Re: How to enable OCSP stapling when default server is self-signed?

B.R.
September 29, 2016 01:02PM
Considering your rather old version of nginx coming from Ubuntu packages, I
suggest you use the latest stable, officially available on nginx.org
<https://nginx.org/en/linux_packages.html#stable>.

Not related to your issue, but should not hurt (except with regressions ofc
;) ).
---
*B. R.*

On Thu, Sep 29, 2016 at 3:17 PM, hotwirez <nginx-forum@forum.nginx.org>
wrote:

> Maxim Dounin Wrote:
> -------------------------------------------------------
> > Hello!
> >
> > On Wed, Sep 28, 2016 at 12:44:45PM -0400, hotwirez wrote:
> >
> > [...]
> >
> > > I wanted to mention that I've run into this issue as well when trying to
> > > enable OCSP stapling, where I have a default_deny SSL server that has a
> > > self-signed certificate where I don't want to use OCSP stapling, and other
> > > actual server entries for actual sites where I want OCSP stapling enabled.
> > > If I enable stapling for only the real sites, it appears to be silently
> > > disabled. If I enable it for all server instances, it notices that the
> > > default server uses a self-signed certificate and disables stapling. If I
> > > remove the default server, OCSP stapling works for the remaining sites, but
> > > then accessing the site using a means other than the correct server name
> > > provides the SSL certificate for one of the servers.
> >
> > Problems with OCSP stapling if it is disabled in the default
> > server{} block were traced to be an OpenSSL bug, silently fixed in
> > 1.0.0m/1.0.1g/1.0.2. See here for details:
> >
> > https://trac.nginx.org/nginx/ticket/810
> >
> > If you see the problem it means you have to update the OpenSSL
> > library you are using.
> >
> Thank you; it's great you tracked that down! I am on OpenSSL 1.0.1f and
> Nginx 1.4.6; (Ubuntu 14.04 via apt), so that makes sense. I'll upgrade.
>
> Thanks again!
>
> Posted at Nginx Forum: https://forum.nginx.org/read.php?2,257833,269955#msg-269955
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
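A version check for the OpenSSL fix mentioned in the quoted reply, as an added example that is not part of the thread: it classifies a version string against the fixed releases named there (1.0.0m, 1.0.1g, 1.0.2). The function names `stapling_fix_status` and `banner_version` are hypothetical, and the banner line is a constructed sample.

```shell
#!/bin/sh
# Added example, not code from the thread or from nginx/OpenSSL.
# Classifies an OpenSSL version string against the fixed releases quoted in
# the thread: 1.0.0m, 1.0.1g, 1.0.2. Prints "fixed", "affected" or "unknown".
# Assumption: the version letter is accurate; distribution packages may
# backport fixes without changing it.

# Extract the version field from an `openssl version` banner line.
banner_version() {
    printf '%s\n' "$1" | awk '{print $2}'
}

stapling_fix_status() {
    # Split "1.0.1f" (or "1.0.2k-fips") into: major minor patch letter
    parsed=$(printf '%s\n' "$1" | sed -n \
        's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\)\([a-z]*\).*$/\1 \2 \3 \4/p')
    [ -n "$parsed" ] || { echo unknown; return 0; }
    set -- $parsed
    major=$1 minor=$2 patch=$3 letter=${4:-}

    # The thread names no fixed release for the 0.9.x branches.
    if [ "$major" -eq 0 ]; then echo unknown; return 0; fi

    # 1.0.2 and every later branch contain the fix.
    if [ "$major" -gt 1 ] || [ "$minor" -gt 0 ] || [ "$patch" -ge 2 ]; then
        echo fixed; return 0
    fi

    # Remaining cases are 1.0.0x and 1.0.1x: compare the letter suffix.
    case "$patch$letter" in
        0[m-z]*|1[g-z]*) echo fixed ;;
        *)               echo affected ;;
    esac
}

# Constructed sample banner using the version reported in the thread.
sample='OpenSSL 1.0.1f 6 Jan 2014'
echo "$(banner_version "$sample"): $(stapling_fix_status "$(banner_version "$sample")")"
```

nginx uses whichever libssl it is linked against, which can differ from the `openssl` command on the same host, so feed the function the version of the library nginx actually loads.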