https://trac.nginx.org/nginx/ticket/1534
> On Dec 4, 2019, at 9:31 AM, ramirezc wrote:
>
> I have the same question as itplayer: Other than CRL, any other alternative
> way we can do OCSP validation in the pipeline?
>
> Posted at Nginx Forum:
> https://forum.nginx.org/read.php?2,252893,28640
I have the same question as itplayer: Other than CRL, any other alternative
way we can do OCSP validation in the pipeline?
Posted at Nginx Forum:
https://forum.nginx.org/read.php?2,252893,286405#msg-286405
___
nginx mailing list
nginx@nginx.org
http:/
Other than CRL, any other alternative way we can do OCSP validation in the
pipeline?
Posted at Nginx Forum:
https://forum.nginx.org/read.php?2,252893,283766#msg-283766
On 01.10.18 at 15:43, Bernardo Donadio wrote:
> I've restored the 1.15.4 package and have been making some requests.
> Some of them are correctly stapled, others do not. There's no restart
> between tests.
maybe you run multiple threads and for each thread there is one first request?
> I'm no
> Indeed, with further tests I think that the stapling is working...
> sometimes.
>
>
> I'm not using the staple file, though. Is this behavior expected without such
> configuration? Also, I've enabled ssl_early_data.
Each nginx worker has its own cache.
Depending on your worker_processes you m
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
On 10/1/18 10:04 AM, A. Schulze wrote:
> Did you try to measure twice?
Indeed, with further tests I think that the stapling is working...
sometimes.
I've restored the 1.15.4 package and have been making some requests.
Some of them are correctly sta
Bernardo Donadio:
Hi.
I've noticed that OCSP stapling was broken by 1.15.4, as you may see below:
-- nginx 1.15.4 with OpenSSL 1.1.1 final
$ openssl s_client -connect bcdonadio.com:443 -tlsextdebug -status
CONNECTED(0003)
TLS server extension "renegotiation
Hi.
I've noticed that OCSP stapling was broken by 1.15.4, as you may see below:
-- nginx 1.15.4 with OpenSSL 1.1.1 final
$ openssl s_client -connect bcdonadio.com:443 -tlsextdebug -status
CONNECTED(0003)
TLS server extension "renegotiation info" (id=65281),
10.01.2018, 03:02, "Maxim Dounin": Hello! On Mon, Jan 08, 2018 at 11:38:56PM +1300, Thomas Valentine wrote: I've spent a bit of time setting up my server with SSL, and checking for OCSP stapling to be working - couldn't work out why it wasn't sending the OCS
Hello!
On Mon, Jan 08, 2018 at 11:38:56PM +1300, Thomas Valentine wrote:
>I've spent a bit of time setting up my server with SSL, and checking
> for OCSP stapling to be working - couldn't work out why it wasn't
>sending the OCSP reply but it's as I w
I've spent a bit of time setting up my server with SSL, and checking for OCSP stapling to be working - couldn't work out why it wasn't sending the OCSP reply but it's as I was querying the server as the first hit before it had primed the response. This isn't mentioned in
Hello!
On Tue, Sep 26, 2017 at 05:24:26PM +0200, Grzegorz Kulewski wrote:
> On 26.09.2017 15:20, Maxim Dounin wrote:
> > Hello!
> >
> > On Tue, Sep 26, 2017 at 03:48:57AM +0200, Grzegorz Kulewski
> > wrote:
> >
> >> Is resolver in nginx st
On 26.09.2017 15:20, Maxim Dounin wrote:
> Hello!
>
> On Tue, Sep 26, 2017 at 03:48:57AM +0200, Grzegorz Kulewski wrote:
>
>> Is resolver in nginx still needed for OCSP stapling?
>
> Yes.
>
>> I am getting a warning from nginx if resolver is not suppl
Hello!
On Tue, Sep 26, 2017 at 03:48:57AM +0200, Grzegorz Kulewski wrote:
> Is resolver in nginx still needed for OCSP stapling?
Yes.
> I am getting a warning from nginx if resolver is not supplied
> but at the same time both Qualys and openssl s_client output
> suggest OCSP
Grzegorz Kulewski:
Hello,
Is resolver in nginx still needed for OCSP stapling?
I am getting a warning from nginx if resolver is not supplied but at
the same time both Qualys and openssl s_client output suggest OCSP
stapling is working. Strange
There are two options
- let nginx fetch
Hello,
Is resolver in nginx still needed for OCSP stapling?
I am getting a warning from nginx if resolver is not supplied but at the same
time both Qualys and openssl s_client output suggest OCSP stapling is working.
Strange.
--
Grzegorz Kulewski
g...@leniwiec.biz
+48 663 92 88 95
Hello!
