How often ssl_stapling_file picks up an updated file?

Hey all.
Before I file a bug report I'd like to consult with the community to make sure I get the whole thing right.

I use ssl_stapling_file and update that file daily.
Today I discovered that one of my SSL websites returns outdated OCSP
response, not the one which is in the OCSP stapling file:

openssl s_client -connect xxxx:443 -tls1 -tlsextdebug -status

Cert Status: good
This Update: Mar 26 06:05:34 2015 GMT
Next Update: Mar 28 06:05:34 2015 GMT

Today is April 5. I checked the OCSP file: it's fresh (April 4), has correct permissions, is readable by nginx, etc.
Then I reloaded nginx (HUP) and boom:

openssl s_client -connect xxxx:443 -tls1 -tlsextdebug -status

Cert Status: good
This Update: Apr 4 04:19:53 2015 GMT
Next Update: Apr 6 04:19:53 2015 GMT

I run a dozen SSL websites with ssl_stapling_file but never had to HUP nginx to pick up an updated file (or at least I never noticed the issue (even in Firefox, which is very picky regarding OCSP)).

Is that a bug (1.7.11) or did I do it wrong all the time? :)

Thanks.

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,257831,257831#msg-257831

If nginx manages those files like the others (like logs), it (re)opens them on reload/restart.
You might tweak your updating script to also send a HUP signal to nginx. It would be recommended to check the error log on reload, as errors (if any) will appear there.

You might also simply use the ssl_stapling
http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
directive, with which nginx will manage the cache of the received OCSP
answer in memory by itself.
Why aren't you using this method?

B. R.
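The update-and-reload routine suggested in the reply, written out as an added example for this thread (it is not code from either poster or from nginx). It fetches a new OCSP response into the file named by ssl_stapling_file, reloads nginx only when the bytes actually changed (the reload is what makes nginx reopen the file), and then checks what the server really staples by parsing the same `openssl s_client -status` output shown in the question. The paths, the hostname and the use of GNU `date -d` are assumptions; the `RUN_REFRESH` guard is there so the helper functions can be sourced and tested without touching the network.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts or from nginx.
# Refreshes the DER file named by ssl_stapling_file, reloads nginx only when the
# response changed, and checks what the live server actually staples.
# All paths and the hostname below are assumed placeholders.
set -eu

STAPLE_FILE="${STAPLE_FILE:-/etc/nginx/ocsp/example.der}"   # assumed path
CERT="${CERT:-/etc/nginx/ssl/example.crt}"                   # assumed path
ISSUER="${ISSUER:-/etc/nginx/ssl/issuer.crt}"                # assumed path
HOST="${HOST:-example.com}"                                  # assumed hostname

# Pull the first "Next Update:" value out of `openssl s_client -status` output
# read from stdin. Prints nothing when no stapled response was present.
next_update_from_status() {
    sed -n 's/^[[:space:]]*Next Update: *//p' | head -n 1
}

# Exit 0 when a timestamp such as "Mar 28 06:05:34 2015 GMT" lies before the
# given epoch seconds, i.e. the stapled response has already expired.
# Relies on GNU date -d (assumed available).
staple_is_stale() {
    _next=$(date -u -d "$1" +%s)
    [ "$_next" -lt "$2" ]
}

# Fetch a fresh response from the responder URL embedded in the certificate,
# verify it against the issuer, write it atomically, and reload nginx only if
# the bytes differ from what is already on disk.
refresh_staple() {
    _url=$(openssl x509 -in "$CERT" -noout -ocsp_uri)
    _tmp=$(mktemp "${STAPLE_FILE}.XXXXXX")
    # -no_nonce: many responders serve pre-produced responses without a nonce.
    # openssl ocsp prints the cert status even when verification fails, so
    # require both "Response verify OK" and a "good" status before trusting it.
    if ! _out=$(openssl ocsp -issuer "$ISSUER" -cert "$CERT" -url "$_url" \
                  -CAfile "$ISSUER" -no_nonce -respout "$_tmp" 2>&1) \
       || ! printf '%s\n' "$_out" | grep -q 'Response verify OK' \
       || ! printf '%s\n' "$_out" | grep -q ': good'; then
        rm -f "$_tmp"
        echo "OCSP fetch/verify failed or status not good; keeping old file" >&2
        return 1
    fi
    if [ -f "$STAPLE_FILE" ] && cmp -s "$_tmp" "$STAPLE_FILE"; then
        rm -f "$_tmp"            # unchanged: nothing to reload
        return 0
    fi
    mv "$_tmp" "$STAPLE_FILE"
    # Same effect as HUP; if -t fails, the reason is in nginx's error log.
    nginx -t && nginx -s reload
}

# Ask the live server what it staples and report a response whose Next Update
# has already passed (the symptom described in the question).
check_served_staple() {
    _nu=$(openssl s_client -connect "$HOST:443" -servername "$HOST" -status \
            </dev/null 2>/dev/null | next_update_from_status)
    if [ -z "$_nu" ]; then
        echo "no stapled response served" >&2
        return 2
    fi
    if staple_is_stale "$_nu" "$(date -u +%s)"; then
        echo "STALE staple served, Next Update: $_nu" >&2
        return 1
    fi
    echo "fresh staple served, Next Update: $_nu"
}

# Run the whole cycle from the daily job with RUN_REFRESH=1; leaving it unset
# lets the functions above be sourced and tested without network access.
if [ "${RUN_REFRESH:-0}" = 1 ]; then
    refresh_staple
    check_served_staple
fi
```

Running `check_served_staple` after the daily update, rather than only trusting the file's mtime, is what would have caught the situation in the question (file fresh on disk, stale response on the wire) without waiting for a browser to complain.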
