Ocsp stapling

Rafa_F · August 22, 2015, 4:41am

I have my nginx virtual host set to enable ocsp stapling but it doesn’t
actually do it. Ssllabs testing reports no. OpenSSL cli testing reports
nothing.

Nginx v1.8.0
Centos 6.7 64bit
OpenSSL 1.0.1e

I only have the ocsp config on one domain for testing. Any thoughts?
Thanks.

–

Fabe

Fabian_Santiago · August 22, 2015, 8:35pm

I have been using Nginx 1.8.X with ocsp stabling for a couple of weeks
and
it seems to be fine. Please send your config files, it may help…

Posted at Nginx Forum:

Fabian_Santiago · August 22, 2015, 8:47pm

Sure,

here is the relevant portion of my virtual hosts config:

server {
listen 443 ssl;
server_name ;

client_max_body_size 64m;
client_body_timeout 60;

access_log /var/log/nginx/…;
error_log /var/log/nginx/…;

root /var/www/html/rc/;
index index.html index.php;

ssl_protocols TLSv1.1 TLSv1.2;
ssl_certificate /etc/pki/tls/private/…pem;
ssl_certificate_key /etc/pki/tls/private/…pem;

ssl_session_cache shared:SSL:10m;
ssl_session_timeout 4h;

ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/pki/tls/private/dhparams.pem;

add_header Public-Key-Pins-Report-Only
‘pin-sha256=“amMeV6gb9QNx0Zf7FtJ19Wa/t2B7KpCF/1n2Js3UuSU=”;
pin-sha256=“hXVOamtUHc8T8jznu+VMpu6wgk3ASIUi6YM4obeAEDw=”;
max-age=31536000; includeSubDomains’;

add_header Strict-Transport-Security “max-age=31536000;
includeSubdomains”;

resolver 127.0.0.1;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/pki/tls/private/root_store/…pem;

Fabian_Santiago · August 23, 2015, 10:01am

Config files seems to be OK. Just make sure “ssl_trusted_certificate”
contais the intermediate & root certificates (in that order from top to
bottom).

You can test with the following command:

echo QUIT | openssl s_client -connect yourhost.com:443 -status 2>
/dev/null
| grep -A 17 ‘OCSP response:’ | grep -B 17 ‘Next Update’

good luck

Posted at Nginx Forum:

Fabian_Santiago · August 23, 2015, 10:31pm

Update;

it all works now. once i enabled ocsp stapling for ALL of my virtual
domains, they then all began reporting correct results.

fabe

Fabian_Santiago · August 23, 2015, 3:56pm

Thanks.

It does.

Test produces no results.

Not working on ssllabs (no result).

I’m clueless. I’ve seen mention out on the web about making sure you
define ocsp for the default site or none else will work. I also make use
of sni as I only have one ip address.

I have no truly “default” site configured.

Could be related? I am new to nginx so I’m still learning lots. Thanks
again.

–

Fabe