May 11, 2015 10:31AM
173279834462 Wrote:
-------------------------------------------------------
> > Note that this doesn't really indicate anything: there are two forms
> of OCSP requests, POST and GET. And Firefox uses POST, while nginx
> uses GET. Given the fact that the responder was completely broken just
> a few days ago - it's quite possible that it's still broken for GETs
> in some cases.
>
> To comply with local security policy, we disabled POST globally on all
> public-facing servers.
> This has the advantage of killing web 2.0 and all of its
> vulnerabilities with one simple rule, emphasis on *killing web 2.0*.
> Yes, the sites are read-only, and we just love it that way.
>
> For each vhost,
> "ssl_certificate_key" includes the vhost's private key,
> "ssl_certificate" includes the vhost's public key (leaf) AND the
> intermediate key of the Issuer,
> "ssl_trusted_certificate" includes the certificate chain in full (leaf
> + intermediate + root CA),
> all in PEM format.
>
> The openssl test works as expected:
>
> vhost="<your-domain-here>"; echo Q | openssl s_client -CAfile
> /path/to/your/local/trust/store/ca-bundle.pem -tls1 -tlsextdebug
> -status -connect $vhost:443 -servername $vhost 2>&1 | less
>
> There are two problems.
>
> problem 1
> -------------
>
> nginx's "ssl_certificate" (note the singular) is truly a bundle of the
> certificate and the intermediate.
> In fact, if we remove the intermediate, we break the chain.
>
> The description for "ssl_certificate" is also misleading.
>
> "Specifies a file with the certificate in the PEM format for the given
> virtual server. If intermediate certificates should be specified in
> addition to a primary certificate, they should be specified in the
> same file in the following order: the primary certificate comes first,
> then the intermediate certificates. A secret key in the PEM format may
> be placed in the same file. "
> http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate
>
>
> Although the above sentence "If intermediate certificates should be
> specified" suggests that one may omit the intermediate certificate, in
> reality you can only do this if you are the CA. I do not wish to sound
> opinionated here, because I am making an effort to stick to the facts:
> if we remove the intermediate, we do break the chain and the openssl
> test complains loudly.
>
> Therefore, if your own facts correspond to the above, then the
> solution is to edit nginx's source to limit "ssl_certificate" to the
> leaf's public key only, and correct the description accordingly. The
> intermediate(s) can be bundled in a separate file.
>
> It would be easier on the eyes to re-write the keywords as well:
>
> ssl_certificate_key -----> private_certificate
> ssl_certificate 1/2 ------> public_certificate
> ssl_certificate 2/2 -------> public_intermediate_certificates
> ssl_trusted_certificate -> public_ca_certificate
>
> In so doing, the configuration would finally be unambiguous.
>
> problem 2
> --------------
>
> If it is true that FF uses POST to *read*, by default, then this
> explains the original problem with OCSP, and the fact that nginx is
> well configured and openssl and other browsers do work as expected.
> Google and other search engines show that Firefox has been affected by
> this OCSP problem for a long time. Perhaps they could start using GET
> like everybody else?


Umm...please don't hijack threads. Your issue(s) are not related to the main thread and are even partially off-topic for nginx. Hijacking threads is distracting for those who run threaded clients.

My issue regarding OCSP stapling still remains unresolved.
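The chain point made in the quoted "problem 1", as an added example that is not part of the thread or of nginx: a sh script that builds a throwaway root/intermediate/leaf chain and verifies the leaf with and without its intermediate, which is the check a client performs when the server sends only the leaf. It assumes just the openssl CLI; every name, CN and path in it is constructed for the demo.

```shell
#!/bin/sh
# Build a throwaway root -> intermediate -> leaf chain and show that the leaf
# verifies against the root only when the intermediate is supplied with it,
# which is why "ssl_certificate" must bundle leaf + intermediate.
# Needs the openssl CLI; every name, CN and path here is constructed.

# Create the chain in a fresh temp dir; prints the dir path on success.
make_chain() {
  d=$(mktemp -d) || return 1
  # Minimal config so the CA certs carry CA:TRUE regardless of the system
  # openssl.cnf (req insists on a distinguished_name section).
  printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' \
    'x509_extensions = ca' '[dn]' 'CN = unused' '[ca]' \
    'basicConstraints = critical, CA:TRUE' \
    'keyUsage = critical, keyCertSign, cRLSign' > "$d/ca.cnf"
  k="-nodes -newkey rsa:2048"
  # Self-signed root CA: the part that belongs in the trust store.
  openssl req -config "$d/ca.cnf" -x509 $k -subj '/CN=Demo Root CA' -days 2 \
    -keyout "$d/root.key" -out "$d/root.pem" >/dev/null 2>&1 || return 1
  # Intermediate CA, signed by the root.
  openssl req -config "$d/ca.cnf" $k -subj '/CN=Demo Intermediate CA' \
    -keyout "$d/int.key" -out "$d/int.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.cnf" -extensions ca -days 2 \
    -out "$d/int.pem" >/dev/null 2>&1 || return 1
  # Leaf (the vhost certificate), signed by the intermediate.
  openssl req -config "$d/ca.cnf" $k -subj '/CN=www.example.test' \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" >/dev/null 2>&1 || return 1
  echo "$d"
}

# Verify the leaf against the root CA. $2 = "bundled" also passes the
# intermediate, as a leaf+intermediate ssl_certificate file would; any other
# value sends the leaf alone. Exit status 0 = chain OK, non-zero = broken.
verify_leaf() {
  if [ "$2" = bundled ]; then
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/leaf.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
  fi
}

# Stand-alone run: print both outcomes.
demo=$(make_chain) && {
  verify_leaf "$demo" bundled && echo "leaf + intermediate: chain verifies"
  verify_leaf "$demo" alone || echo "leaf alone: chain broken"
}
```

The second outcome is the "openssl test complains loudly" case from the quoted post: dropping the intermediate from the served bundle leaves the client unable to reach the root.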
Re: How to enable OCSP stapling when default server is self-signed? (bughunter, May 11, 2015 10:31AM)