Re: There is a newer OCSP response but was not provided by the server

Maxim Dounin
September 23, 2015 08:34AM
Hello!

On Tue, Sep 22, 2015 at 05:21:27PM -0400, 173279834462 wrote:

> The purpose of the ssl_stapling_file was to prime the cache. Without that
> file, openssl says "OCSP response: no response sent". For nginx to load the
> cache by itself, clients have to hit the same worker process a few times. I
> currently have 8 worker processes, which means that the server needs at
> least 8 simultaneous clients who are knowledgeable and patient enough to hit
> the server a few times, purging the cache of their browser each time. This
> does not seem to work all the time, however. I have a www to non-www
> redirection with stapling enabled on both. Hitting www does not fill the
> cache, and I keep seeing "OCSP response: no response sent". Am I missing
> something?

Yes. Two basic points:

- The ssl_stapling_file directive completely replaces nginx OCSP
stapling logic, and it can't be used to only provide some
"initial" OCSP response; it is to be used when you want to
implement your own OCSP distribution logic (e.g., on a server
without direct access to OCSP responder), and/or for debugging.

- OCSP responses are loaded once nginx sees connections with the
Certificate Status Request TLS extension, i.e., a client asks
nginx to provide a stapled OCSP response (and this happens
per-worker). Though not providing an OCSP response isn't a
problem at all, as OCSP stapling is just an optimization, and
there is no need to care about pre-caching things. As long as there
are clients who ask your server for an OCSP response, nginx
will load it and will provide it to clients as needed.

--
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
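Since the response is fetched per worker only after a client sends the status_request extension, a single `openssl s_client -status` run is not a reliable check. The script below is an added example (not code from the thread or from nginx): it classifies s_client transcripts and, given a hostname (assumed reachable on port 443), repeats the handshake several times to see whether stapling settles in.

```shell
#!/bin/sh
# Added example, not from the thread: classify `openssl s_client -status`
# transcripts and probe a host several times, since nginx fetches the OCSP
# response per worker the first time a client sends status_request, so early
# handshakes may legitimately show "no response sent".

# Classify one s_client transcript read from stdin: stapled | none | unknown
classify_stapling() {
    out=$(cat)
    case "$out" in
        *"OCSP Response Status: successful"*) echo stapled ;;
        *"OCSP response: no response sent"*)  echo none ;;
        *)                                    echo unknown ;;
    esac
}

# Handshake with HOST (assumed reachable on 443) ATTEMPTS times and report
# how many handshakes carried a stapled response. Returns 0 if at least one did.
probe_stapling() {
    host=$1; attempts=${2:-8}; stapled=0; i=1
    while [ "$i" -le "$attempts" ]; do
        result=$(openssl s_client -connect "$host:443" -servername "$host" \
                    -status </dev/null 2>/dev/null | classify_stapling)
        printf 'attempt %d: %s\n' "$i" "$result"
        if [ "$result" = stapled ]; then stapled=$((stapled + 1)); fi
        i=$((i + 1))
    done
    printf '%d/%d handshakes carried a stapled OCSP response\n' "$stapled" "$attempts"
    [ "$stapled" -gt 0 ]
}

# Constructed transcripts (abbreviated s_client output) for an offline run.
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent
---'
SAMPLE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good'

printf '%s\n' "$SAMPLE_NONE"    | classify_stapling   # none
printf '%s\n' "$SAMPLE_STAPLED" | classify_stapling   # stapled

# Pass a hostname to probe a live server: sh probe.sh example.com [attempts]
if [ "$#" -gt 0 ]; then probe_stapling "$@"; fi
```

A run where only the later attempts report `stapled` is the per-worker loading the reply describes, not a misconfiguration; a run with no `stapled` at all after many attempts is worth investigating.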