Re: How to enable OCSP stapling when default server is self-signed?

2016-09-29 Thread B.R.
Considering your rather old version of nginx coming from Ubuntu packages, I suggest you use the latest stable, officially available on nginx.org. Not related to your issue, but should not hurt (except with regressions ofc ;) ). --- *B. R.* On

Re: How to enable OCSP stapling when default server is self-signed?

2016-09-29 Thread hotwirez
Maxim Dounin Wrote: --- > Hello! > > On Wed, Sep 28, 2016 at 12:44:45PM -0400, hotwirez wrote: > > [...] > > > I wanted to mention that I've run into this issue as well when > trying to > > enable OCSP stapling, where I have a default_deny SSL

Re: How to enable OCSP stapling when default server is self-signed?

2016-09-28 Thread Maxim Dounin
Hello! On Wed, Sep 28, 2016 at 12:44:45PM -0400, hotwirez wrote: [...] > I wanted to mention that I've run into this issue as well when trying to > enable OCSP stapling, where I have a default_deny SSL server that has a > self-signed certificate where I don't want to use OCSP stapling, and

Re: How to enable OCSP stapling when default server is self-signed?

2016-09-28 Thread hotwirez
Maxim Dounin Wrote: --- > Hello! > > On Sun, Apr 12, 2015 at 12:21:19PM -0400, numroo wrote: > > > >> Yes, I ran the s_client command multiple times to account for the > nginx > > >> responder delay. I was testing OCSP stapling on just one of

Re: How to enable OCSP stapling when default server is self-signed?

2015-05-11 Thread bughunter
173279834462 Wrote: --- Note that this doesn't really indicate anything: there are two forms of OCSP requests, POST and GET. And Firefox uses POST, while nginx uses GET. Given the fact that the responder was completely broken just a few days

Re: How to enable OCSP stapling when default server is self-signed?

2015-05-08 Thread Maxim Dounin
Hello! On Thu, May 07, 2015 at 02:28:12PM -0400, 173279834462 wrote: [...] It turns out that the problem is security.ssl.enable_ocsp_stapling, which is true by default. If I disable it, then FF loads the web sites. If I re-enable it, then FF complains again: Secure Connection Failed

Re: How to enable OCSP stapling when default server is self-signed?

2015-05-07 Thread 173279834462
This depends on how your certificate is issued. If your certificate is issued directly by root CA certificate, then you don't need any extra certs here. If there are some intermediate certs, then you'll have to put them also. When this directive was introduced, almost all certificates were

Re: How to enable OCSP stapling when default server is self-signed?

2015-05-01 Thread bughunter
Finally had some time to construct an extremely basic server configuration with a default HTTP and HTTPS server and test it. I'm working on a production server, so there are quite a few requests every second and therefore the downtime had to be scheduled into a tiny window of opportunity. I also

Re: How to enable OCSP stapling when default server is self-signed?

2015-04-13 Thread Maxim Dounin
Hello! On Sun, Apr 12, 2015 at 12:21:19PM -0400, numroo wrote: Yes, I ran the s_client command multiple times to account for the nginx responder delay. I was testing OCSP stapling on just one of my domains. Then I read that the 'default_server' SSL server also has to have OCSP stapling

Re: How to enable OCSP stapling when default server is self-signed?

2015-04-12 Thread numroo
Yes, I ran the s_client command multiple times to account for the nginx responder delay. I was testing OCSP stapling on just one of my domains. Then I read that the 'default_server' SSL server also has to have OCSP stapling enabled for vhost OCSP stapling to work:

Re: How to enable OCSP stapling when default server is self-signed?

2015-04-08 Thread bughunter
Maxim Dounin Wrote: --- Hello! On Tue, Apr 07, 2015 at 12:26:23AM -0400, bughunter wrote: [...] So how do I enable OCSP stapling for my vhosts when the default server cert is self-signed? This seems like a potential bug in

Re: How to enable OCSP stapling when default server is self-signed?

2015-04-08 Thread Maxim Dounin
Hello! On Wed, Apr 08, 2015 at 02:30:12AM -0400, bughunter wrote: Maxim Dounin Wrote: --- Hello! On Tue, Apr 07, 2015 at 12:26:23AM -0400, bughunter wrote: [...] So how do I enable OCSP stapling for my vhosts when the

Re: How to enable OCSP stapling when default server is self-signed?

2015-04-07 Thread Maxim Dounin
Hello! On Tue, Apr 07, 2015 at 12:26:23AM -0400, bughunter wrote: [...] So how do I enable OCSP stapling for my vhosts when the default server cert is self-signed? This seems like a potential bug in the nginx SSL module. Just enable ssl_stapling in appropriate server{} blocks.
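The configuration shape Maxim's answer points at, written out as an added example (this is not a config posted in the thread and not nginx's own documentation): the self-signed catch-all default_server gets no ssl_stapling at all, and stapling is switched on only in the server{} block that carries a CA-issued certificate. All file paths, the server name and the resolver address are assumptions for illustration.

```nginx
# Added example, not from the original thread. Paths, server_name and
# resolver address are placeholders; substitute your own.
http {
    # nginx has to resolve the OCSP responder hostname taken from the
    # certificate's Authority Information Access extension, so a resolver
    # is required for stapling. Assumption: a local stub resolver.
    resolver 127.0.0.53 valid=300s;

    # Catch-all for unknown or missing SNI names. The certificate is
    # self-signed, so there is no OCSP responder to ask; leave
    # ssl_stapling off here rather than enabling it at http{} level.
    server {
        listen 443 ssl default_server;
        server_name _;
        ssl_certificate     /etc/nginx/ssl/default-self-signed.crt;  # assumed path
        ssl_certificate_key /etc/nginx/ssl/default-self-signed.key;  # assumed path
        return 444;   # drop the connection without a response
    }

    # Real virtual host with a CA-issued certificate. Stapling is enabled
    # in this block only.
    server {
        listen 443 ssl;
        server_name example.com;   # assumed name

        # Leaf certificate followed by the intermediate(s), so clients can
        # build the chain and nginx can find the issuer for the OCSP query.
        ssl_certificate     /etc/nginx/ssl/example.com.fullchain.pem;  # assumed path
        ssl_certificate_key /etc/nginx/ssl/example.com.key;            # assumed path

        ssl_stapling on;
        ssl_stapling_verify on;
        # Intermediate and root certificates used to verify the OCSP
        # response before it is stapled; needed for ssl_stapling_verify.
        ssl_trusted_certificate /etc/nginx/ssl/example.com.chain.pem;  # assumed path
    }
}
```

To confirm the result, connect with SNI and ask for the status: `openssl s_client -connect example.com:443 -servername example.com -status </dev/null` and look for `OCSP Response Status: successful (0x0)` in the output. nginx fetches the OCSP response in the background after the first handshake that needs it, so the very first connection after a reload typically shows no stapled response and the command has to be repeated, which is the "responder delay" referred to later in this thread. Omitting `-servername` hits the default_server, whose self-signed certificate has nothing to staple, so a missing status there is expected and not a failure of the vhost.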

Re: How to enable OCSP stapling when default server is self-signed?

2015-04-06 Thread Maxim Dounin
Hello! On Sun, Apr 05, 2015 at 11:26:19PM -0400, bughunter wrote: My web server is intentionally set up to only support virtual hosts and TLS SNI. I know that the latter eliminates some ancient web browsers but I don't care about those browsers. I want to enable OCSP stapling and it seems

Re: How to enable OCSP stapling when default server is self-signed?

2015-04-06 Thread bughunter
Maxim Dounin Wrote: --- Hello! On Sun, Apr 05, 2015 at 11:26:19PM -0400, bughunter wrote: My web server is intentionally set up to only support virtual hosts and TLS SNI. I know that the latter eliminates some ancient web browsers

How to enable OCSP stapling when default server is self-signed?

2015-04-05 Thread bughunter
My web server is intentionally set up to only support virtual hosts and TLS SNI. I know that the latter eliminates some ancient web browsers but I don't care about those browsers. I want to enable OCSP stapling and it seems to be configured correctly in my test vhost (everything else about SSL