OCSP response: no response sent

I am trying to get OCSP Stapling working in Nginx 1.3.7 with SPDY
patch.spdy-52.txt built against OpenSSL 1.0.1c. SSL and SPDY
connections to the server work fine.

Let me explain what I have done so far, and perhaps someone can point
me in the right direction or tell me if I have made a mistake somewhere.

The OCSP section of the nginx.conf under the SSL config looks like
this. The full certificate chain is in the “ssl_certificate
/ssl_keys/domain_ssl.crt” file and clients connect without issue.

SSL Certs

  ssl on;
  ssl_session_cache shared:SSL:10m;
  ssl_certificate /ssl_keys/domain_ssl.crt;
  ssl_certificate_key /ssl_keys/domain_ssl.key;
  ssl_ecdh_curve secp521r1;

OCSP Stapling

  resolver 127.0.0.1;
  ssl_stapling on;
  #ssl_stapling_verify on;
  ssl_stapling_file /ssl_keys/domain.staple;
  #ssl_trusted_certificate /ssl_keys/domain_issuer.crt;
  #ssl_stapling_responder http://ocsp.comodoca.com;

According to the Nginx documentation I need to make a DER file for the
“ssl_stapling_file” directive in order to send out the OCSP stapling
response as part of the first connection. The domain.staple file was
made like so. Special thanks to the group over at
Nginx Secure SSL Web Server @ Calomel.org for getting me this far and allowing me
to use their server for testing against.

Collect all the certificates and put them into separate files.

level0 is the domain cert, level1 the certificate authority and level2
the root over the CA.

openssl s_client -showcerts -connect calomel.org:443 < /dev/null | awk -v c=-1 \
  '/-----BEGIN CERTIFICATE-----/{inc=1;c++} inc {print > ("level" c ".crt")} /-----END CERTIFICATE-----/{inc=0}'

Look at the certificates and check that they are in the correct format.

for i in level?.crt; do openssl x509 -noout -serial -subject -issuer -in "$i"; echo; done

Put all of the publicly available certs into a bundle

cat level{0,1,2}.crt > CAbundle.crt

Collect the OCSP response and make the DER domain.staple file. Make
sure the output shows "Cert Status: good" and "Response verify OK":

openssl ocsp -text -no_nonce -issuer level1.crt -CAfile CAbundle.crt \
  -cert level0.crt -VAfile level1.crt -url http://ocsp.comodoca.com \
  -respout domain.staple

At this point I believe I have done everything correctly and the
domain.staple DER formatted file is right. When I test my server with
the same steps as above, but with my own domain name instead of
calomel.org, I still get "OCSP response: no response sent" when I test
with the openssl client.

This is the openssl client line I used for testing to see what an OCSP
server response would look like. I tested two servers.

This server's OCSP stapling response seems to work:

openssl s_client -connect login.live.com:443 -tls1 -tlsextdebug -status

OCSP response:

OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response

calomel.org does not support OCSP stapling (yet) and I get the same
result on my server's domain:

openssl s_client -connect calomel.org:443 -tls1 -tlsextdebug -status \
  -CAfile /usr/lib/ssl/certs/AddTrust_External_Root.pem

OCSP response: no response sent

Sorry for the long email, but I wanted to be as clear as I could. Any
help would be appreciated. Thanks!

Hello!

On Wed, Oct 03, 2012 at 04:25:47PM -0400, CM Fields wrote:

>   #ssl_stapling_verify on;
>   ssl_stapling_file /ssl_keys/domain.staple;
>   #ssl_trusted_certificate /ssl_keys/domain_issuer.crt;
>   #ssl_stapling_responder http://ocsp.comodoca.com;

Just a side note: in most cases just switching on ssl_stapling and
configuring a resolver is enough; nginx will do everything else. If
it isn't able to, it will complain at "warn" level in the error
log. The ssl_stapling_file directive is mostly intended for debugging.

> According to the Nginx documentation I need to make a DER file for the
> "ssl_stapling_file" directive in order to send out the OCSP stapling
> response as part of the first connection. The domain.staple file was

As stapling is an optimization mechanism, you probably don't care
much about the first connection. The first connection will initiate an
OCSP request from nginx, and as soon as the response is available it
will be stapled.

> -cert level0.crt -VAfile level1.crt -url http://ocsp.comodoca.com
> This is the openssl client line I used for testing to see what an OCSP
>
> calomel.org does not support OCSP stapling (yet) and I get the same
> result on my server's domain:
> openssl s_client -connect calomel.org:443 -tls1 -tlsextdebug -status
> -CAfile /usr/lib/ssl/certs/AddTrust_External_Root.pem
>
> OCSP response: no response sent

The main question is: in which server have you configured stapling?
I.e., are you using a dedicated ip/port, or trying to use name-based
virtual hosts instead?

Note that with SSL it's not that easy to do virtual hosts
correctly, even if SNI is supported by many clients as of now. In
particular, the above openssl command won't set servername and
hence will hit the default server.

Additionally, while looking into this I've found that due to an
OpenSSL bug, OCSP stapling won't work at all if it's not
enabled in the default server.


Maxim D.

Hello!

On Thu, Oct 04, 2012 at 02:31:41PM -0400, CM Fields wrote:

> I noticed the OCSP Response Data has an update time and a "next" update time.
>
> Cert Status: good
> This Update: Oct 4 00:00:37 2012 GMT
> Next Update: Oct 8 00:00:37 2012 GMT
>
> Am I correct in assuming nginx will cache the OCSP Response Data at
> least till "Next Update" time, thus reducing the amount of OCSP
> requests going to the CA?

Not exactly. As of now, nginx will cache valid responses for 1
hour, and errors for 5 mins.

> Finally, just a heads up. If I incorrectly put "ssl_stapling on;" in
> the parent http{} area Nginx 1.3.7 will crash/dump.

Oops, thank you for the report. Fix:

— a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -737,7 +737,7 @@ ngx_http_ssl_init(ngx_conf_t *cf)

     sscf = cscfp[s]->ctx->srv_conf[ngx_http_ssl_module.ctx_index];
  •    if (!sscf->stapling) {
    
  •    if (sscf->ssl.ctx == NULL || !sscf->stapling) {
           continue;
       }
    

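Review bot: the new `sscf->ssl.ctx == NULL` guard in `ngx_http_ssl_init()` is what prevents the crash reported above for a server that picks up `ssl_stapling on` from the http{} block without having SSL configured, but nothing in the hunk records that; a one-line comment above the `if` (e.g. "no SSL context: stapling was inherited into a non-SSL server, nothing to initialize") would spare the next reader from working out why `ssl.ctx` can be NULL at this point.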
(Committed, see Changeset 4888:3abac956f6c8 – nginx)

Maxim D.
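The two checks this thread turns on, as an added example that is not code from the thread or from nginx: the openssl test command with `-servername` so that SNI reaches a name-based virtual host rather than the default server (Maxim's point), parsing of the "OCSP response" / "Cert Status" lines, and a freshness test for a static ssl_stapling_file against its "Next Update" time. The sample OCSP text is constructed from the lines quoted above; the 24-hour refresh margin and the function names are assumptions.

```python
"""Added example, not code from the nginx thread: check stapling with SNI and test a
static staple file's freshness by parsing the openssl text output quoted above."""
import re
from datetime import datetime, timedelta, timezone

OPENSSL_TIME = "%b %d %H:%M:%S %Y GMT"  # openssl prints e.g. "Oct  4 00:00:37 2012 GMT"

# Constructed sample, modelled on the `openssl ocsp -text` lines quoted in the thread.
SAMPLE_OCSP_TEXT = """OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Oct  4 00:00:37 2012 GMT
    Next Update: Oct  8 00:00:37 2012 GMT
"""

def utc(*fields):
    """Aware UTC datetime, e.g. utc(2012, 10, 8, 0, 0, 37)."""
    return datetime(*fields, tzinfo=timezone.utc)

def s_client_status_cmd(host, port=443):
    """Argument list for subprocess.run: request a staple with -status; -servername
    sends SNI so a name-based virtual host is reached rather than the default server."""
    return ["openssl", "s_client", "-connect", f"{host}:{port}",
            "-servername", host, "-status"]

def parse_stapling(output):
    """Classify `s_client -status` output: 'none', 'good', 'revoked', 'unknown' or 'error'."""
    if "OCSP response: no response sent" in output:
        return "none"
    m = re.search(r"Cert Status:\s*(\w+)", output)
    return m.group(1) if m else "error"

def parse_validity(output):
    """Return (this_update, next_update) parsed from `openssl ocsp -text` output."""
    times = []
    for key in ("This Update", "Next Update"):
        m = re.search(rf"{key}:\s*(.+GMT)", output)
        if not m:
            raise ValueError(f"{key} missing from OCSP response text")
        raw = " ".join(m.group(1).split())  # collapse the double space in "Oct  4"
        times.append(datetime.strptime(raw, OPENSSL_TIME).replace(tzinfo=timezone.utc))
    return tuple(times)

def staple_needs_refresh(output, now, margin=timedelta(hours=24)):
    """A static ssl_stapling_file is only good until Next Update: refresh it `margin`
    before then (24 h is an assumed operational choice) or if it is not yet valid."""
    this_update, next_update = parse_validity(output)
    return not (this_update <= now < next_update - margin)
```

Feed `s_client_status_cmd(host)` to `subprocess.run(..., input=b"", capture_output=True)` and pass the decoded stdout to `parse_stapling`; feed the output of `openssl ocsp -respin domain.staple -text -noverify` to `staple_needs_refresh` from a cron job that rebuilds the staple file.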

Maxim,

Thank you. I was using virtual hosts. Once I switched my conf over to
using a default ssl server block, with "server _;", OCSP stapling
worked with the openssl client test. This is perfectly fine in my
situation. All that was needed was "ssl_stapling on;" and the resolver
line, just like you mentioned.

Question:

I noticed the OCSP Response Data has an update time and a "next" update
time.

Cert Status: good
This Update: Oct 4 00:00:37 2012 GMT
Next Update: Oct 8 00:00:37 2012 GMT

Am I correct in assuming nginx will cache the OCSP Response Data at
least till "Next Update" time, thus reducing the amount of OCSP
requests going to the CA?

Finally, just a heads up. If I incorrectly put “ssl_stapling on;” in
the parent http{} area Nginx 1.3.7 will crash/dump.

Again, thanks for a great web server.

Hi!

> Additionally, while looking into this I've found that due to an
> OpenSSL bug, OCSP stapling won't work at all if it's not
> enabled in the default server.

Please, add this to the documentation.
