Re: err with multiple TLS sites but one OCSP?

2017-01-27 Thread Michael W. Lucas
On Fri, Jan 27, 2017 at 09:53:25PM +, Bob Beck wrote:
>On Fri, Jan 27, 2017 at 14:12 Michael W. Lucas
>  Or a misconfiguration.  show configs


Configs follow.

# cat /etc/httpd.conf
include "/etc/sites/www3.conf"
include "/etc/sites/www4.conf"

www3.conf:

server "www3.mwlucas.org" {
   listen on * port 80
   block return 302 "https://$SERVER_NAME$REQUEST_URI"
}


server "www3.mwlucas.org" {
alias tarpit.mwlucas.org
listen on * tls port 443
hsts
# TLS certificate and key files created with acme-client(1)
tls certificate "/etc/ssl/acme/www3/www3.fullchain.pem"
tls key "/etc/ssl/acme/www3/www3.key"
tls ocsp "/etc/ssl/acme/www3/www3.der"
tcp nodelay

   location "/.well-known/acme-challenge/*" {
   root "/acme"
   root strip 2
   }
}


www4:

server "www4.mwlucas.org" {
alias bill.mwlucas.org
alias auction.mwlucas.org
listen on * port 80

   location "/.well-known/acme-challenge/*" {
   root "/acme"
   root strip 2
   }


block return 301 "https://$DOCUMENT_URI"
}

server "www4.mwlucas.org" {
alias bill.mwlucas.org
alias auction.mwlucas.org
root "/www4"
listen on * tls port 443
hsts
# TLS certificate and key files created with acme-client(1)
tls certificate "/etc/ssl/acme/www4/www4.fullchain.pem"
tls key "/etc/ssl/acme/www4/www4.key"
#   tls ocsp "/etc/ssl/acme/www4/www4.der"
tcp nodelay
   location "/.well-known/acme-challenge/*" {
   root "/acme"
   root strip 2
   }

}




-- 
Michael W. Lucas        Twitter @mwlauthor
nonfiction: https://www.michaelwlucas.com/
fiction: https://www.michaelwarrenlucas.com/
blog: http://blather.michaelwlucas.com/



Re: err with multiple TLS sites but one OCSP?

2017-01-27 Thread Bob Beck
On Fri, Jan 27, 2017 at 15:23 Stuart Henderson wrote:

> On 2017/01/27 22:09, Bob Beck wrote:
> > I think you have more issues than ocsp. if thats the same host you can't
> > have two different tls certs on the same ip.   and you have them both on
> > *443
> >
> > try using a separate ip for each
>
> Wasn't SNI support added to httpd already?

hmmm. right. but i bet itll work with explicit separate ip's.  stapling on
the other hand will be per config. so thats probably whats fighting.
separate ip would confirm that.

im tired. ill look at it tomorrow unless someone else does


Re: err with multiple TLS sites but one OCSP?

2017-01-27 Thread Stuart Henderson
On 2017/01/27 22:09, Bob Beck wrote:
> I think you have more issues than ocsp. if thats the same host you can't
> have two different tls certs on the same ip.   and you have them both on
> *443
> 
> try using a separate ip for each

Wasn't SNI support added to httpd already?



Re: err with multiple TLS sites but one OCSP?

2017-01-27 Thread Bob Beck
I think you have more issues than ocsp. if thats the same host you can't
have two different tls certs on the same ip.   and you have them both on
*443

try using a separate ip for each



On Fri, Jan 27, 2017 at 15:03 Michael W. Lucas wrote:

> On Fri, Jan 27, 2017 at 09:53:25PM +, Bob Beck wrote:
> >On Fri, Jan 27, 2017 at 14:12 Michael W. Lucas
> >  Or a misconfiguration.  show configs
>
>
> Configs follow.
>
> # cat /etc/httpd.conf
> include "/etc/sites/www3.conf"
> include "/etc/sites/www4.conf"
>
> www3.conf:
>
> server "www3.mwlucas.org" {
>    listen on * port 80
>    block return 302 "https://$SERVER_NAME$REQUEST_URI"
> }
>
>
> server "www3.mwlucas.org" {
> alias tarpit.mwlucas.org
> listen on * tls port 443
> hsts
> # TLS certificate and key files created with acme-client(1)
> tls certificate "/etc/ssl/acme/www3/www3.fullchain.pem"
> tls key "/etc/ssl/acme/www3/www3.key"
> tls ocsp "/etc/ssl/acme/www3/www3.der"
> tcp nodelay
>
>    location "/.well-known/acme-challenge/*" {
>    root "/acme"
>    root strip 2
>    }
> }
>
>
> www4:
>
> server "www4.mwlucas.org" {
> alias bill.mwlucas.org
> alias auction.mwlucas.org
> listen on * port 80
>
>    location "/.well-known/acme-challenge/*" {
>    root "/acme"
>    root strip 2
>    }
>
>
> block return 301 "https://$DOCUMENT_URI"
> }
>
> server "www4.mwlucas.org" {
> alias bill.mwlucas.org
> alias auction.mwlucas.org
> root "/www4"
> listen on * tls port 443
> hsts
> # TLS certificate and key files created with acme-client(1)
> tls certificate "/etc/ssl/acme/www4/www4.fullchain.pem"
> tls key "/etc/ssl/acme/www4/www4.key"
> #   tls ocsp "/etc/ssl/acme/www4/www4.der"
> tcp nodelay
>    location "/.well-known/acme-challenge/*" {
>    root "/acme"
>    root strip 2
>    }
>
> }
>
>
> --
> Michael W. Lucas        Twitter @mwlauthor
> nonfiction: https://www.michaelwlucas.com/
> fiction: https://www.michaelwarrenlucas.com/
> blog: http://blather.michaelwlucas.com/


Re: err with multiple TLS sites but one OCSP?

2017-01-27 Thread Bob Beck
On Fri, Jan 27, 2017 at 14:12 Michael W. Lucas wrote:

> On Fri, Jan 27, 2017 at 02:50:29PM -0500, Michael W. Lucas wrote:
> > On Fri, Jan 27, 2017 at 06:49:06PM +, Stuart Henderson wrote:
> > > That looks like a web server bug, it shouldn't return a staple

Or a misconfiguration.  show configs

> > > in that case.  What software are you using for that?
> >
> >
> > OpenBSD httpd, of course. amd64 snapshot downloaded yesterday from
> > ftp3.usa.openbsd.org.
>
> To be clear, that's a "How the hell could I forget to include that?"
> facepalm, not anything about Stuart asking the question...
>
> --
> Michael W. Lucas        Twitter @mwlauthor
> nonfiction: https://www.michaelwlucas.com/
> fiction: https://www.michaelwarrenlucas.com/
> blog: http://blather.michaelwlucas.com/


Re: err with multiple TLS sites but one OCSP?

2017-01-27 Thread Michael W. Lucas
On Fri, Jan 27, 2017 at 02:50:29PM -0500, Michael W. Lucas wrote:
> On Fri, Jan 27, 2017 at 06:49:06PM +, Stuart Henderson wrote:
> > That looks like a web server bug, it shouldn't return a staple
> > in that case.  What software are you using for that?
> 
> OpenBSD httpd, of course. amd64 snapshot downloaded yesterday from
> ftp3.usa.openbsd.org.

To be clear, that's a "How the hell could I forget to include that?"
facepalm, not anything about Stuart asking the question...

-- 
Michael W. Lucas        Twitter @mwlauthor
nonfiction: https://www.michaelwlucas.com/
fiction: https://www.michaelwarrenlucas.com/
blog: http://blather.michaelwlucas.com/



Re: err with multiple TLS sites but one OCSP?

2017-01-27 Thread Michael W. Lucas
On Fri, Jan 27, 2017 at 06:49:06PM +, Stuart Henderson wrote:
> That looks like a web server bug, it shouldn't return a staple
> in that case.  What software are you using for that?
OpenBSD httpd, of course. amd64 snapshot downloaded yesterday from
ftp3.usa.openbsd.org.

==ml

-- 
Michael W. Lucas        Twitter @mwlauthor
nonfiction: https://www.michaelwlucas.com/
fiction: https://www.michaelwarrenlucas.com/
blog: http://blather.michaelwlucas.com/



Re: err with multiple TLS sites but one OCSP?

2017-01-27 Thread Stuart Henderson
On 2017/01/27 13:10, Michael W. Lucas wrote:
> Hi,
> 
> Not sure if this is an expected part of OCSP or a bug.
> 
> I've configured two TLS sites on one host, one with OCSP stapling
> (www3.mwlucas.org) and one without (www4.mwlucas.org). The OCSP site
> works fine, but the non-OCSP site generates an err.
> 
> It *appears* that queries to the non-OCSP site return the OCSP site's
> OCSP cert.
> 
> Following please find openssl queries on both. Feel free to check the
> sites yourself, I'm FAR from a TLS guru.

That looks like a web server bug, it shouldn't return a staple
in that case.  What software are you using for that?

> # openssl s_client -connect www4.mwlucas.org:443 -status -servername www4.mwlucas.org
> ...
> verify return:1
> OCSP response:
> ==
> OCSP Response Data:
> OCSP Response Status: successful (0x0)
> Response Type: Basic OCSP Response
> Version: 1 (0x0)
> Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
> Produced At: Jan 26 23:02:00 2017 GMT
> Responses:
> Certificate ID:
>   Hash Algorithm: sha1
>   Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
>   Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
>   Serial Number: 032CBDA721856F117CC7D57A72BBFA77B578
> Cert Status: good
> This Update: Jan 26 23:00:00 2017 GMT
> Next Update: Feb  2 23:00:00 2017 GMT
> 
> Signature Algorithm: sha256WithRSAEncryption
> 
> 
> # openssl s_client -connect www3.mwlucas.org:443 -status -servername www3.mwlucas.org
> CONNECTED(0003)
> depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
> verify return:1
> depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
> verify return:1
> depth=0 CN = www3.mwlucas.org
> verify return:1
> OCSP response:
> ==
> OCSP Response Data:
> OCSP Response Status: successful (0x0)
> Response Type: Basic OCSP Response
> Version: 1 (0x0)
> Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
> Produced At: Jan 26 23:02:00 2017 GMT
> Responses:
> Certificate ID:
>   Hash Algorithm: sha1
>   Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
>   Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
>   Serial Number: 032CBDA721856F117CC7D57A72BBFA77B578
> Cert Status: good
> This Update: Jan 26 23:00:00 2017 GMT
> Next Update: Feb  2 23:00:00 2017 GMT
> 
> Signature Algorithm: sha256WithRSAEncryption
> ==
> ...
> 
> ==ml
> 
> 
> -- 
> Michael W. Lucas        Twitter @mwlauthor
> nonfiction: https://www.michaelwlucas.com/
> fiction: https://www.michaelwarrenlucas.com/
> blog: http://blather.michaelwlucas.com/
>
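The symptom reported in this thread (www4 answering with www3's staple, same serial number in both responses) is exactly what a post-deployment check should catch. The following is an added example, not code from the thread or from OpenBSD httpd: it uses the Python `cryptography` library (assumed installed) to build a throwaway issuer, two leaf certificates and one OCSP response for the first leaf only, then checks whether a staple's CertID identifies the leaf actually being served. The hostnames and issuer name are constructed.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.ocsp import (OCSPCertStatus, OCSPRequestBuilder,
                                    OCSPResponderEncoding, OCSPResponseBuilder,
                                    OCSPResponseStatus, load_der_ocsp_response)
from cryptography.x509.oid import NameOID

NOW = dt.datetime.now(dt.timezone.utc)

def make_cert(cn, issuer_cert, issuer_key, key, ca=False):
    """Sign a minimal certificate; issuer_cert=None means self-signed."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    issuer = issuer_cert.subject if issuer_cert else subject
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - dt.timedelta(days=1))
            .not_valid_after(NOW + dt.timedelta(days=90))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

def make_staple(leaf, issuer_cert, issuer_key):
    """DER 'good' OCSP response for one leaf; CertID hashed with SHA-1 as in the thread."""
    return (OCSPResponseBuilder()
            .add_response(cert=leaf, issuer=issuer_cert, algorithm=hashes.SHA1(),
                          cert_status=OCSPCertStatus.GOOD, this_update=NOW,
                          next_update=NOW + dt.timedelta(days=7),
                          revocation_time=None, revocation_reason=None)
            .responder_id(OCSPResponderEncoding.NAME, issuer_cert)
            .sign(issuer_key, hashes.SHA256())
            .public_bytes(serialization.Encoding.DER))

def staple_matches_leaf(leaf, issuer_cert, staple_der):
    """True only if the staple's CertID (hash algorithm, issuer name hash, issuer
    key hash, serial) identifies this leaf; a sibling vhost's staple fails here."""
    resp = load_der_ocsp_response(staple_der)
    if resp.response_status != OCSPResponseStatus.SUCCESSFUL:
        return False
    # Let the library compute the CertID this leaf should have, then compare fields.
    want = OCSPRequestBuilder().add_certificate(leaf, issuer_cert, resp.hash_algorithm).build()
    return (resp.serial_number == want.serial_number
            and resp.issuer_name_hash == want.issuer_name_hash
            and resp.issuer_key_hash == want.issuer_key_hash)

# Constructed PKI: one issuer, two leaves, and a staple issued for www3 only.
CA_KEY = ec.generate_private_key(ec.SECP256R1())
CA_CERT = make_cert("Constructed Test Issuer", None, CA_KEY, CA_KEY, ca=True)
WWW3 = make_cert("www3.example", CA_CERT, CA_KEY, ec.generate_private_key(ec.SECP256R1()))
WWW4 = make_cert("www4.example", CA_CERT, CA_KEY, ec.generate_private_key(ec.SECP256R1()))
WWW3_STAPLE = make_staple(WWW3, CA_CERT, CA_KEY)
```

`staple_matches_leaf(WWW3, CA_CERT, WWW3_STAPLE)` is True while `staple_matches_leaf(WWW4, CA_CERT, WWW3_STAPLE)` is False, which is the www4 case above; against a live server the leaf comes from the handshake and the staple from the status_request extension.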