Hello! On Sun, Apr 13, 2014 at 11:27:17AM +0300, shimi wrote:
> Hi,
>
> I'm contacting the list after doing some Google-foo and not finding
> anything - not sure if this is due to my searching skills, or because
> nobody ever asked about this... pardon me if it's a known issue, and a link
> to a relevant resource would be appreciated in such a case.
>
> I'm using Nginx as a reverse HTTP proxy to Tomcat, primarily for the
> purpose of doing OCSP stapling.
>
> When Nginx starts for the first time, and there's no cached OCSP response,
> the first client to try an OCSP will fail; I understand that this is by
> design, and I've overcome it by simply 'warming' the cache manually by
> using OpenSSL's s_client... of course I'll be happy to learn there's a way
> to make Nginx block and get OCSP response if there's a cache miss (I
> understand that blocking every time in case of OCSP server being down won't
> help performance much, but I guess cache can be negative in such a case,
> instead of a miss, and maybe this is already the case...)
>
> Anyways, that's not the main issue I have.
>
> The main issue I have is that when a revoked certificate is being used by
> Nginx, and an OCSP is being conducted against the server port where this
> certificate is served.
>
> Watching the packets arriving from ocsp.digicert.com via Wireshark, I see
> the OCSP response saying that the certificate is revoked (so, Nginx seems
> to be querying the OCSP server fine?), and I also see this in Nginx's error
> log:
>
> 2014/04/07 17:44:41 [error] 27005#0: certificate status "revoked" in the
> OCSP response while requesting certificate status, responder:
> ocsp.digicert.com
>
> Yet, the OpenSSL s_client, even after multiple attempts (so the cache
> should be "warm"), returns that no OCSP response was returned from the
> server...
>
> Naturally, I would expect the response to be proxied by Nginx back to the
> client.
>
> What am I missing / doing wrong?
:)

As long as no good OCSP response is received, nginx will not staple
anything as it doesn't make sense (moreover, it may be harmful, e.g. if
the response isn't verified).

-- 
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
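The behaviour described in this exchange (nginx staples nothing unless it holds a good, verified OCSP response, so a client sees "no response sent" when the certificate's status is revoked) is easy to misread from the raw `openssl s_client -status` transcript. The script below is an added example, not code from the thread or from nginx: it probes a server with OpenSSL's s_client and turns the transcript into a single status token that distinguishes "nothing stapled" from "stapled, status good/revoked/unknown", which is what a monitoring check wants. It assumes OpenSSL is installed; the hostname `www.example.invalid` and the two sample transcripts are constructed placeholders, abridged to the lines the classifier looks at.

```shell
#!/bin/sh
# Added example, not from the thread: interpret what `openssl s_client -status`
# reports about OCSP stapling. probe_stapling() needs network access and an
# installed OpenSSL; classify_ocsp_output() works on a captured transcript, so
# it is exercised below with constructed samples.

# Ask a server for a stapled OCSP response and capture the s_client transcript.
# -servername sets SNI so the right certificate is selected; 'Q' closes the
# session once the handshake is done.
probe_stapling() {
    host="$1"
    port="${2:-443}"
    printf 'Q\n' | openssl s_client -connect "$host:$port" -servername "$host" -status 2>/dev/null
}

# Read a transcript on stdin and print one token:
#   none              no OCSP response was stapled (what the poster observed)
#   stapled:good      a response was stapled and reports the cert good
#   stapled:revoked   a response was stapled and reports the cert revoked
#   stapled:unknown   a response was stapled with status "unknown"
#   stapled:unparsed  a response was stapled but no Cert Status line was found
classify_ocsp_output() {
    text=$(cat)
    if printf '%s\n' "$text" | grep -q '^OCSP response: no response sent'; then
        echo none
        return 0
    fi
    if printf '%s\n' "$text" | grep -q 'OCSP Response Status: successful'; then
        status=$(printf '%s\n' "$text" | sed -n 's/^ *Cert Status: //p' | head -n 1)
        case "$status" in
            good)    echo stapled:good ;;
            revoked) echo stapled:revoked ;;
            unknown) echo stapled:unknown ;;
            *)       echo stapled:unparsed ;;
        esac
        return 0
    fi
    # No stapling markers at all (e.g. the handshake failed before the status
    # extension was seen); treat as not stapled.
    echo none
}

# Constructed sample transcripts (abridged to the lines that matter; the
# hostname is a placeholder, not a real server).
SAMPLE_NO_STAPLE=$(cat <<'EOF'
CONNECTED(00000003)
OCSP response: no response sent
depth=0 CN = www.example.invalid
verify return:1
EOF
)

SAMPLE_STAPLED_GOOD=$(cat <<'EOF'
CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
    Cert Status: good
    This Update: Apr 13 00:00:00 2014 GMT
======================================
depth=0 CN = www.example.invalid
EOF
)

# Usage against a live server (uncomment once the host is real):
#   probe_stapling www.example.invalid 443 | classify_ocsp_output
printf 'no-staple sample:    %s\n' "$(printf '%s\n' "$SAMPLE_NO_STAPLE" | classify_ocsp_output)"
printf 'stapled-good sample: %s\n' "$(printf '%s\n' "$SAMPLE_STAPLED_GOOD" | classify_ocsp_output)"
```

A `none` result on a freshly started nginx is expected until the first background OCSP fetch completes, as the poster noted; a persistent `none` on a certificate whose CA reports it revoked is exactly the behaviour Maxim describes and is a signal to replace the certificate rather than a stapling misconfiguration.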