How to check nginx OCSP verification

Hello,

I want to configure a server with:
ssl_stapling on;
ssl_stapling_verify on;

What should happen if the ssl_trusted_certificate is
(not|mis)configured?
How to check nginx is properly configured and server-side OCSP response
verification works?

Thanks,

B. R.


nginx mailing list
[email protected]
http://mailman.nginx.org/mailman/listinfo/nginx

Hello,

You can check with this command found on this website:
https://unmitigatedrisk.com/?p=100
openssl s_client -connect login.live.com:443 -tls1 -tlsextdebug
-status

If everything goes well, you should find something like:
"OCSP response:

OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
…"

If there’s no stapling, you’ll get:
“OCSP response: no response sent”.

Please note: when you restart nginx, you won’t get an OCSP answer
immediatly. You’ll have to visit the URL and wait a few seconds before
having the stapling working for the next request. IIRC, this behavior is
because OCSP servers may be slow to answer.

Best Regards

Posted at Nginx Forum:
https://forum.nginx.org/read.php?2,264967,264977#msg-264977

B.R.:

I want to have details about the status nginx’ validation of the initial
OCSP query it did to the OCSP responder of the CA, especially when it goes
wrong.

we do not let nginx fetch the ocsp data itself but use
ssl_stapling_file.
a cronjob call openssl and VERIFY the ocsp resonse.

 OCSP_RESPONSE='/path/to/ocsp_response_file' # ssl_stapling_file

in nginx.conf

 # all intermediate and root certificates exept the certificate 

itself
CA_CHAIN=’/tmp/ca_chain.pem’
cat intermediate.pem root.pem > $CA_CHAIN

 DIRECT_ISSUER='root.pem' # or intermediate.pem, exact one 

certificate
CERT=‘cert.pem’ # for this certificate we need the OCSP
response…

 OCSP_URI=`openssl x509 -noout -text -in ${CERT} | grep 'OCSP -

URI:’ | cut -d: -f2,3`

 openssl ocsp -no_nonce                \
         -respout ${OCSP_RESPONSE}.tmp \
         -CAfile ${CA_CHAIN}           \
         -issuer ${DIRECT_ISSUER}      \
         -cert ${CERT}                 \
         -url ${OCSP_URI}
         ${EXTRA_ARGS}

 if [ $? -eq 0 ]; then
   # handle error
 fi

 # success
 mv ${OCSP_RESPONSE}.tmp ${OCSP_RESPONSE}
 killall -HUP nginx

EXTRA_ARGS handle some special tweaks

you may want to adjust to your needs.

Andreas

I do not want to validate OCSP responses client-side, which are OK.
I want to have details about the status nginx’ validation of the initial
OCSP query it did to the OCSP responder of the CA, especially when it
goes
wrong.

I noted that even though ssl_trusted_certificate is not set or set with
a
wrong (set of) certificate(s), a cached OCSP response will served by
nginx
to the client after an initial request has been made to a domain hosted
by
it and served through TLS.
I want to know the consequences of having such a directive badly
configured
:

  • error.log message? Found nothing
  • modified OCSP response? Nope

  • What am I supposed to notice and where/when?​

B. R.

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs