I am trying to get OCSP Stapling working in Nginx 1.3.7 with SPDY
patch.spdy-52.txt built against OpenSSL 1.0.1c. SSL and SPDY
connections to the server work fine.
Let me explain what I have done so far and perhaps someone can point
me in the right direction or tell me if I have made a mistake somewhere.
The OCSP section of the nginx.conf under the SSL config looks like
this. The full certificate chain is in the "ssl_certificate
/ssl_keys/domain_ssl.crt" file and clients connect without issue.
# SSL Certs
ssl on;
ssl_session_cache shared:SSL:10m;
ssl_certificate /ssl_keys/domain_ssl.crt;
ssl_certificate_key /ssl_keys/domain_ssl.key;
ssl_ecdh_curve secp521r1;

# OCSP Stapling
resolver 127.0.0.1;
ssl_stapling on;
#ssl_stapling_verify on;
ssl_stapling_file /ssl_keys/domain.staple;
#ssl_trusted_certificate /ssl_keys/domain_issuer.crt;
#ssl_stapling_responder http://ocsp.comodoca.com;
According to the Nginx documentation I need to make a DER file for the
"ssl_stapling_file" directive in order to send out the OCSP stapling
response as part of the first connection. The domain.staple file was
made like so. Special thanks to the group over at
Nginx Secure SSL Web Server @ Calomel.org for getting me this far and allowing me
to use their server for testing against.
# Collect all the certificates and put them into separate files.
# level0 is the domain cert, level1 the certificate authority and level2 is
# the root over the CA.
openssl s_client -showcerts -connect calomel.org:443 < /dev/null | awk \
  -v c=-1 '/-----BEGIN CERTIFICATE-----/{inc=1;c++} inc {print > \
  ("level" c ".crt")} /-----END CERTIFICATE-----/{inc=0}'

# Look at the certificates and check that they look like the correct format.
for i in level?.crt; do openssl x509 -noout -serial -subject -issuer \
  -in "$i"; echo; done

# Put all of the publicly available certs into a bundle.
cat level{0,1,2}.crt > CAbundle.crt

# Collect the OCSP response and make the DER domain.staple file. Make
# sure "Cert Status: good" and "Response verify OK".
openssl ocsp -text -no_nonce -issuer level1.crt -CAfile CAbundle.crt \
  -cert level0.crt -VAfile level1.crt -url http://ocsp.comodoca.com \
  -respout domain.staple
At this point I believe I have done everything correctly and the
domain.staple DER formatted file is right. When I test my server with
the same steps as above, but with my own domain name instead of
calomel.org, I still get "OCSP response: no response sent" when I test
with the openssl client.
This is the openssl client line I used for testing to see what an OCSP
server response would look like. I tested two servers.

# This server's OCSP stapling response seems to work:
openssl s_client -connect login.live.com:443 -tls1 -tlsextdebug \
  -status
…
OCSP response:
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
…
# calomel.org does not support OCSP stapling (yet) and I get the same
# result on my server's domain:
openssl s_client -connect calomel.org:443 -tls1 -tlsextdebug -status \
  -CAfile /usr/lib/ssl/certs/AddTrust_External_Root.pem
…
OCSP response: no response sent
…
Sorry for the long email, but I want to be as clear as I could. Any
help would be appreciated. Thanks!