How often ssl_stapling_file picks up an updated file?

Hey all.
Before I file a bug report I'd like to consult with the community to make
sure I get the whole thing right.

I use ssl_stapling_file and update that file daily.
Today I discovered that one of my SSL websites returns an outdated OCSP
response, not the one which is in the OCSP stapling file:

openssl s_client -connect xxxx:443 -tls1 -tlsextdebug -status

Cert Status: good
This Update: Mar 26 06:05:34 2015 GMT
Next Update: Mar 28 06:05:34 2015 GMT

Today is April 5. I checked the OCSP file; it's fresh (April 4), has correct
permissions, is readable by nginx, etc.
Then I reloaded nginx (HUP) and boom:

openssl s_client -connect xxxx:443 -tls1 -tlsextdebug -status

Cert Status: good
This Update: Apr 4 04:19:53 2015 GMT
Next Update: Apr 6 04:19:53 2015 GMT

I run a dozen SSL websites with ssl_stapling_file but never had to reload
nginx to pick up an updated file (or at least I never noticed the issue,
even in Firefox, which is very picky regarding OCSP).

Is that a bug (1.7.11) or did I do it wrong all the time? :)


Posted at Nginx Forum:

If nginx manages those files like the others (like logs), it (re)opens them
on reload/restart.
You might tweak your updating script to also send a HUP signal to nginx.
It would be recommended to check the error log on reload, as errors (if any)
will appear there.

You might also simply use the ssl_stapling
directive, with which nginx will manage the cache of the received OCSP
answer in memory by itself.
Why aren't you using this method?

B. R.