

Re: How to enable OCSP stapling when default server is self-signed?

Maxim Dounin May 08, 2015 08:48AM

Re: How to enable OCSP stapling when default server is self-signed?

numroo April 12, 2015 12:21PM

Re: How to enable OCSP stapling when default server is self-signed?

Maxim Dounin April 13, 2015 07:58AM

Re: How to enable OCSP stapling when default server is self-signed?

hotwirez September 28, 2016 12:44PM

Re: How to enable OCSP stapling when default server is self-signed?

Maxim Dounin September 28, 2016 05:16PM

Re: How to enable OCSP stapling when default server is self-signed?

hotwirez September 29, 2016 09:17AM

Re: How to enable OCSP stapling when default server is self-signed?

B.R. September 29, 2016 01:02PM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 110
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready