Re: OCSP stapling for client certificates

2019-12-04 Thread Frank Liu
https://trac.nginx.org/nginx/ticket/1534 > On Dec 4, 2019, at 9:31 AM, ramirezc wrote: > > I have the same question as itplayer: Other than CRL, any other alternative > way we can do OCSP validation in the pipeline? > > Posted at Nginx Forum: > https://forum.nginx.org/read.php?2,252893,28640

Re: OCSP stapling for client certificates

2019-12-04 Thread ramirezc
I have the same question as itplayer: Other than CRL, any other alternative way we can do OCSP validation in the pipeline? Posted at Nginx Forum: https://forum.nginx.org/read.php?2,252893,286405#msg-286405 ___ nginx mailing list nginx@nginx.org http:/

Re: OCSP stapling for client certificates

2019-04-13 Thread itplayer
Other than CRL, any other alternative way we can do OCSP validation in the pipeline? Posted at Nginx Forum: https://forum.nginx.org/read.php?2,252893,283766#msg-283766

Re: OCSP stapling broken with 1.15.4

2018-10-01 Thread A. Schulze
On 01.10.18 at 15:43, Bernardo Donadio wrote: > I've restored the 1.15.4 package and have been making some requests. > Some of them are correctly stapled, others do not. There's no restart > between tests. maybe you run multiple threads and for each thread there is one first request? > I'm no

RE: OCSP stapling broken with 1.15.4

2018-10-01 Thread Reinis Rozitis
> Indeed, with further tests I think that the stapling is working... > sometimes. > > > I'm not using the staple file, though. Is this behavior expected without such > configuration? Also, I've enabled ssl_early_data. Each nginx worker has its own cache. Depending on your worker_processes you m

Re: OCSP stapling broken with 1.15.4

2018-10-01 Thread Bernardo Donadio
On 10/1/18 10:04 AM, A. Schulze wrote: > Did you try to measure twice? Indeed, with further tests I think that the stapling is working... sometimes. I've restored the 1.15.4 package and have been making some requests. Some of them are correctly sta

Re: OCSP stapling broken with 1.15.4

2018-10-01 Thread A. Schulze
Bernardo Donadio: Hi. I've noticed that OCSP stapling was broken by 1.15.4, as you may see below: -- nginx 1.15.4 with OpenSSL 1.1.1 final $ openssl s_client -connect bcdonadio.com:443 -tlsextdebug -status CONNECTED(0003) TLS server extension "renegotiation

OCSP stapling broken with 1.15.4

2018-10-01 Thread Bernardo Donadio
Hi. I've noticed that OCSP stapling was broken by 1.15.4, as you may see below: -- nginx 1.15.4 with OpenSSL 1.1.1 final $ openssl s_client -connect bcdonadio.com:443 -tlsextdebug -status CONNECTED(0003) TLS server extension "renegotiation info" (id=65281),

Re: OCSP stapling priming and logging

2018-01-14 Thread Tom
10.01.2018, 03:02, "Maxim Dounin": Hello! On Mon, Jan 08, 2018 at 11:38:56PM +1300, Thomas Valentine wrote: I've spent a bit of time setting up my server with SSL, and checking for OCSP stapling to be working - couldn't work out why it wasn't sending the OCS

Re: OCSP stapling priming and logging

2018-01-09 Thread Maxim Dounin
Hello! On Mon, Jan 08, 2018 at 11:38:56PM +1300, Thomas Valentine wrote: > I've spent a bit of time setting up my server with SSL, and checking > for OCSP stapling to be working - couldn't work out why it wasn't > sending the OCSP reply but it's as I w

OCSP stapling priming and logging

2018-01-08 Thread Thomas Valentine
I've spent a bit of time setting up my server with SSL, and checking for OCSP stapling to be working - couldn't work out why it wasn't sending the OCSP reply but it's as I was querying the server as the first hit before it had primed the response. This isn't mentioned in

Re: OCSP stapling and resolver

2017-09-27 Thread Maxim Dounin
Hello! On Tue, Sep 26, 2017 at 05:24:26PM +0200, Grzegorz Kulewski wrote: > On 26.09.2017 15:20, Maxim Dounin wrote: > > Hello! > > > > On Tue, Sep 26, 2017 at 03:48:57AM +0200, Grzegorz Kulewski > > wrote: > > > >> Is resolver in nginx st

