Bernardo Donadio:
Hi.
I've noticed that OCSP stapling was broken by 1.15.4, as you may see below:
---------- nginx 1.15.4 with OpenSSL 1.1.1 final --------
$ openssl s_client -connect bcdonadio.com:443 -tlsextdebug -status
CONNECTED(00000003)
TLS server extension "renegotiation info" (id=65281), len=1
0000 - 00 .
TLS server extension "EC point formats" (id=11), len=4
0000 - 03 00 01 02 ....
TLS server extension "session ticket" (id=35), len=0
TLS server extension "extended master secret" (id=23), len=0
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = bcdonadio.com
verify return:1
OCSP response: no response sent
Andreas:
Works here:
$ openssl11 version
OpenSSL 1.1.1 11 Sep 2018
$ echo | openssl11 s_client -connect andreasschulze.de:443 -servername andreasschulze.de -tlsextdebug -status 2>&1 | grep -i ocsp
OCSP response:
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
(webserver) # nginx -V
nginx version: nginx/1.15.4
built with OpenSSL 1.1.1 11 Sep 2018
TLS SNI support enabled
configure arguments: --prefix=/usr ...
Worth mentioning: I'm using the configuration option "ssl_stapling_file".
If you don't use ssl_stapling_file, after a nginx restart the first
TLS session will not contain OCSP data.
Did you try to measure twice?
Andreas
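The "measure twice" advice above, as an added example that is not part of the thread: a small POSIX shell script that runs `openssl s_client -status` against a host two times and distinguishes "no staple at all" from "no staple on the first handshake only" (the warm-up case Andreas describes for nginx without `ssl_stapling_file`). The host name is whatever you pass as the first argument; no particular server is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Probes a TLS server for a stapled OCSP
# response twice and classifies the outcome. nginx configured with
# ssl_stapling but without ssl_stapling_file has nothing to staple on the
# first handshake after a restart, so a single probe can be misleading.

# Read "openssl s_client -status" output on stdin; succeed only if a staple
# was sent. Without one, s_client prints "OCSP response: no response sent".
has_ocsp_staple() {
    grep -q 'OCSP Response Status: successful'
}

# One handshake with SNI and the status_request extension; output on stdout.
# Closing stdin immediately makes s_client exit after the handshake.
probe_once() {
    printf '' | openssl s_client -connect "$1:443" -servername "$1" -status 2>&1
}

# Turn two observations ("yes"/"no" for first and second probe) into a verdict:
#   stapled               both handshakes carried a staple
#   stapled-after-warmup  only the second did (nginx fetched it in between)
#   not-stapled           anything else; check ssl_stapling and resolver config
classify_stapling() {
    case "$1/$2" in
        yes/yes) echo "stapled" ;;
        no/yes)  echo "stapled-after-warmup" ;;
        *)       echo "not-stapled" ;;
    esac
}

# Probe HOST twice and print the verdict.
check_stapling() {
    first=no
    second=no
    probe_once "$1" | has_ocsp_staple && first=yes
    probe_once "$1" | has_ocsp_staple && second=yes
    classify_stapling "$first" "$second"
}

if [ -n "${1:-}" ]; then
    check_stapling "$1"
fi
```

Run it as `sh check_stapling.sh example.com` (hypothetical file name); a `stapled-after-warmup` verdict right after an nginx restart is expected behaviour rather than a bug.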
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx