OCSP malformedrequest with 1.9.7 and openssl 1.0.2e

December 04, 2015 05:40PM
Hello,

OCSP is not working on my raspberrypi2 with nginx 1.9.7 and OpenSSL 1.0.2e. I have compiled both together.

tail /var/log/nginx/error.log

2015/12/04 22:28:21 [error] 14841#0: OCSP response not successful (1: malformedrequest) while requesting certificate status, responder: ocsp.startssl.com
2015/12/04 22:28:29 [error] 14841#0: OCSP response not successful (1: malformedrequest) while requesting certificate status, responder: ocsp.startssl.com
2015/12/04 22:28:30 [error] 14842#0: OCSP response not successful (1: malformedrequest) while requesting certificate status, responder: ocsp.startssl.com

Got the ca-bundle.pem from https://www.startssl.com/certs/?C=S;O=D

/etc/nginx/sites-enabled $ cat default
....
# OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/my_ssl_certs/ca-bundle.pem;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
.....

OCSP is not working according to checks with ssllabs and openssl, e.g.

echo QUIT | openssl s_client -connect www.mydomain.com:443 -status 2> /dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'


According to https://www.ietf.org/rfc/rfc2560.txt the error says:
....
OCSPResponseStatus ::= ENUMERATED {
malformedRequest (1), --Illegal confirmation request
....

My StartSSL certificates are SHA2 (https://www.startssl.com/certs/class1/sha2/pem/)


In /etc/nginx/sites-enabled/ I have more than one config / domain configured. But it does not matter whether I only configure OCSP in every single file or just in default.

I only found a bug report here: "OpenSSL OCSP Bad Request" (http://jfcarter.net/~jimc/documents/bugfix/21-openssl-ocsp.html), saying you have to add: -header "HOST" "ocsp.startssl.com"


My options for compiling openssl & nginx were:

./config --prefix=$STATICLIBSSL no-ssl2 no-ssl3 no-shared \
&& make depend \
&& make \
&& make install_sw


./configure --with-cc-opt="-I $STATICLIBSSL/include -I/usr/include" \
--with-ld-opt="-L $STATICLIBSSL/lib -Wl,-rpath -lssl -lcrypto -ldl -lz" \
--sbin-path=/usr/sbin/nginx \
--conf-path=/etc/nginx/nginx.conf \
--pid-path=/var/run/nginx.pid \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--with-pcre=$BPATH/$VERSION_PCRE \
--with-http_ssl_module \
--with-http_v2_module \
--with-file-aio \
--with-ipv6 \
--with-http_gzip_static_module \
--with-http_stub_status_module \
--without-mail_pop3_module \
--without-mail_smtp_module \
--without-mail_imap_module \
&& make && make install


Any ideas?

Thanks in advance,
Alexander
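The two checks the post runs by hand (the s_client -status probe and a direct query of the responder with the Host header from the linked bug report) in a repeatable form. This is an added example, not code from the post; it assumes a POSIX sh with awk, sed and the OpenSSL 1.0.x command-line tool, whose -header option takes name and value as two separate arguments as shown in the post.

```shell
#!/bin/sh
# Added example: triage nginx OCSP stapling outside of nginx.
# ocsp_status_from_sclient reads `openssl s_client -status` output on stdin and
# prints one of: none | successful | <OCSP failure reason, e.g. malformedrequest>
ocsp_status_from_sclient() {
    awk '
        /^OCSP response: no response sent/ { print "none"; found = 1; exit }
        /OCSP Response Status:/ {
            # line looks like: "    OCSP Response Status: successful (0x0)"
            sub(/.*OCSP Response Status: */, "")
            sub(/ *\(.*/, "")
            print; found = 1; exit
        }
        END { if (!found) print "none" }
    '
}

# Fetches the status nginx actually stapled on a live listener (needs network).
# usage: stapled_status www.example.com [443]
stapled_status() {
    echo QUIT | openssl s_client -connect "$1:${2:-443}" -servername "$1" -status 2>/dev/null \
        | ocsp_status_from_sclient
}

# Asks the CA's responder directly for one leaf certificate, bypassing nginx,
# so a "malformedrequest" can be reproduced or ruled out on its own. Sends the
# Host header that the bug report in the post says the responder expects.
# usage: query_responder leaf.pem issuer.pem http://ocsp.example.test/
query_responder() {
    _host=$(printf '%s' "$3" | sed -e 's|^[a-z]*://||' -e 's|[/:].*||')
    openssl ocsp -issuer "$2" -cert "$1" -url "$3" -header "HOST" "$_host" \
        -CAfile "$2" -resp_text
}
```

Run stapled_status against the vhost and compare with query_responder: a successful direct answer but "none" from the listener points at the nginx side (resolver, ssl_trusted_certificate chain), while malformedrequest from both points at the request the responder receives.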
Subject | Author | Posted
OCSP malformedrequest with 1.9.7 and openssl 1.0.2e | agruener | December 04, 2015 05:40PM
Re: OCSP malformedrequest with 1.9.7 and openssl 1.0.2e | Maxim Dounin | December 04, 2015 10:34PM
Re: OCSP malformedrequest with 1.9.7 and openssl 1.0.2e | agruener | December 05, 2015 04:20AM
Re: OCSP malformedrequest with 1.9.7 and openssl 1.0.2e | Maxim Dounin | December 06, 2015 09:00PM