Welcome! Log In Create A New Profile

Advanced

Re: How to enable OCSP stapling when default server is self-signed?

May 07, 2015 02:28PM
> This depends on how your certificate is issued. If your certificate is issued directly by root CA certificate, then you don't need any extra certs here. If there are some intermediate certs, then you'll have to put them also.
> When this directive was introduced, almost all certificates were issued directly by roots. No in most cases intermediate certificates are additionally required. Either way, this doesn't actually change things: think of it as "SSL certificate and certificate chain" if you want some better mnemonic.

The fact remains that "ssl_certificate" is singular, and its description is less than clear.
So, thank you for the explanation, because it completes the original description.

Certificate chains are way longer than 2 (leaf + ca) nowadays. CRL checks can encompass 20+ nodes.
It is for this reason, the lenght of the chain, that I still remain of the opinion that "ssl_certificate" ought to
be limited to the leaf's own public certificate. The intermediates ought to be bundled on a separate file.

Labels...

ssl_certificate_key -----> ssl_private_certificate[...cough...]_key
ssl_certificate 1/2 ------> ssl_public_certificate
ssl_certificate 2/2 -------> ssl_public_intermediate_certificates
ssl_trusted_certificate -> ssl_public_ca_certificate

I hate the first two, and definitely prefer the original.
The third could simply be "ssl_intermediates", and the fourth "ssl_ca".
Whatever, I think they will stay as they are anyway.

> security.OCSP.GET.enabled is set to "false" by default

In my FF it set to "false" too, and flipping it does not make any difference,
so my local problem is neither with GET nor with POST.

It turns out that the problem is "security.ssl.enable_ocsp_stapling", which is
"true" by default. If I disable it, then FF loads the web sites. If I re-enable it,
then FF complains again:

> Secure Connection Failed
> An error occurred during a connection to madreacqua.org.
> Invalid OCSP signing certificate in OCSP response.
> (Error code: sec_error_ocsp_invalid_signing_cert)
>
> The page you are trying to view cannot be shown because the authenticity
> of the received data could not be verified.
> Please contact the website owners to inform them of this problem.

If FF is correct, then nginx is returning a bad certificate, and we are back to square one.

Is it the bundle of certificates? No, because I have verified the chain from nginx,
both by hand and automatically with openssl and libressl.

It is GET instead of POST again? No, it is not, because FF "fails" in both cases.
Subject Author Posted

How to enable OCSP stapling when default server is self-signed?

bughunter April 05, 2015 11:26PM

Re: How to enable OCSP stapling when default server is self-signed?

Maxim Dounin April 06, 2015 03:22PM

Re: How to enable OCSP stapling when default server is self-signed?

bughunter April 07, 2015 12:26AM

Re: How to enable OCSP stapling when default server is self-signed?

Maxim Dounin April 07, 2015 09:24AM

Re: How to enable OCSP stapling when default server is self-signed?

bughunter April 08, 2015 02:30AM

Re: How to enable OCSP stapling when default server is self-signed?

Maxim Dounin April 08, 2015 11:30AM

Re: How to enable OCSP stapling when default server is self-signed?

bughunter May 01, 2015 11:06PM

Re: How to enable OCSP stapling when default server is self-signed?

173279834462 May 07, 2015 11:54AM

Re: How to enable OCSP stapling when default server is self-signed?

bughunter May 11, 2015 10:31AM

Re: How to enable OCSP stapling when default server is self-signed?

Maxim Dounin May 07, 2015 01:12PM

Re: How to enable OCSP stapling when default server is self-signed?

173279834462 May 07, 2015 02:28PM

Re: How to enable OCSP stapling when default server is self-signed?

Maxim Dounin May 08, 2015 08:48AM

Re: How to enable OCSP stapling when default server is self-signed?

numroo April 12, 2015 12:21PM

Re: How to enable OCSP stapling when default server is self-signed?

Maxim Dounin April 13, 2015 07:58AM

Re: How to enable OCSP stapling when default server is self-signed?

hotwirez September 28, 2016 12:44PM

Re: How to enable OCSP stapling when default server is self-signed?

Maxim Dounin September 28, 2016 05:16PM

Re: How to enable OCSP stapling when default server is self-signed?

hotwirez September 29, 2016 09:17AM

Re: How to enable OCSP stapling when default server is self-signed?

B.R. September 29, 2016 01:02PM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 102
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready