Welcome! Log In Create A New Profile

Advanced

Re: How to enable OCSP stapling when default server is self-signed?

May 11, 2015 10:31AM
173279834462 Wrote:
-------------------------------------------------------
> > Note that this isn't really indicate anything: there are two forms
> of OCSP requests, POST and GET. And Firefox uses POST, while nginx
> uses GET. Given the fact that the responder was completely broken just
> a few days ago - it's quite possible that it's still broken for GETs
> in some cases.
>
> To comply with local security policy, we disabled POST globally on all
> public-facing servers.
> This has the advantage of killing web 2.0 and all of its
> vulnerabilities with one simple rule, emphasis on *killing web 2.0*.
> Yes, the sites are read-only, and we just love it that way.
>
> For each vhost,
> "ssl_certificate_key" includes the vhost's private key,
> "ssl_certificate" includes the vhosts's public key (leaf) AND the
> intermediate key of the Issuer,
> "ssl_trusted_certificate" includes the certificate chain in full (leaf
> + intermediate + root CA),
> all in PEM format.
>
> The openssl test works as expected:
>
> vhost="<your-domain-here>"; echo Q | openssl s_client -CAfile
> /path/to/your/local/trust/store/ca-bundle.pem -tls1 -tlsextdebug
> -status -connect $vhost:443 -servername $vhost 2>&1 | less
>
> There are two problems.
>
> problem 1
> -------------
>
> nginx's "ssl_certificate" (note the singular) is truly a bundle of the
> certificate and the intermediate.
> In fact, if we remove the intermediate, we break the chain.
>
> The description for "ssl_certificate" is also misleading.
>
> "Specifies a file with the certificate in the PEM format for the given
> virtual server. If intermediate certificates should be specified in
> addition to a primary certificate, they should be specified in the
> same file in the following order: the primary certificate comes first,
> then the intermediate certificates. A secret key in the PEM format may
> be placed in the same file. "
> http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate
>
>
> Although the above sentence "If intermediate certificates should be
> specified" suggests that one may omit the intermediate certificate, in
> reality you can only do this if you are the CA. I do not wish to sound
> opinionated here, because I am making an effort to stick to the facts:
> if we remove the intermediate, we do break the chain and the openssl
> test complains loudly.
>
> Therefore, if your own facts correspond to the above, then the
> solution is to edit nginx's source to limit "ssl_certificate" to the
> leaf's public key only, and correct the description accordingly. The
> intermediate(s) can be bundled in a separate file.
>
> It would be easier on the eyes to re-write the keywords as well:
>
> ssl_certificate_key -----> private_certificate
> ssl_certificate 1/2 ------> public_certificate
> ssl_certificate 2/2 -------> public_intermediate_certificates
> ssl_trusted_certificate -> public_ca_certificate
>
> In so doing, the configuration would finally be unambiguous.
>
> problem 2
> --------------
>
> If it is true that FF uses POST to *read*, by default, then this
> explains the original problem with OCSP, and the fact that nginx is
> well configured and openssl and other browsers do work as expected.
> Google and other search engines show that Firefox has been affected by
> this OCSP problem for a long time. Perhaps they could start using GET
> like everybody else?


Umm...please don't hijack threads. Your issue(s) are not related to the main thread and are even partially off-topic for nginx. Hijacking threads is distracting for those who run threaded clients.

My issue regarding OCSP stapling still remains unresolved.
Subject Author Posted

How to enable OCSP stapling when default server is self-signed?

bughunter April 05, 2015 11:26PM

Re: How to enable OCSP stapling when default server is self-signed?

Maxim Dounin April 06, 2015 03:22PM

Re: How to enable OCSP stapling when default server is self-signed?

bughunter April 07, 2015 12:26AM

Re: How to enable OCSP stapling when default server is self-signed?

Maxim Dounin April 07, 2015 09:24AM

Re: How to enable OCSP stapling when default server is self-signed?

bughunter April 08, 2015 02:30AM

Re: How to enable OCSP stapling when default server is self-signed?

Maxim Dounin April 08, 2015 11:30AM

Re: How to enable OCSP stapling when default server is self-signed?

bughunter May 01, 2015 11:06PM

Re: How to enable OCSP stapling when default server is self-signed?

173279834462 May 07, 2015 11:54AM

Re: How to enable OCSP stapling when default server is self-signed?

bughunter May 11, 2015 10:31AM

Re: How to enable OCSP stapling when default server is self-signed?

Maxim Dounin May 07, 2015 01:12PM

Re: How to enable OCSP stapling when default server is self-signed?

173279834462 May 07, 2015 02:28PM

Re: How to enable OCSP stapling when default server is self-signed?

Maxim Dounin May 08, 2015 08:48AM

Re: How to enable OCSP stapling when default server is self-signed?

numroo April 12, 2015 12:21PM

Re: How to enable OCSP stapling when default server is self-signed?

Maxim Dounin April 13, 2015 07:58AM

Re: How to enable OCSP stapling when default server is self-signed?

hotwirez September 28, 2016 12:44PM

Re: How to enable OCSP stapling when default server is self-signed?

Maxim Dounin September 28, 2016 05:16PM

Re: How to enable OCSP stapling when default server is self-signed?

hotwirez September 29, 2016 09:17AM

Re: How to enable OCSP stapling when default server is self-signed?

B.R. September 29, 2016 01:02PM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 74
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 254 on July 05, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready