Differing ocsp responses

I think I’ve got OCSP stapling set up correctly with Nginx (1.9.0). I am seeing valid OCSP responses; however, if I keep querying the same server I also frequently see “No response”. The OCSP responses are valid for seven days. Is each worker doing its own OCSP query independently of the others? Or is there something else happening?

Hello,

Nginx uses a per worker OCSP cache.

Ok, that explains it then. Does the cache survive reloads? Or does it need to requery?

On Wed, Jun 29, 2016 at 1:23 AM, Kurt C. [email protected]

nginx workers are recreated on reload (read http://nginx.org/en/docs/control.html#reconfiguration), so nothing can remain from the past cache at this level.

B. R.

On Wed, Jun 29, 2016 at 6:26 PM, itpp2012 [email protected]

CJ Ess Wrote:

Ok, that explains it then. Does the cache survive reloads? Or does it need to requery?

See also https://forum.nginx.org/read.php?2,249249,249249#msg-249249

"When Nginx starts for the first time, and there’s no cached OCSP response, the first client to try an OCSP will fail; I understand that this is by design, and I’ve overcome it by simply ‘warming’ the cache manually by using OpenSSL’s s_client… "

Posted at Nginx Forum:
https://forum.nginx.org/read.php?2,267945,267953#msg-267953
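
A way to measure the behaviour discussed in this thread, added here as an example and not posted by any of the participants: it opens repeated TLS connections with `openssl s_client -status` and counts how many handshakes carried a stapled OCSP response, which shows whether some workers still have a cold cache after a start or reload. The function names and the trimmed sample transcripts are constructed for illustration; the matched strings are the ones s_client prints.

```shell
#!/bin/sh
# Classify one `openssl s_client -status` transcript read from stdin.
# Prints "stapled", "none", or "unknown".
classify_staple() {
    awk '
        /OCSP Response Status: successful/ { r = "stapled" }
        /OCSP response: no response sent/  { if (r == "") r = "none" }
        END { print (r == "" ? "unknown" : r) }
    '
}

# Tally classifications (one per line) into "stapled=N none=N unknown=N".
tally() {
    awk '
        { c[$1]++ }
        END { printf "stapled=%d none=%d unknown=%d\n",
                     c["stapled"], c["none"], c["unknown"] }
    '
}

# Probe host N times. Each new connection may be accepted by a different
# worker, and each worker keeps its own OCSP cache.
probe() {
    host=$1; port=${2:-443}; n=${3:-20}
    i=0
    while [ "$i" -lt "$n" ]; do
        openssl s_client -connect "$host:$port" -servername "$host" -status \
            </dev/null 2>/dev/null | classify_staple
        i=$((i + 1))
    done | tally
}

# Constructed sample transcripts, trimmed to the relevant lines.
sample_stapled() {
    printf '%s\n' 'CONNECTED(00000003)' 'OCSP response: ' \
        '======================================' 'OCSP Response Data:' \
        '    OCSP Response Status: successful (0x0)' '    Cert Status: good'
}
sample_none() {
    printf '%s\n' 'CONNECTED(00000003)' 'OCSP response: no response sent'
}

# Contact a real server only when a hostname is given: ./script host [port] [n]
if [ "$#" -ge 1 ]; then
    probe "$@"
fi
```

Running the probe right after a reload and again a minute later gives a before/after count; a non-zero `none` figure that shrinks over time matches the per-worker cache described above.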