On Tue, Nov 08, 2016 at 12:36:13PM +0100, Christian Cioni wrote:
> Hi,
>
> on my server I have activated SSL in an SNI configuration without problems, but
> for the OCSP stapling configuration I always receive "no response sent"
>
>
>
> On m
configuration without problems,
> but for the OCSP stapling configuration I always receive "no response sent"
>
>
>
> On my configuration I have added:
>
> ssl_trusted_certificate /etc/nginx/ssl/CA.pem;
>
> ssl_stapling on;
>
> ssl_stapling_verify on;
Hi,
on my server I have activated SSL in an SNI configuration without problems, but
for the OCSP stapling configuration I always receive "no response sent"
On my configuration I have added:
ssl_trusted_certificate /etc/nginx/ssl/CA.pem;
ssl_stapling on;
ssl_stapling_verify on;
What can I
On 2016-10-13 16:13, Reinis Rozitis wrote:
You mean a transparent proxy?
In our case, this is not possible.
It's not really transparent.
As far as I understand you have a problem with opening outgoing
traffic to _random_ destination but you are fine if such traffic is
pushed through some pro
You mean a transparent proxy?
In our case, this is not possible.
It's not really transparent.
As far as I understand you have a problem with opening outgoing traffic to
_random_ destination but you are fine if such traffic is pushed through some
proxy server (which in general means that the p
- use an explicitly configured OCSP responder with the
ssl_stapling_responder directive. It allows to configure your
own OCSP responder at a fixed address, and then proxy requests to
the real responder. See http://nginx.org/r/ssl_stapling_responder
for details.
Ohh totally have looked
t, which is kind of exactly the opposite of what I want to do.
> And that's ignoring for a moment the necessity to allow outbound DNS...
>
> It would be cool if nginx would be able to do the stapling through a
> http-proxy.
OCSP stapling allows you to:
- provide your own file to sta
On 2016-10-13 13:16, Reinis Rozitis wrote:
It would be cool if nginx would be able to do the stapling through a
http-
proxy.
Technically you could just "override" (via /etc/hosts or if you have
your own dns service) your ssl's provider ocsp ip to your own proxy
which will forward then the re
> It would be cool if nginx would be able to do the stapling through a http-
> proxy.
Technically you could just "override" (via /etc/hosts or if you have your own
dns service) your ssl's provider ocsp ip to your own proxy which will forward
then the requests to the original server.
p.s. in thi
Hi,
we have been informed by our CA that they will be moving their
OCSP-servers to "the cloud" - it was a fixed set of IPs before.
These fixed sets could relatively easily be entered as firewall rules
(and hosts-file entries, should DNS-resolution be unavailable).
Of course, they could as easil
ion that I've run into this issue as well when
> > trying to
> > > enable OCSP stapling, where I have a default_deny SSL server that
> > has a
> > > self-signed certificate where I don't want to use OCSP stapling, and
> > other
> > > actual serv
Maxim Dounin Wrote:
---
> Hello!
>
> On Wed, Sep 28, 2016 at 12:44:45PM -0400, hotwirez wrote:
>
> [...]
>
> > I wanted to mention that I've run into this issue as well when
> trying to
> > enable OCSP sta
Hello!
On Wed, Sep 28, 2016 at 12:44:45PM -0400, hotwirez wrote:
[...]
> I wanted to mention that I've run into this issue as well when trying to
> enable OCSP stapling, where I have a default_deny SSL server that has a
> self-signed certificate where I don't want to use
Maxim Dounin Wrote:
---
> Hello!
>
> On Sun, Apr 12, 2015 at 12:21:19PM -0400, numroo wrote:
>
> > >> Yes, I ran the s_client command multiple times to account for the
> nginx
> > >> responder delay. I w
I'm also seeing this, in nginx 1.8.0. I have several vhosts using SSL, but
only one using OCSP stapling. If I disable all the other servers using SSL
then OCSP stapling works. If this is by design then it should be mentioned
on the documentation page for the SSL module[0].
Regards,
Ala
;
> How would you diagnose and solve this problem?
OCSP responses are re-requested by nginx after 1 hour, older
responses may be returned only if there are no requests for OCSP
stapling for a long time. If you consistently see an expired
response - this likely means that it's what
Hello,
nginx is not updating the ocsp response cache:
This Update: Sep 5 08:36:32 2015 GMT
Next Update: Sep 7 08:36:32 2015 GMT
It is 16:09, so the cache is 8h behind.
How would you diagnose and solve this problem?
A related question is the duration of the cache.
The local server
Update;
it all works now. once i enabled ocsp stapling for ALL of my virtual
domains, they then all began reporting correct results.
