About nginx and OCSP Must-Staple

wordlesswind via nginx
February 24, 2022 01:10PM
Hello guys,


I enabled OCSP Must-Staple, then I found that after restarting nginx, I
always get "MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING" error when
visiting my website for the first time.

I think this error means that the server is not caching OCSP information.

My nginx.conf is as follows:

    server {
        listen   443 ssl http2 reuseport;
        listen   [::]:443 ssl http2;
        server_name  example.org;

        ssl_certificate      /path/to/ecc/fullchain.cer;
        ssl_certificate_key  /path/to/ecc/example.org.key;

        ssl_certificate      /path/to/rsa/fullchain.cer;
        ssl_certificate_key  /path/to/rsa/example.org.key;

        ssl_stapling         on;
        resolver             <internal dns1> <internal dns2> valid=300s;
        ssl_stapling_verify  on;

        ssl_session_cache    shared:SSL:10m;
        ssl_session_timeout  1d;

        ssl_protocols        TLSv1.2 TLSv1.3;
        ssl_ciphers          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256;
        ssl_ecdh_curve       secp384r1;

        ssl_early_data       on;

        …

    }


Since I have ECC and RSA dual certificates configured and they are
intact, I did not configure "ssl_trusted_certificate".

Do I need to configure other parameters like "ssl_ocsp" to solve the
problem I'm having now?


Also, I found a small issue: I noticed that the latest version of Google
Chrome/Microsoft Edge will choose to get the RSA certificate instead of the
ECC certificate.

  RSA 4096 R3

  ECC 384 E1

  Issuer Let's Encrypt

I wonder why Chromium made this choice. Thank you!


Best Regards,

wordlesswind
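A way to confirm the first-handshake symptom from the outside, as an added example that is not part of the original post: nginx fetches the OCSP response lazily, after the first TLS handshake following a (re)start, so the first probe after a restart is the one to watch. The script assumes openssl(1) is installed; the host and port passed to `probe` are placeholders.

```shell
#!/bin/sh
# Added example, not from the mailing-list post: detect whether a server
# staples an OCSP response, and whether the leaf certificate demands one
# (Must-Staple). Assumes openssl(1); host/port are placeholders.

# Classify captured `openssl s_client -status` output.
# Prints "stapled" (exit 0) when a successful OCSP response was sent,
# otherwise "missing" (exit 1), which with a Must-Staple certificate is
# exactly what makes Firefox raise REQUIRED_TLS_FEATURE_MISSING.
staple_status() {
    if printf '%s\n' "$1" | grep -q 'OCSP Response Status: successful'; then
        echo stapled
        return 0
    fi
    echo missing
    return 1
}

# Does `openssl x509 -text` output show the TLS Feature extension with
# status_request, i.e. OCSP Must-Staple (RFC 7633)?
must_staple_present() {
    printf '%s\n' "$1" | grep -q 'TLS Feature' &&
        printf '%s\n' "$1" | grep -q 'status_request'
}

# Live probe: N consecutive handshakes against a host. nginx populates its
# stapling cache only after the first handshake, so right after a restart
# handshake 1 typically reports "missing" and later ones "stapled".
probe() {
    host=$1; port=${2:-443}; n=${3:-3}
    i=1
    while [ "$i" -le "$n" ]; do
        out=$(printf 'Q\n' | openssl s_client -connect "$host:$port" \
                -servername "$host" -status 2>/dev/null) || true
        printf 'handshake %d: %s\n' "$i" "$(staple_status "$out")"
        i=$((i + 1))
    done
}

# Usage: probe example.org 443 3
```

If handshake 1 reports `missing` and handshake 2 `stapled`, the server is stapling but started with an empty cache, which matches the behaviour described in the post.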