Re: OCSP stapling and resolver

2017-09-26 Thread Grzegorz Kulewski
On 26.09.2017 15:20, Maxim Dounin wrote: > Hello! > > On Tue, Sep 26, 2017 at 03:48:57AM +0200, Grzegorz Kulewski wrote: > >> Is resolver in nginx still needed for OCSP stapling? > > Yes. > >> I am getting a warning from nginx if resolver is not suppl

Re: OCSP stapling and resolver

2017-09-26 Thread Maxim Dounin
Hello! On Tue, Sep 26, 2017 at 03:48:57AM +0200, Grzegorz Kulewski wrote: > Is resolver in nginx still needed for OCSP stapling? Yes. > I am getting a warning from nginx if resolver is not supplied > but at the same time both Qualys and openssl s_client output > suggest OCSP

Re: OCSP stapling and resolver

2017-09-26 Thread A. Schulze
Grzegorz Kulewski: Hello, Is resolver in nginx still needed for OCSP stapling? I am getting a warning from nginx if resolver is not supplied but at the same time both Qualys and openssl s_client output suggest OCSP stapling is working. Strange. There are two options - let nginx fetch

OCSP stapling and resolver

2017-09-25 Thread Grzegorz Kulewski
Hello, Is resolver in nginx still needed for OCSP stapling? I am getting a warning from nginx if resolver is not supplied but at the same time both Qualys and openssl s_client output suggest OCSP stapling is working. Strange. -- Grzegorz Kulewski g...@leniwiec.biz +48 663 92 88 95

Re: OCSP stapling

2016-11-09 Thread Maxim Dounin
Hello! On Tue, Nov 08, 2016 at 12:36:13PM +0100, Christian Cioni wrote: > Hi, > > on my server have activated a SSL in SNI configuration without problems, but > for the OCSP stapling configurations, receive always “no response sent” > > > > On m

Re: OCSP stapling

2016-11-08 Thread Alex Samad
configuration without problems, > but for the OCSP stapling configurations, receive always “no response sent” > > > > On my configuration have add: > > ssl_trusted_certificate /etc/nginx/ssl/CA.pem; > > ssl_stapling on; > > ssl_stapling_verify on;

OCSP stapling

2016-11-08 Thread Christian Cioni
Hi, on my server I have activated SSL in an SNI configuration without problems, but for the OCSP stapling configuration I always receive “no response sent”. In my configuration I have added: ssl_trusted_certificate /etc/nginx/ssl/CA.pem; ssl_stapling on; ssl_stapling_verify on; What can I

Re: ocsp-stapling through http proxy?

2016-10-13 Thread rainer
On 2016-10-13 16:13, Reinis Rozitis wrote: You mean a transparent proxy? In our case, this is not possible. It's not really transparent. As far as I understand you have a problem with opening outgoing traffic to _random_ destination but you are fine if such traffic is pushed through some pro

Re: ocsp-stapling through http proxy?

2016-10-13 Thread Reinis Rozitis
You mean a transparent proxy? In our case, this is not possible. It's not really transparent. As far as I understand you have a problem with opening outgoing traffic to _random_ destination but you are fine if such traffic is pushed through some proxy server (which in general means that the p

Re: ocsp-stapling through http proxy?

2016-10-13 Thread Reinis Rozitis
- use an explicitly configured OCSP responder with the ssl_stapling_responder directive. It allows you to configure your own OCSP responder at a fixed address, and then proxy requests to the real responder. See http://nginx.org/r/ssl_stapling_responder for details. Ohh totally have looked

Re: ocsp-stapling through http proxy?

2016-10-13 Thread Maxim Dounin
t, which is kind of exactly the opposite of what I want to do. > And that's ignoring for a moment the necessity to allow outbound DNS... > > It would be cool if nginx would be able to do the stapling through a > http-proxy. OCSP stapling allows you to: - provide your own file to sta

Re: ocsp-stapling through http proxy?

2016-10-13 Thread rainer
On 2016-10-13 13:16, Reinis Rozitis wrote: It would be cool if nginx would be able to do the stapling through a http- proxy. Technically you could just "override" (via /etc/hosts or if you have your own dns service) your ssl's provider ocsp ip to your own proxy which will forward then the re

RE: ocsp-stapling through http proxy?

2016-10-13 Thread Reinis Rozitis
> It would be cool if nginx would be able to do the stapling through a http- > proxy. Technically you could just "override" (via /etc/hosts or if you have your own dns service) your ssl's provider ocsp ip to your own proxy which will forward then the requests to the original server. p.s. in thi

ocsp-stapling through http proxy?

2016-10-13 Thread rainer
Hi, we have been informed by our CA that they will be moving their OCSP-servers to "the cloud" - it was a fixed set of IPs before. These fixed sets could relatively easily be entered as firewall rules (and hosts-file entries, should DNS-resolution be unavailable). Of course, they could as easil

Re: How to enable OCSP stapling when default server is self-signed?

2016-09-29 Thread B.R.
ion that I've run into this issue as well when > > trying to > > > enable OCSP stapling, where I have a default_deny SSL server that > > has a > > > self-signed certificate where I don't want to use OCSP stapling, and > > other > > > actual serv

Re: How to enable OCSP stapling when default server is self-signed?

2016-09-29 Thread hotwirez
Maxim Dounin Wrote: --- > Hello! > > On Wed, Sep 28, 2016 at 12:44:45PM -0400, hotwirez wrote: > > [...] > > > I wanted to mention that I've run into this issue as well when > trying to > > enable OCSP sta

Re: How to enable OCSP stapling when default server is self-signed?

2016-09-28 Thread Maxim Dounin
Hello! On Wed, Sep 28, 2016 at 12:44:45PM -0400, hotwirez wrote: [...] > I wanted to mention that I've run into this issue as well when trying to > enable OCSP stapling, where I have a default_deny SSL server that has a > self-signed certificate where I don't want to use

Re: How to enable OCSP stapling when default server is self-signed?

2016-09-28 Thread hotwirez
Maxim Dounin Wrote: --- > Hello! > > On Sun, Apr 12, 2015 at 12:21:19PM -0400, numroo wrote: > > > >> Yes, I ran the s_client command multiple times to account for the > nginx > > >> responder delay. I w

Re: Ocsp stapling

2015-10-02 Thread Alan Orth
I'm also seeing this, in nginx 1.8.0. I have several vhosts using SSL, but only one using OCSP stapling. If I disable all the other servers using SSL then OCSP stapling works. If this is by design then it should be mentioned on the documentation page for the SSL module[0]. Regards, Ala

Re: OCSP stapling: automatic updates

2015-09-07 Thread Maxim Dounin
; > How would you diagnose and solve this problem? OCSP responses are re-requested by nginx after 1 hour, older responses may be returned only if there are no requests for OCSP stapling for a long time. If you consistently see an expired response - this likely means that it's what

OCSP stapling: automatic updates

2015-09-07 Thread 173279834462
Hello, nginx is not updating the ocsp response cache: This Update: Sep 5 08:36:32 2015 GMT Next Update: Sep 7 08:36:32 2015 GMT It is 16:09, so the cache is 8h behind. How would you diagnose and solve this problem? A related question is the duration of the cache. The local server

Re: Ocsp stapling

2015-08-23 Thread fsantiago
Update; it all works now. Once I enabled ocsp stapling for ALL of my virtual domains, they then all began reporting correct results. - fabe On 2015-08-23 09:55, Fabian Santiago wrote: Thanks. It does. Test produces no results. Not working on ssllabs (no result). I'm clueless.

Re: Ocsp stapling

2015-08-23 Thread Fabian Santiago
Thanks. It does. Test produces no results. Not working on ssllabs (no result). I'm clueless. I've seen mention out on the web about making sure you define ocsp for the default site or none of the others will work. I also make use of sni as I only have one ip address. I have no truly "default" site

Re: Ocsp stapling

2015-08-23 Thread biazus
Config files seem to be OK. Just make sure "ssl_trusted_certificate" contains the intermediate & root certificates (in that order from top to bottom). You can test with the following command: echo QUIT | openssl s_client -connect yourhost.com:443 -status 2> /dev/null | grep -A 17 'OCSP response:'

Re: Ocsp stapling

2015-08-22 Thread fsantiago
Sure, here is the relevant portion of my virtual hosts config: server { listen 443 ssl; server_name ; client_max_body_size 64m; client_body_timeout 60; access_log /var/log/nginx/.; error_log /var/log/nginx/.; root /var/www/html/rc/; index index.html index.php; ssl_protocols TLSv

Re: Ocsp stapling

2015-08-22 Thread biazus
I have been using Nginx 1.8.X with ocsp stapling for a couple of weeks and it seems to be fine. Please send your config files, it may help... Posted at Nginx Forum: http://forum.nginx.org/read.php?2,261177,261181#msg-261181

Ocsp stapling

2015-08-21 Thread Fabian Santiago
I have my nginx virtual host set to enable ocsp stapling but it doesn't actually do it. Ssllabs testing reports no. OpenSSL cli testing reports nothing. Nginx v1.8.0 Centos 6.7 64bit OpenSSL 1.0.1e I only have the ocsp config on one domain for testing. Any thoughts? Thanks. --

Re: OCSP stapling for client certificates

2015-07-05 Thread Maxim Dounin
Hello! On Sun, Jun 28, 2015 at 12:20:06PM -0400, prozit wrote: > Actually, I had the same questions. > Is this something that's available by now, or is it in the pipeline of any > new release of Nginx or will it never be? > > I'm just asking since I believe this might be a good feature to add si

Re: OCSP stapling for client certificates

2015-06-28 Thread prozit
Hi, Actually, I had the same questions. Is this something that's available by now, or is it in the pipeline of any new release of Nginx or will it never be? I'm just asking since I believe this might be a good feature to add since CRLs could get very big when lots of certificates have been revoke

Re: How to enable OCSP stapling when default server is self-signed?

2015-05-11 Thread bughunter
ogle and other search engines show that Firefox has been affected by > this OCSP problem for a long time. Perhaps they could start using GET > like everybody else? Umm...please don't hijack threads. Your issue(s) are not related to the main thread and are even partially off-topic for nginx. Hijacking threads is distracting for those who run threaded clients. My issue regarding OCSP stapling still remains unresolved. Posted at Nginx Forum: http://forum.nginx.org/read.php?2,257833,258801#msg-258801

Re: How to enable OCSP stapling when default server is self-signed?

2015-05-08 Thread Maxim Dounin
Hello! On Thu, May 07, 2015 at 02:28:12PM -0400, 173279834462 wrote: [...] > It turns out that the problem is "security.ssl.enable_ocsp_stapling", which > is > "true" by default. If I disable it, then FF loads the web sites. If I > re-enable it, > then FF complains again: > > > Secure Connect

Re: How to enable OCSP stapling when default server is self-signed?

2015-05-07 Thread 173279834462
> This depends on how your certificate is issued. If your certificate is issued directly by root CA certificate, then you don't need any extra certs here. If there are some intermediate certs, then you'll have to put them also. > When this directive was introduced, almost all certificates were issu

Re: How to enable OCSP stapling when default server is self-signed?

2015-05-07 Thread Maxim Dounin
Hello! On Thu, May 07, 2015 at 11:54:21AM -0400, 173279834462 wrote: [...] > problem 1 > - > > nginx's "ssl_certificate" (note the singular) is truly a bundle of the > certificate and the intermediate. > In fact, if we remove the intermediate, we break the chain. > > The descript

Re: How to enable OCSP stapling when default server is self-signed?

2015-05-07 Thread 173279834462
> Note that this doesn't really indicate anything: there are two forms of OCSP requests, POST and GET. And Firefox uses POST, while nginx uses GET. Given the fact that the responder was completely broken just a few days ago - it's quite possible that it's still broken for GETs in some cases. To comp

Re: How to enable OCSP stapling when default server is self-signed?

2015-05-01 Thread bughunter
also temporarily compiled and enabled a debug build for a few minutes (the log file went nuts). I had ssl_stapling on and no verification. There was still no OCSP stapling response data or anything related to OCSP in the debug logs. Based on numroo's earlier response and since I was al

Re: How to enable OCSP stapling when default server is self-signed?

2015-04-13 Thread Maxim Dounin
Hello! On Sun, Apr 12, 2015 at 12:21:19PM -0400, numroo wrote: > >> Yes, I ran the s_client command multiple times to account for the nginx > >> responder delay. I was testing OCSP stapling on just one of my domains. > >> Then I read that the 'default_server'

Re: How to enable OCSP stapling when default server is self-signed?

2015-04-12 Thread numroo
>> Yes, I ran the s_client command multiple times to account for the nginx >> responder delay. I was testing OCSP stapling on just one of my domains. >> Then I read that the 'default_server' SSL server also has to have OCSP >> stapling enabled for vhost

Re: How to enable OCSP stapling when default server is self-signed?

2015-04-08 Thread Maxim Dounin
Hello! On Wed, Apr 08, 2015 at 02:30:12AM -0400, bughunter wrote: > Maxim Dounin Wrote: > --- > > Hello! > > > > On Tue, Apr 07, 2015 at 12:26:23AM -0400, bughunter wrote: > > > > [...] > > > >

Re: How to enable OCSP stapling when default server is self-signed?

2015-04-07 Thread bughunter
Maxim Dounin Wrote: --- > Hello! > > On Tue, Apr 07, 2015 at 12:26:23AM -0400, bughunter wrote: > > [...] > > > > > So how do I enable OCSP stapling for my vhosts when the default > > > server cert >

Re: How to enable OCSP stapling when default server is self-signed?

2015-04-07 Thread Maxim Dounin
Hello! On Tue, Apr 07, 2015 at 12:26:23AM -0400, bughunter wrote: [...] > > > So how do I enable OCSP stapling for my vhosts when the default > > server cert > > > is self-signed? This seems like a potential bug in the nginx SSL > > module. > > > >

Re: How to enable OCSP stapling when default server is self-signed?

2015-04-06 Thread bughunter
eliminates some ancient web browsers > but I > > don't care about those browsers. > > > > I want to enable OCSP stapling and it seems to be configured > correctly in my > > test vhost (everything else about SSL already works fine - I get an > A on the > > Q

Re: How to enable OCSP stapling when default server is self-signed?

2015-04-06 Thread Maxim Dounin
Hello! On Sun, Apr 05, 2015 at 11:26:19PM -0400, bughunter wrote: > My web server is intentionally set up to only support virtual hosts and TLS > SNI. I know that the latter eliminates some ancient web browsers but I > don't care about those browsers. > > I want to enable

How to enable OCSP stapling when default server is self-signed?

2015-04-05 Thread bughunter
My web server is intentionally set up to only support virtual hosts and TLS SNI. I know that the latter eliminates some ancient web browsers but I don't care about those browsers. I want to enable OCSP stapling and it seems to be configured correctly in my test vhost (everything else abou

Re: OCSP stapling for client certificates

2014-08-27 Thread Maxim Dounin
Hello! On Wed, Aug 27, 2014 at 11:51:08AM -0500, Mohammad Dhedhi wrote: > Hi, > > I was able to setup nignx with client certificate authentication and OCSP > stapling. I however noticed that OCSP is used only for the nginx server ssl > certificate. > > It does not us

OCSP stapling for client certificates

2014-08-27 Thread Mohammad Dhedhi
Hi, I was able to setup nginx with client certificate authentication and OCSP stapling. I however noticed that OCSP is used only for the nginx server ssl certificate. It does not use OCSP for validating client certificates to see if a client is using a revoked certificate or not. Is ssl_crl the

Re: Issue with OCSP stapling when server certificate has been revoked by CA

2014-04-13 Thread shimi
"good" as specified here: > > http://tools.ietf.org/html/rfc6960#section-2.2 > > > I'm not sure I understand why it is a good idea not to tell the client that > > the certificate is known and has been revoked... the purpose (as I > > understand OCSP stap

Re: Issue with OCSP stapling when server certificate has been revoked by CA

2014-04-13 Thread Maxim Dounin
do you mean "positive"? i.e. "we have verified that the > certificate is OK and valid"? I mean "good" as specified here: http://tools.ietf.org/html/rfc6960#section-2.2 > I'm not sure I understand why it is a good idea not to tell the client that > the cert

