How to check nginx OCSP verification

Hello,

I want to configure a server with:
ssl_stapling on;
ssl_stapling_verify on;

What should happen if the ssl_trusted_certificate is
(not|mis)configured?
How to check nginx is properly configured and server-side OCSP response
verification works?

Thanks,

B. R.


nginx mailing list
[email protected]
http://mailman.nginx.org/mailman/listinfo/nginx

Hello,

You can check with this command found on this website:
https://unmitigatedrisk.com/?p=100
openssl s_client -connect login.live.com:443 -tls1 -tlsextdebug -status

If everything goes well, you should find something like:
"OCSP response:

OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
…"

If there’s no stapling, you’ll get:
“OCSP response: no response sent”.

Please note: when you restart nginx, you won’t get an OCSP answer
immediately. You’ll have to visit the URL and wait a few seconds before
having the stapling working for the next request. IIRC, this behavior is
because OCSP servers may be slow to answer.

Best Regards

Posted at Nginx Forum:

B.R.:

I want to have details about the status of nginx's validation of the initial
OCSP query it did to the OCSP responder of the CA, especially when it goes
wrong.

We do not let nginx fetch the OCSP data itself but use
ssl_stapling_file.
A cron job calls openssl and VERIFIES the OCSP response.

    #!/bin/sh
    # Fetch and VERIFY the OCSP response for one certificate, then hand it
    # to nginx through ssl_stapling_file (run from cron).

    OCSP_RESPONSE='/path/to/ocsp_response_file'   # ssl_stapling_file in nginx.conf

    # all intermediate and root certificates except the certificate itself
    # (a fixed path in /tmp is writable by every local user; mktemp is safer)
    CA_CHAIN='/tmp/ca_chain.pem'
    cat intermediate.pem root.pem > "$CA_CHAIN"

    DIRECT_ISSUER='root.pem'   # or intermediate.pem: exactly one certificate, the direct issuer
    CERT='cert.pem'            # for this certificate we need the OCSP response…

    # responder URL from the certificate's Authority Information Access extension
    OCSP_URI=$(openssl x509 -noout -text -in "$CERT" | grep 'OCSP - URI:' | cut -d: -f2,3)

    # -no_nonce: the stapled response is reused for every client, so it cannot
    # carry a per-request nonce. A non-zero exit status means the response
    # could not be fetched or did not verify against CA_CHAIN.
    openssl ocsp -no_nonce                   \
             -respout "${OCSP_RESPONSE}.tmp" \
             -CAfile "$CA_CHAIN"             \
             -issuer "$DIRECT_ISSUER"        \
             -cert "$CERT"                   \
             -url "$OCSP_URI"                \
             $EXTRA_ARGS

    if [ $? -ne 0 ]; then
        # handle error: keep the previous response in place, do not touch nginx
        rm -f "${OCSP_RESPONSE}.tmp"
        exit 1
    fi

    # success
    mv "${OCSP_RESPONSE}.tmp" "$OCSP_RESPONSE"
    killall -HUP nginx    # reload so nginx picks up the new stapling file

EXTRA_ARGS handles some special tweaks; you may want to adjust it to
your needs.

Andreas

I do not want to validate OCSP responses client-side, which are OK.
I want to have details about the status of nginx's validation of the initial
OCSP query it did to the OCSP responder of the CA, especially when it goes
wrong.

I noted that even though ssl_trusted_certificate is not set or set with a
wrong (set of) certificate(s), a cached OCSP response will be served by nginx
to the client after an initial request has been made to a domain hosted by
it and served through TLS.
I want to know the consequences of having such a directive badly
configured:

  • error.log message? Found nothing
  • modified OCSP response? Nope
  • What am I supposed to notice and where/when?

B. R.
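What Andreas's cron script relies on, and what B.R. is asking nginx to report on, is the same OpenSSL step: the responder's signature is checked, and the signer's certificate has to chain to an anchor in the trusted set (-CAfile for openssl ocsp, ssl_trusted_certificate for nginx with ssl_stapling_verify on). The script below is added here as an example and is not code from the thread. It performs that step offline against a throwaway PKI built on the spot (made-up CN values and responder URL, a delegated responder certificate, and an unrelated self-signed root standing in for a misconfigured trust anchor), so the three outcomes can be compared directly: the right anchor, a wrong anchor, and a wrong anchor with verification switched off, which is the counterpart of ssl_stapling_verify off. It needs only the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread: run the OCSP response
# verification step offline against a throwaway PKI so the effect of a right,
# wrong, or skipped trust anchor can be observed. All names, CN values and the
# responder URL below are made up for the example.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK" || exit 1

# Throwaway PKI: a root CA, a delegated OCSP responder and a leaf certificate
# issued by it, plus an unrelated root to play the role of a wrong anchor.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Example Test Root' \
        -keyout ca.key -out ca.pem >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Unrelated Root' \
        -keyout wrong.key -out wrong.pem >/dev/null 2>&1

    # responder certificate: needs the OCSPSigning extended key usage, otherwise
    # verifiers reject it as a signer for this CA's certificates
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Test OCSP Responder' \
        -keyout resp.key -out resp.csr >/dev/null 2>&1
    printf 'extendedKeyUsage = OCSPSigning\n' > resp.ext
    openssl x509 -req -in resp.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -days 2 -extfile resp.ext -out resp.pem >/dev/null 2>&1

    # leaf certificate with an AIA OCSP URI, the field nginx (and the cron
    # script above) read to locate the responder
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=www.example.test' \
        -keyout leaf.key -out leaf.csr >/dev/null 2>&1
    printf 'authorityInfoAccess = OCSP;URI:http://ocsp.example.test/\n' > leaf.ext
    openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -days 2 -extfile leaf.ext -out leaf.pem >/dev/null 2>&1

    # openssl ocsp's responder mode reads the "openssl ca" index format
    # (status, expiry, revocation date, serial, file name, subject; tab
    # separated); it looks up only the serial and the status letter (V = valid)
    serial=$(openssl x509 -noout -serial -in leaf.pem | cut -d= -f2)
    printf 'V\t391231235959Z\t\t%s\tunknown\t/CN=www.example.test\n' "$serial" > index.txt
}

# Produce a signed "good" response with no network round trip: openssl ocsp
# answers an internally generated request from the index, as a responder would.
make_response() {
    openssl ocsp -index index.txt -rsigner resp.pem -rkey resp.key -CA ca.pem -rmd sha256 \
        -no_nonce -issuer ca.pem -cert leaf.pem -respout resp.der >make_response.log 2>&1
}

# Verify the stored response the way the cron script does and the way nginx's
# ssl_stapling_verify has to: signature check, then the signer's chain must end
# at a certificate in CAFILE. Prints OK or FAIL; openssl's own output (such as
# "Response Verify Failure") lands in verify.log. Extra arguments, e.g.
# -noverify, are passed through to openssl ocsp.
verify_response() {
    cafile=$1
    shift
    if openssl ocsp -no_nonce -respin resp.der -issuer ca.pem -cert leaf.pem \
            -CAfile "$cafile" "$@" >verify.log 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

make_test_pki
make_response
echo "right trust anchor:         $(verify_response ca.pem)"                # OK
echo "wrong trust anchor:         $(verify_response wrong.pem)"             # FAIL
echo "wrong anchor with -noverify: $(verify_response wrong.pem -noverify)"  # OK, nothing was checked
```

The exit status of the verify call is the signal the cron script branches on: non-zero when openssl cannot verify the response against the given -CAfile, so with a wrong or missing anchor the new file is never moved into place. -no_nonce appears in both steps for the same reason it is in the cron script: a stapled response is reused for every client, so it cannot be bound to a per-request nonce. If you run the s_client check from the first reply against a current server, drop -tls1, which pins the handshake to TLS 1.0; -status alone requests the stapled response.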