Previous Message Next Message
Forum List Message List New Topic Print View
PGNet Dev
November 09, 2022 04:36PM
an old, 2015 post from Caddy Webserver's author,

OCSP Stapling Robustness in Apache and nginx
https://gist.github.com/mholt/3b4910c802b2ed7e92294e26a1ae8551

comments,

"...
nginx's logic is a lot more robust than Apache's in this regard. Good OCSP responses are cached for an hour, but are not replaced until a successful new response has been received, meaning nginx can weather temporary OCSP responder outages. Unfortunately, nginx's logic is drastically worse in a different way: nginx kicks off OCSP queries on-demand, during the TLS handshake, but continues the handshake without waiting for the OCSP response to return. And since the OCSP response caches are unique per worker process, the first TLS connection handled by any given worker process never has a response stapled! (By the way, this makes testing whether you've properly enabled OCSP stapling rather annoying and confusing if you don't know about this.) This behavior also means that if a worker process sites idle for a long time, it doesn't refresh its OCSP responses and could staple an expired OCSP response on the next request it handles. [Update: the expired response issue is fixed in nginx 1.9.2. Now, if the cached OCSP response is expired, no response at all is stapled. A query to the OCSP responder is still initiated in the background, so subsequent handshakes should have a fresh stapled response.]
..."

that suggests an 'updated' (back then, as of v >= 1.9.2) behavior of no OCSP response on 1st try, but a background-queried-and-cached ok response subsequently.

which, sounds like what i'm seeing.


> i run nginx/1.23.2 on linux
>
> after a clear reboot, on first access to my site front page, I see in log
>
>     ==> /var/log/nginx/example.com.443.error.log <==
>     2022/11/09 12:38:15 [info] 1460#1460: *2 SSL_do_handshake() failed (SSL: error:0A000412:SSL routines::sslv3 alert bad certificate:SSL alert number 42) while SSL handshaking, client: 2601:...:xxx1, server: [2600:...:xxx6]:443
>
> if I immediately just reload the page in browser, no more problem; the page renders ok, SSL check out, all site nav is fine
>
> subsequent hits to the front page are also OK
...

is that (still?) the current mode of operation in nginx's ocsp logic ?


_______________________________________________
nginx mailing list -- nginx@nginx.org
To unsubscribe send an email to nginx-leave@nginx.org
Reply Quote
RSS
Subject Author Posted

OCSP checks fail only on 1st site hit; OK afterwards ?

PGNet Dev November 09, 2022 01:58PM

Re: OCSP checks fail only on 1st site hit; OK afterwards ?

PGNet Dev November 09, 2022 04:36PM

Re: OCSP checks fail only on 1st site hit; OK afterwards ?

PGNet Dev November 09, 2022 05:02PM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 256
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready