OCSP checks fail only on 1st site hit; OK afterwards ?

PGNet Dev
November 09, 2022 01:58PM
I run nginx/1.23.2 on Linux.

After a clean reboot, on first access to my site front page, I see in the log:

==> /var/log/nginx/example.com.443.error.log <==
2022/11/09 12:38:15 [info] 1460#1460: *2 SSL_do_handshake() failed (SSL: error:0A000412:SSL routines::sslv3 alert bad certificate:SSL alert number 42) while SSL handshaking, client: 2601:...:xxx1, server: [2600:...:xxx6]:443

If I immediately just reload the page in the browser, no more problem; the page renders OK, SSL checks out, all site nav is fine.

Subsequent hits to the front page are also OK.

I use Let's Encrypt certs.

Digging around, I found this from 2013:

Can't get OCSP stapling to work, despite openssl working fine
https://success.qualys.com/discussions/s/question/0D52L00004TnuFdSAJ/cant-get-ocsp-stapling-to-work-despite-openssl-working-fine

My config includes:

ssl_stapling on;
ssl_stapling_verify on;
ssl_stapling_responder http://r3.o.lencr.org/;
server {
ssl_trusted_certificate ...;
}

Checking after a cold reboot, the 1st connect returns a missing OCSP response:

echo | openssl s_client -connect example.com:443 -servername example.com -tls1_3 -tlsextdebug -status
CONNECTED(00000003)
...
depth=0 CN = example.com
verify return:1
!! OCSP response: no response sent
...
---
SSL handshake has read 4384 bytes and written 318 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_CHACHA20_POLY1305_SHA256
Server public key is 384 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
DONE

But an immediately subsequent 2nd try returns a response:

echo | openssl s_client -connect example.com:443 -servername example.com -tls1_3 -tlsextdebug -status
CONNECTED(00000003)
...
verify return:1
OCSP response:
======================================
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C = US, O = Let's Encrypt, CN = R3
Produced At: Nov 9 17:09:00 2022 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 48D...3D1
Issuer Key Hash: 142...2BC
Serial Number: 022...84E
Cert Status: good
This Update: Nov 9 17:00:00 2022 GMT
Next Update: Nov 16 16:59:58 2022 GMT

Signature Algorithm: sha256WithRSAEncryption
Signature Value:
09:...:cf
======================================
...
---
SSL handshake has read 4894 bytes and written 318 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_CHACHA20_POLY1305_SHA256
Server public key is 384 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
DONE

So far, this^^ is 100% reproducible for me; always/only on first load after boot.

This 'feels' like a timeout before OCSP is cached, with no issues after.
Not sure.

Reading up at

https://nginx.org/en/docs/http/ngx_http_ssl_module.html

I see

ssl_stapling_responder

"Overrides the URL of the OCSP responder specified in the “Authority Information Access” certificate extension."

which I use, but also

ssl_ocsp_responder

"Overrides the URL of the OCSP responder specified in the “Authority Information Access” certificate extension for validation of client certificates."

which I don't currently.

What's the difference in function/usage between those two?

As far as caching, I also see

ssl_ocsp_cache

which I haven't defined, so it's at the default:

ssl_ocsp_cache off

Any clues as to what's missing/misconfigured and responsible for the 1st-time-only fails I see?

_______________________________________________
nginx mailing list -- nginx@nginx.org
To unsubscribe send an email to nginx-leave@nginx.org
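As an added check (not code from the post, nginx, or OpenSSL): a small Python script that parses the `openssl s_client -status` output shown above and classifies consecutive probes, so a first-hit-only missing staple shows up as its own result rather than a one-off. The sample outputs are constructed from the two runs quoted above; the function names, the "cold-cache" label, and the host/port arguments are mine.

```python
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# Constructed samples, abridged from the two s_client runs quoted in the post.
SAMPLE_COLD = ("CONNECTED(00000003)\nverify return:1\n"
               "OCSP response: no response sent\n---\nVerify return code: 0 (ok)\n")
SAMPLE_WARM = ("CONNECTED(00000003)\nverify return:1\nOCSP response:\nOCSP Response Data:\n"
               "    OCSP Response Status: successful (0x0)\n    Cert Status: good\n"
               "    Next Update: Nov 16 16:59:58 2022 GMT\n---\nVerify return code: 0 (ok)\n")

@dataclass
class StapleResult:
    stapled: bool                   # server included an OCSP response in the handshake
    response_status: Optional[str]  # e.g. "successful (0x0)"; None when nothing was stapled
    cert_status: Optional[str]      # "good", "revoked" or "unknown"
    next_update: Optional[str]      # when the stapled response expires

def parse_status_output(text: str) -> StapleResult:
    """Parse what `openssl s_client -status` prints (field names as in the post)."""
    status = re.search(r"OCSP Response Status:\s*(.+)", text)
    cert = re.search(r"Cert Status:\s*(\w+)", text)
    nxt = re.search(r"Next Update:\s*(.+)", text)
    return StapleResult(
        stapled="OCSP Response Data:" in text,
        response_status=status.group(1).strip() if status else None,
        cert_status=cert.group(1) if cert else None,
        next_update=nxt.group(1).strip() if nxt else None,
    )

def classify(outputs: List[str]) -> str:
    """'cold-cache' is the symptom in the post: first probe unstapled, all later ones stapled."""
    flags = [parse_status_output(o).stapled for o in outputs]
    if all(flags):
        return "stapled"
    if not any(flags):
        return "not-stapled"
    return "cold-cache" if not flags[0] and all(flags[1:]) else "intermittent"

def probe(host: str, port: int = 443, attempts: int = 3) -> str:
    """Run s_client back to back and classify; needs the openssl CLI and network access."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host, "-status"]
    outs = []
    for _ in range(attempts):
        p = subprocess.run(cmd, input=b"", capture_output=True, timeout=20)
        outs.append(p.stdout.decode(errors="replace"))
    return classify(outs)
```

Running `probe("example.com")` right after a restart and again a minute later separates a cache that is merely cold on the first handshake from a responder that never answers.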