Re: OCSP unauthorized request

Maxim Dounin
April 10, 2014 07:58AM
Hello!

On Thu, Apr 10, 2014 at 07:42:23AM +0100, Anatoly Mikhailov wrote:

> I am seeing the following line in error.log at the default log level:
>
> OCSP response not successful (6: unauthorized) while requesting certificate status, responder: ocsp.comodoca.com
>
> Environment: Nginx 1.5.13, the ssl/tls settings are as follows:
> ssl_session_timeout 15m;
> ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
> ssl_prefer_server_ciphers on;
> ssl_session_cache shared:SSL:10m;
> ssl_stapling on;

The OCSP responder was probably trying to say that it does not have
enough information and cannot tell whether the certificate is valid or not,
http://tools.ietf.org/html/rfc5019#section-2.2.3:

As long as the OCSP infrastructure has authoritative records for a
particular certificate, an OCSPResponseStatus of "successful" will be
returned. When access to authoritative records for a particular
certificate is not available, the responder MUST return an
OCSPResponseStatus of "unauthorized". As such, this profile extends
the RFC 2560 [OCSP] definition of "unauthorized" as follows:

The response "unauthorized" is returned in cases where the client
is not authorized to make this query to this server or the server
is not capable of responding authoritatively.

For example, OCSP responders that do not have access to authoritative
records for a requested certificate, such as those that generate and
distribute OCSP responses in advance and thus do not have the ability
to properly respond with a signed "successful" yet "unknown"
response, will respond with an OCSPResponseStatus of "unauthorized".
Also, in order to ensure the database of revocation information does
not grow unbounded over time, the responder MAY remove the status
records of expired certificates. Requests from clients for
certificates whose record has been removed will result in an
OCSPResponseStatus of "unauthorized".

Why that is, is a question for COMODO. Most likely the certificate is
new and the OCSP responder does not know about it yet.

For its part, nginx will not use such a response for stapling, and
will keep retrying to obtain a valid response for stapling once every
5 minutes.

--
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx-ru mailing list
nginx-ru@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-ru
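To see how the "unauthorized" answer in the log differs from a usable one on the wire, here is an added example (not nginx code and not from the list posts) that decodes only the outer OCSPResponse structure from RFC 6960 section 4.2.1: an ENUMERATED responseStatus, optionally followed by [0] responseBytes. A responder that answers "unauthorized" sends just the five bytes `30 03 0a 01 06` with no responseBytes at all, which is exactly why nothing from it can be stapled. The two sample messages are constructed; the "successful" one carries a stub responseBytes whose BasicOCSPResponse is left empty, since only the status field is being examined.

```python
"""Decode the outer OCSPResponse (RFC 6960 4.2.1) and report its status.

Added example; not nginx code. The sample DER blobs below are constructed.
"""

# OCSPResponseStatus values (RFC 2560 / RFC 6960); value 4 is unused.
STATUS_NAMES = {
    0: "successful",
    1: "malformedRequest",
    2: "internalError",
    3: "tryLater",
    5: "sigRequired",
    6: "unauthorized",
}


def _read_tlv(buf, offset):
    """Read one DER tag-length-value at offset.

    Returns (tag, value_bytes, offset_after_value). Handles short and
    long-form lengths, which is all a DER OCSPResponse needs.
    """
    tag = buf[offset]
    length = buf[offset + 1]
    offset += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[offset:offset + n], "big")
        offset += n
    return tag, buf[offset:offset + length], offset + length


def ocsp_response_status(der):
    """Return (status_code, status_name, has_response_bytes) for a DER OCSPResponse."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("OCSPResponse must be a SEQUENCE")
    tag, value, nxt = _read_tlv(body, 0)
    if tag != 0x0A or len(value) != 1:
        raise ValueError("responseStatus must be a one-octet ENUMERATED")
    code = value[0]
    # responseBytes is [0] EXPLICIT (tag 0xA0) and is only present on success.
    has_bytes = nxt < len(body) and body[nxt] == 0xA0
    return code, STATUS_NAMES.get(code, "unknown(%d)" % code), has_bytes


def usable_for_stapling(der):
    """A response is worth caching for stapling only when its status is 0."""
    return ocsp_response_status(der)[0] == 0


# Constructed: the complete message an "unauthorized" responder sends.
#   SEQUENCE { ENUMERATED 6 }
UNAUTHORIZED = bytes.fromhex("30030a0106")

# Constructed: status successful, followed by a stub responseBytes
#   [0] { SEQUENCE { OID id-pkix-ocsp-basic, OCTET STRING "" } }
# (a real response would carry a signed BasicOCSPResponse in that OCTET STRING).
SUCCESSFUL = bytes.fromhex(
    "3014" "0a0100" "a00f" "300d" "06092b0601050507300101" "0400"
)


if __name__ == "__main__":
    for label, blob in (("comodo log line", UNAUTHORIZED), ("stub", SUCCESSFUL)):
        code, name, has_bytes = ocsp_response_status(blob)
        print("%-16s status=%d (%s) responseBytes=%s stapling=%s"
              % (label, code, name, has_bytes, usable_for_stapling(blob)))
```

The number nginx prints in the log, "6: unauthorized", is this responseStatus value; the check above is the same decision nginx makes before deciding whether to cache and staple what came back.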
Thread:

OCSP unauthorized request, Anatoly Mikhailov, April 10, 2014 02:44AM
Re: OCSP unauthorized request, Maxim Dounin, April 10, 2014 07:58AM