Re: Issue with OCSP stapling when server certificate has been revoked by CA

2014-04-13 Thread shimi
not to tell the client that the certificate is known and has been revoked... the purpose (as I understand OCSP stapling) is to verify the cert is OK. Wouldn't returning no-response to a client cause it to think it may be an intermittent issue with accessing OCSP, and thus "soft

Re: Issue with OCSP stapling when server certificate has been revoked by CA

2014-04-13 Thread Maxim Dounin
wn issue, and a link > to a relevant resource would be appreciated in such a case. > > I'm using Nginx as a reverse HTTP proxy to Tomcat, primarily for the > purpose of doing OCSP stapling. > > When Nginx starts for the first time, and there's no cached OCSP res

Issue with OCSP stapling when server certificate has been revoked by CA

2014-04-13 Thread shimi
using Nginx as a reverse HTTP proxy to Tomcat, primarily for the purpose of doing OCSP stapling. When Nginx starts for the first time, and there's no cached OCSP response, the first client to try an OCSP will fail; I understand that this is by design, and I've overcome it by simply 

Re: SSL OCSP stapling won't enable

2013-12-16 Thread justin
Thanks so much, that worked perfectly using http://pastebin.com/gnWDSQ8Z. Thanks! Posted at Nginx Forum: http://forum.nginx.org/read.php?2,245528,245598#msg-245598

Re: SSL OCSP stapling won't enable

2013-12-16 Thread djlarsu
To add a bit more info, I see your site is using a Go Daddy G2 (SHA2) cert. In that case, here is the intermediate/root chain you'll want to use as ssl_trusted_certificate. C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate

Re: SSL OCSP stapling won't enable

2013-12-16 Thread djlarsu
This configuration is working for me. Perhaps nginx cannot verify the OCSP response with the bundle in /etc/pki/tls/certs/ca-bundle.trust.crt ? In my ssl_trusted_certificate file, I have these certificates, in order. C=US, O=The Go Daddy Group, Inc., OU=Go Daddy Class 2 Certification Authority C

Re: SSL OCSP stapling won't enable

2013-12-15 Thread justin
Steve, Yeah, I am getting OCSP response: no response sent. Should I try ssl_stapling_verify off; Any other ideas? Thanks. Posted at Nginx Forum: http://forum.nginx.org/read.php?2,245528,245549#msg-245549

Re: SSL OCSP stapling won't enable

2013-12-14 Thread Steve Wilson
pling_verify off;` I can get OCSP stapling to work on > my setup. In my experience it helps to (re)load the page a few times before > testing with SSLLabs to give the server time to fetch the OCSP response. > > Best regards > MacLemon > > On 14.12.2013, at 08:06, justin wrote:

Re: SSL OCSP stapling won't enable

2013-12-14 Thread MacLemon
Only when I set `ssl_stapling_verify off;` I can get OCSP stapling to work on my setup. In my experience it helps to (re)load the page a few times before testing with SSLLabs to give the server time to fetch the OCSP response. Best regards MacLemon On 14.12.2013, at 08:06, justin wrote

SSL OCSP stapling won't enable

2013-12-13 Thread justin
According to ssllabs.com SSL OCSP stapling is not enabled, even though I have the following in my http block: ssl_stapling on; ssl_stapling_verify on; ssl_trusted_certificate /etc/pki/tls/certs/ca-bundle.trust.crt; resolver 8.8.4.4 8.8.8.8 valid=600s; resolver_timeout 15s; Any idea why

Re: Problem with TLS handshake in some browsers when OCSP stapling enabled

2013-12-12 Thread Maxim Dounin
Hello! On Thu, Dec 12, 2013 at 11:59:26AM +0400, kyprizel wrote: > Hi, > we got a problem with OCSP stapling. > > During the handshake some browsers send TLS extension "certificate status" > with more than 5 bytes in it. > In Nginx error_log it looks l

Problem with TLS handshake in some browsers when OCSP stapling enabled

2013-12-12 Thread kyprizel
Hi, we got a problem with OCSP stapling. During the handshake some browsers send TLS extension "certificate status" with more than 5 bytes in it. In Nginx error_log it looks like: [crit] 8721#0: *35 SSL_do_handshake() failed (SSL: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN