Welcome! Log In Create A New Profile

Advanced

Re: How to enable OCSP stapling when default server is self-signed?

September 29, 2016 09:17AM
Maxim Dounin Wrote:
-------------------------------------------------------
> Hello!
>
> On Wed, Sep 28, 2016 at 12:44:45PM -0400, hotwirez wrote:
>
> [...]
>
> > I wanted to mention that I've run into this issue as well when
> trying to
> > enable OCSP stapling, where I have a default_deny SSL server that
> has a
> > self-signed certificate where I don't want to use OCSP stapling, and
> other
> > actual server entries for actual sites where I want OCSP stapling
> enabled.
> > If I enable stapling for only the real sites, it appears to be
> silently
> > disabled. If I enable it for all server instances, it notices that
> the
> > default server uses a self-signed certificate and disables stapling.
> If I
> > remove the default server, OCSP stapling works for the remaining
> sites, but
> > then accessing the site using a means other than the correct server
> name
> > provides the SSL certificate for one of the servers.
>
> Problems with OCSP stapling if it is disabled in the default
> server{} block were traced to be an OpenSSL bug, silently fixed in
> 1.0.0m/1.0.1g/1.0.2. See here for details:
>
> https://trac.nginx.org/nginx/ticket/810
>
> If you see the problem it means you have to update the OpenSSL
> library you are using.
>
Thank you; it's great you tracked that down! I am on OpenSSL 1.0.1f and Nginx 1.4.6; (Ubuntu 14.04 via apt), so that makes sense. I'll upgrade.

Thanks again!
Subject Author Posted

How to enable OCSP stapling when default server is self-signed?

bughunter April 05, 2015 11:26PM

Re: How to enable OCSP stapling when default server is self-signed?

Maxim Dounin April 06, 2015 03:22PM

Re: How to enable OCSP stapling when default server is self-signed?

bughunter April 07, 2015 12:26AM

Re: How to enable OCSP stapling when default server is self-signed?

Maxim Dounin April 07, 2015 09:24AM

Re: How to enable OCSP stapling when default server is self-signed?

bughunter April 08, 2015 02:30AM

Re: How to enable OCSP stapling when default server is self-signed?

Maxim Dounin April 08, 2015 11:30AM

Re: How to enable OCSP stapling when default server is self-signed?

bughunter May 01, 2015 11:06PM

Re: How to enable OCSP stapling when default server is self-signed?

173279834462 May 07, 2015 11:54AM

Re: How to enable OCSP stapling when default server is self-signed?

bughunter May 11, 2015 10:31AM

Re: How to enable OCSP stapling when default server is self-signed?

Maxim Dounin May 07, 2015 01:12PM

Re: How to enable OCSP stapling when default server is self-signed?

173279834462 May 07, 2015 02:28PM

Re: How to enable OCSP stapling when default server is self-signed?

Maxim Dounin May 08, 2015 08:48AM

Re: How to enable OCSP stapling when default server is self-signed?

numroo April 12, 2015 12:21PM

Re: How to enable OCSP stapling when default server is self-signed?

Maxim Dounin April 13, 2015 07:58AM

Re: How to enable OCSP stapling when default server is self-signed?

hotwirez September 28, 2016 12:44PM

Re: How to enable OCSP stapling when default server is self-signed?

Maxim Dounin September 28, 2016 05:16PM

Re: How to enable OCSP stapling when default server is self-signed?

hotwirez September 29, 2016 09:17AM

Re: How to enable OCSP stapling when default server is self-signed?

B.R. September 29, 2016 01:02PM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 67
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready