Welcome! Log In Create A New Profile

Advanced

Re: OCSP malformedrequest with 1.9.7 and openssl 1.0.2e

Maxim Dounin
December 06, 2015 09:00PM
Hello!

On Sat, Dec 05, 2015 at 04:20:32AM -0500, agruener wrote:

> Dear Maxim,
>
> thanks for your ideas.
>
> I think I have not fully understand this matter, yet ;-)
>
> - check if OCSP requests from other clients (e.g., browsers) work;
> note that openssl's OCSP client will likely fail out of the box;
>
> ---> it does not work with openssl on Ubuntu 14.04 LTS (OpenSSL 1.0.1f 6 Jan
> 2014), openssl on raspberrypi2 (OpenSSL 1.0.2e) and Qualsys ssllabs
> (https://www.ssllabs.com/ssltest/). I do not get any errors on the other
> hand in Firefox or Chrome on Windows / Ubuntu / Android browsing to my
> websites. But I do not know how to do the same OCSP tests with my browsers.

It looks like you've mistaken OCSP requests and OCSP stapling.
You have to test OCSP requests from other clients, not if OCSP
stapling is provided by your server.

Note well that Browsers are not expected to show any errors if
OCSP requests fail, and not all browsers will use OCSP by default
or at all. You have to dump traffic between the browser and the
OCSP responder to see what happens.

[...]

> - try tcpdump'ing traffic between nginx and the OCSP responder to see what
> happens on the wire.
>
> --> I have done it. It is showing some communication when I do the test with
> openssl, e.g.
>
> echo QUIT | openssl s_client -connect www.mydomain.com:443 -status 2>
> /dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'
>
>
> Pcap extraction show communication:
> ....
> .
> StartCom Ltd.1+0)..U..."Secure Digital Certificate
> Signing1806..U.../StartCom Class 1 Primary Intermediate Server CA0..
> 151011024455Z....

This seems to be traffic between openssl and nginx. You have to
dump traffic between nginx and the OCSP responder
(ocsp.startssl.com) to see OCSP requests from nginx and responses
with errors.

--
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Subject Author Posted

OCSP malformedrequest with 1.9.7 and openssl 1.0.2e

agruener December 04, 2015 05:40PM

Re: OCSP malformedrequest with 1.9.7 and openssl 1.0.2e

Maxim Dounin December 04, 2015 10:34PM

Re: OCSP malformedrequest with 1.9.7 and openssl 1.0.2e

agruener December 05, 2015 04:20AM

Re: OCSP malformedrequest with 1.9.7 and openssl 1.0.2e

Maxim Dounin December 06, 2015 09:00PM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 356
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 500 on July 15, 2024
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready