Re: SSL issues after upgrading from 7.3 to 7.4

2023-10-22 Thread Stuart Henderson
On 2023-10-21, Theo Buehler wrote:
> On Sat, Oct 21, 2023 at 09:23:51AM +0300, Mark wrote:
>> So, no idea on this?
>
> No. OCSP does work for me on 7.4 when enabled, both with httpd and nginx.
> With nginx, you need to have accessed the page at least once so it
> fetches and caches the staple and that may depend on the per worker
> process.

Confirmed here.

Also note that, if you have multiple workers configured, the OCSP staple
cache does not seem to be shared between them.

Check error logs for anything relevant too.




Re: SSL issues after upgrading from 7.3 to 7.4

2023-10-21 Thread Theo Buehler
On Sat, Oct 21, 2023 at 09:23:51AM +0300, Mark wrote:
> So, no idea on this?

No. OCSP does work for me on 7.4 when enabled, both with httpd and nginx.
With nginx, you need to have accessed the page at least once so it
fetches and caches the staple and that may depend on the per worker
process.

I see no fundamental issues in my testing and this was confirmed
independently by others who have various setups with various CAs.

For example doing

$ nc -cvz www.openbsd.org 443

will show good OCSP stapling. Similar with

$ openssl s_client -status -connect www.openbsd.org:443

on several OS with various openssl variants. So there are no SSL issues
per se.

> There are people having similar SSL issues (have been reading about them in
> IRC channels)

I take your word for it. No actionable bug report reached the relevant
mailing lists.

A minimal, known working configuration with 7.3 that stops working with
7.4 will probably help.
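An added example (not code from the thread, nginx or OpenBSD) that turns the `openssl s_client -status` check above into a repeatable probe and, following Stuart's note about per-worker staple caches, connects several times and counts how many answers carried a staple. Host, port and try count are arguments; the two transcripts embedded in the script are constructed from the marker lines s_client prints, so the classifier can be exercised offline.

```shell
#!/bin/sh
# Added example, not code from the thread or from nginx/OpenBSD: classify the
# OCSP stapling status in `openssl s_client -status` output, and probe a host
# several times, since a staple fetched lazily by one nginx worker is not
# visible to its siblings and a single connection may miss it.

# Read one s_client transcript from stdin and print a one-word verdict:
#   stapled      staple present and the OCSP responder said "good"
#   stapled-bad  staple present but it does not say "good" (revoked, unauthorized, ...)
#   unstapled    server sent no OCSP response at all
#   unknown      transcript lacks the markers s_client prints (handshake failed?)
classify_staple() {
    out=$(cat)
    case "$out" in
        *"OCSP Response Status: successful"*"Cert Status: good"*) echo stapled ;;
        *"OCSP Response Status:"*)                               echo stapled-bad ;;
        *"OCSP response: no response sent"*)                     echo unstapled ;;
        *)                                                       echo unknown ;;
    esac
}

# Connect to host:port N times (default 5) and count verdicts. A staple cache
# that is still empty on some workers shows up as a mix of "unstapled" and
# "stapled" answers rather than one clean result.
probe_stapling() {
    host=$1; port=${2:-443}; tries=${3:-5}
    ok=0; bad=0; i=0
    while [ "$i" -lt "$tries" ]; do
        verdict=$(openssl s_client -status -servername "$host" \
                  -connect "$host:$port" </dev/null 2>/dev/null | classify_staple)
        if [ "$verdict" = stapled ]; then ok=$((ok + 1)); else bad=$((bad + 1)); fi
        i=$((i + 1))
    done
    echo "$host: stapled=$ok not_stapled=$bad of $tries"
}

# Constructed, abridged transcripts so the classifier can be checked offline.
SAMPLE_STAPLED='OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
---'
SAMPLE_UNSTAPLED='CONNECTED(00000003)
OCSP response: no response sent
---'

# Usage: sh ocsp_probe.sh example.org [port] [tries]
if [ $# -ge 1 ]; then probe_stapling "$@"; fi
```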



Re: SSL issues after upgrading from 7.3 to 7.4

2023-10-21 Thread Daniele B.


Would you mind posting your nginx ssl configuration together with your
resolver directive?

-- Daniele Bonini


Mark wrote:

> > "SERVER DOES NOT SUPPORT OCSP STAPLING" after the upgrade.
> >
> > However, again, OCSP stapling is implemented correctly in my
> > nginx.conf file, working for a year.



Re: SSL issues after upgrading from 7.3 to 7.4

2023-10-21 Thread Mark
So, no idea on this?

There are people having similar SSL issues (I have been reading about them in
IRC channels).

I don't use TLSv1.0 or TLSv1.1 either. I'm aware of the related changes in
7.4.

Best,
Mark.

Mark wrote on Mon, 16 Oct 2023 at 22:01:

> Hi.
>
> First of all, thank you very much for all your great efforts on 7.4!
>
> I upgraded my VPS from 7.3 to 7.4, and it's weird that, after the upgrade,
> Qualys SSL Labs test for HTTPS/SSL websites gives:
> "HTTP request to this server failed, see below for details."
>
> However, my website works fine with browsers,
> and my nginx configuration has nothing weird at all,
> checked with "nginx -t"; I had no such message when I checked just before I
> upgraded.
>
> Also, one more tool, immuniweb.com/ssl/, reports:
> "SERVER DOES NOT SUPPORT OCSP STAPLING" after the upgrade.
>
> However, again, OCSP stapling is implemented correctly in my nginx.conf
> file, working for a year.
>
> And just before the upgrade, I had no such messages from any of those SSL
> checkers.
>
> And I haven't changed anything at all regarding my nginx configuration.
>
> My VPS is rented from Hetzner, and I had created a snapshot of it just
> before the upgrade process.
> So, after a one-click revert to the older snapshot, back to OpenBSD 7.3, both
> tests' reports are fine now.
>
> No more "HTTP request to this server failed" from Qualys SSL Labs,
> and no more "SERVER DOES NOT SUPPORT OCSP STAPLING" from Immuniweb SSL
> test.
>
> Obviously, something is not good with 7.4?
>
> My SSL certificates are from Let's Encrypt, and I have "ssl_protocols
> TLSv1.3 TLSv1.2;" in my nginx.conf, if that would help?
>
> Best Wishes,
>
> Mark.
>


SSL issues after upgrading from 7.3 to 7.4

2023-10-16 Thread Mark
Hi.

First of all, thank you very much for all your great efforts on 7.4!

I upgraded my VPS from 7.3 to 7.4, and it's weird that, after the upgrade,
Qualys SSL Labs test for HTTPS/SSL websites gives:
"HTTP request to this server failed, see below for details."

However, my website works fine with browsers,
and my nginx configuration has nothing weird at all,
checked with "nginx -t"; I had no such message when I checked just before I
upgraded.

Also, one more tool, immuniweb.com/ssl/, reports:
"SERVER DOES NOT SUPPORT OCSP STAPLING" after the upgrade.

However, again, OCSP stapling is implemented correctly in my nginx.conf
file, working for a year.

And just before the upgrade, I had no such messages from any of those SSL
checkers.

And I haven't changed anything at all regarding my nginx configuration.

My VPS is rented from Hetzner, and I had created a snapshot of it just
before the upgrade process.
So, after a one-click revert to the older snapshot, back to OpenBSD 7.3, both
tests' reports are fine now.

No more "HTTP request to this server failed" from Qualys SSL Labs,
and no more "SERVER DOES NOT SUPPORT OCSP STAPLING" from Immuniweb SSL test.

Obviously, something is not good with 7.4?

My SSL certificates are from Let's Encrypt, and I have "ssl_protocols
TLSv1.3 TLSv1.2;" in my nginx.conf, if that would help?

Best Wishes,

Mark.