Hello!

On Tue, Sep 22, 2015 at 05:21:27PM -0400, 173279834462 wrote:

> The purpose of the ssl_stapling_file was to prime the cache. Without that
> file, openssl says "OCSP response: no response sent". For nginx to load the
> cache by itself, clients have to hit the same worker process a few times. I
> currently have 8 worker processes, which means that the server needs at
> least 8 simultaneous client who are knowledgeable and patient enough to hit
> the server a few times, purging the cache of their browser each time. This
> does not work seem to work all the times, however. I have a www to non-www
> redirection with stapling enabled on both. Hitting www does not fill the
> cache, and I keep seeing "OCSP response: no response sent". Am I missing
> something?

Yes. Two basic points:

- The ssl_stapling_file directive completely replaces nginx OCSP
stapling logic, and it can't be used to only provide some
"initial" OCSP response; it is to be used when you want to
implement your own OCSP distribution logic (e.g., on a server
without direct access to OCSP responder), and/or for debugging.

- OCSP responses are loaded once nginx sees connections with
Certificate Status Request TLS extension, i.e., a client asks
nginx to provide stapled OCSP response (and this happens
per-worker). Though not providing an OCSP response isn't a
problem at all as OCSP stapling is just an optimization, and
there is no need to care about pre-caching things. As long as there
are clients who ask your server about an OCSP response - nginx
will load it and will provide it to clients as needed.

--
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx