Re: Multi Certificate Support with OCSP not working right

Maxim Dounin
September 08, 2016 05:12PM
Hello!

On Sat, Sep 03, 2016 at 09:09:19AM -0400, mastercan wrote:

> When using 2 certificates, 1 RSA (using AlphaSSL) and 1 ECDSA (using Let's
> Encrypt), and I try to connect via RSA SSL connection, nginx throws this
> error:
>
> "OCSP response not successful (6: unauthorized) while requesting certificate
> status, responder: ocsp.int-x3.letsencrypt.org"
>
> So it is using the wrong responder.
>
> Following build (custom compiled):
> Nginx 1.11.3
> OpenSSL 1.1.0
>
> AFAIK OpenSSL 1.1.0 should support multiple certificate chains. I don't
> quite understand why OCSP then is not working right?

It looks like there is a bug which prevents nginx from using
different OCSP responders when using OCSP stapling with multiple
certificates. It uses the responder from the last certificate in
the server{} block for all OCSP requests.

Please try the following patch:

# HG changeset patch
# User Maxim Dounin <mdounin@mdounin.ru>
# Date 1473367064 -10800
# Thu Sep 08 23:37:44 2016 +0300
# Node ID 2037cc64cdceb5b8cb36103cdd9d00e05b8e7ec3
# Parent 4a16fceea03bde6653e05d337e87907f085535b3
OCSP stapling: fixed using wrong responder with multiple certs.

diff --git a/src/event/ngx_event_openssl_stapling.c
b/src/event/ngx_event_openssl_stapling.c
--- a/src/event/ngx_event_openssl_stapling.c
+++ b/src/event/ngx_event_openssl_stapling.c
@@ -376,6 +376,7 @@ ngx_ssl_stapling_responder(ngx_conf_t *c
{
ngx_url_t u;
char *s;
+ ngx_str_t rsp;
STACK_OF(OPENSSL_STRING) *aia;

if (responder->len == 0) {
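Review bot: `rsp` is declared uninitialized at the top of ngx_ssl_stapling_responder() and only becomes the target of `responder` later, after the `responder->len == 0` branch has been entered and the AIA lookup has succeeded, so there is no read-before-write today; an `ngx_str_null(&rsp)` right after the declarations would make that invariant explicit and keep a future early exit that inspects `responder` from seeing stack garbage. The name `rsp` also reads as "response" in a file full of OCSP responses; something like `url` or `aia_responder` would say what it holds.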
@@ -403,6 +404,8 @@ ngx_ssl_stapling_responder(ngx_conf_t *c
return NGX_DECLINED;
}

+ responder = &rsp;
+
responder->len = ngx_strlen(s);
responder->data = ngx_palloc(cf->pool, responder->len);
if (responder->data == NULL) {
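Review bot: `responder = &rsp;` silently changes what the function parameter means for the rest of the body, and nothing in the hunk says why. The reason is the bug described in the reply: the caller's ngx_str_t is the one string consulted for every certificate, and writing the AIA URL into it is what made later certificates skip the `responder->len == 0` branch and inherit another certificate's responder. A one-line comment above the redirect, e.g. `/* do not modify the caller's string, it is shared by all certificates */`, would stop the next reader from "simplifying" it away. Placing the redirect after the `return NGX_DECLINED;` paths is right, since a certificate without an AIA URL then leaves the caller's string untouched. Note that `rsp` itself is a stack object whose `data` is allocated from cf->pool; `responder` must therefore not be stored anywhere that outlives this call, and whatever is derived from it should be copied into `staple` before returning.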

--
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
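A way to confirm the symptom described in this thread from the client side, and to verify the fix after applying the patch, is to force one handshake per certificate type and look at what the server staples. The script below is an added example written for this page; it is not code from the thread or from nginx. Restricting a TLS 1.2 handshake to an ECDHE-RSA cipher makes the server choose the RSA certificate, and an ECDHE-ECDSA cipher makes it choose the ECDSA one, so each probe reports the stapling result for exactly one certificate. The sample transcripts embedded in it are constructed, not captured from any real server, and exist only so the parser can be exercised offline; the host, port and probe function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread or from nginx): probe a server once per
# certificate type and report what, if anything, it stapled. Host and port are
# arguments; with no arguments the script only runs the parser on constructed
# sample transcripts.
set -e

# Reduce an `openssl s_client -status` transcript (on stdin) to one summary
# line: whether a response was stapled, its OCSP response status, the
# certificate status it carries and the Responder Id that produced it.
ocsp_summary() {
    awk '
        /^OCSP response: no response sent/ { stapled = "no" }
        /OCSP Response Status:/ {
            stapled = "yes"
            sub(/.*OCSP Response Status: */, "")
            rstatus = $0
        }
        /Responder Id:/ { sub(/.*Responder Id: */, ""); rid = $0 }
        /Cert Status:/  { sub(/.*Cert Status: */, "");   cstatus = $0 }
        END {
            if (stapled == "") stapled = "no"
            if (rstatus == "") rstatus = "none"
            if (cstatus == "") cstatus = "none"
            if (rid == "")     rid = "none"
            printf "stapled=%s; response=%s; cert=%s; responder=%s\n", stapled, rstatus, cstatus, rid
        }'
}

# probe HOST PORT CIPHER: one TLS 1.2 handshake restricted to CIPHER, asking
# for a stapled response (-status), summarised by ocsp_summary.
probe() {
    openssl s_client -connect "$1:$2" -servername "$1" -status -tls1_2 \
        -cipher "$3" </dev/null 2>/dev/null | ocsp_summary
}

# Constructed sample transcripts (not captured from any real server), trimmed
# to the lines ocsp_summary looks at, so the parser can be exercised offline.
SAMPLE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Responder Id: C = US, O = Example CA, CN = Example OCSP Responder
    Responses:
    Cert Status: good
======================================
---'
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent
---'

if [ "$#" -ge 1 ]; then
    host=$1
    port=${2:-443}
    # nginx fetches an OCSP response in the background after the first
    # handshake that asks for it, so probe each certificate twice and
    # report the second result.
    for cipher in ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-GCM-SHA256; do
        probe "$host" "$port" "$cipher" >/dev/null
        sleep 2
        printf '%s: %s\n' "$cipher" "$(probe "$host" "$port" "$cipher")"
    done
else
    printf 'constructed sample (stapled): %s\n' "$(printf '%s\n' "$SAMPLE_STAPLED" | ocsp_summary)"
    printf 'constructed sample (none):    %s\n' "$(printf '%s\n' "$SAMPLE_NONE" | ocsp_summary)"
fi
```

Run it with the server name as the first argument (and an optional port) from a machine that can reach the server. With the bug from this thread, the certificate whose responder nginx never queried shows `stapled=no` while the nginx error log carries the "OCSP response not successful" line quoted above; after the patch both probes should show `stapled=yes`, `cert=good`, and a Responder Id belonging to each certificate's own CA. The `-tls1_2` restriction matters: under TLS 1.3 the cipher suite no longer selects the certificate type, so the two probes would not be guaranteed to hit different certificates.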
Thread:
Multi Certificate Support with OCSP not working right - mastercan, September 03, 2016 09:09AM
Re: Multi Certificate Support with OCSP not working right - Maxim Dounin, September 08, 2016 05:12PM
Re: Multi Certificate Support with OCSP not working right - mastercan, September 08, 2016 06:26PM