- fabe
On 2015-08-23 09:55, Fabian Santiago wrote:
Thanks.
It does.
Test produces no results.
Not working on ssllabs (no result).
I'm clueless.
Thanks.
It does.
Test produces no results.
Not working on ssllabs (no result).
I'm clueless. I've seen mention out on the web about making sure you define
ocsp for the default site or none else will work. I also make use of sni as I
only have one ip address.
I have no truly "default" site
Config files seems to be OK. Just make sure "ssl_trusted_certificate"
contains the intermediate & root certificates (in that order from top to
bottom).
You can test with the following command:
echo QUIT | openssl s_client -connect yourhost.com:443 -status 2> /dev/null
| grep -A 17 'OCSP response:'
Sure,
here is the relevant portion of my virtual hosts config:
server {
listen 443 ssl;
server_name ;
client_max_body_size 64m;
client_body_timeout 60;
access_log /var/log/nginx/.;
error_log /var/log/nginx/.;
root /var/www/html/rc/;
index index.html index.php;
ssl_protocols TLSv
I have been using Nginx 1.8.X with ocsp stapling for a couple of weeks and
it seems to be fine. Please send your config files, it may help...
Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,261177,261181#msg-261181
I have my nginx virtual host set to enable ocsp stapling but it doesn't
actually do it. Ssllabs testing reports no. OpenSSL cli testing reports
nothing.
Nginx v1.8.0
Centos 6.7 64bit
OpenSSL 1.0.1e
I only have the ocsp config on one domain for testing. Any thoughts? Thanks.
--
Hello!
On Sun, Jun 28, 2015 at 12:20:06PM -0400, prozit wrote:
> Actually, I had the same questions.
> Is this something that's available by now, or is it in the pipeline of any
> new release of Nginx or will it never be?
>
> I'm just asking since I believe this might be a good feature to add si
Hi,
Actually, I had the same questions.
Is this something that's available by now, or is it in the pipeline of any
new release of Nginx or will it never be?
I'm just asking since I believe this might be a good feature to add since
CRL's could get very big when lots of certificate have been revoke
ogle and other search engines show that Firefox has been affected by
> this OCSP problem for a long time. Perhaps they could start using GET
> like everybody else?
Umm...please don't hijack threads. Your issue(s) are not related to the
main thread and are even partially off-topic for nginx. Hijacking threads
is distracting for those who run threaded clients.
My issue regarding OCSP stapling still remains unresolved.
Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,257833,258801#msg-258801
Hello!
On Thu, May 07, 2015 at 02:28:12PM -0400, 173279834462 wrote:
[...]
> It turns out that the problem is "security.ssl.enable_ocsp_stapling", which
> is
> "true" by default. If I disable it, then FF loads the web sites. If I
> re-enable it,
> then FF complains again:
>
> > Secure Connect
> This depends on how your certificate is issued. If your certificate is
issued directly by root CA certificate, then you don't need any extra certs
here. If there are some intermediate certs, then you'll have to put them
also.
> When this directive was introduced, almost all certificates were issu
Hello!
On Thu, May 07, 2015 at 11:54:21AM -0400, 173279834462 wrote:
[...]
> problem 1
> -
>
> nginx's "ssl_certificate" (note the singular) is truly a bundle of the
> certificate and the intermediate.
> In fact, if we remove the intermediate, we break the chain.
>
> The descript
> Note that this doesn't really indicate anything: there are two forms of OCSP
requests, POST and GET. And Firefox uses POST, while nginx uses GET. Given
the fact that the responder was completely broken just a few days ago - it's
quite possible that it's still broken for GETs in some cases.
To comp
also temporarily compiled and enabled a debug build for a
few minutes (the log file went nuts). I had ssl_stapling on and no
verification. There was still no OCSP stapling response data or anything
related to OCSP in the debug logs.
Based on numroo's earlier response and since I was al
Hello!
On Sun, Apr 12, 2015 at 12:21:19PM -0400, numroo wrote:
> >> Yes, I ran the s_client command multiple times to account for the nginx
> >> responder delay. I was testing OCSP stapling on just one of my domains.
> >> Then I read that the 'default_server
>> Yes, I ran the s_client command multiple times to account for the nginx
>> responder delay. I was testing OCSP stapling on just one of my domains.
>> Then I read that the 'default_server' SSL server also has to have OCSP
>> stapling enabled for vhost
Hello!
On Wed, Apr 08, 2015 at 02:30:12AM -0400, bughunter wrote:
> Maxim Dounin Wrote:
> ---
> > Hello!
> >
> > On Tue, Apr 07, 2015 at 12:26:23AM -0400, bughunter wrote:
> >
> > [...]
> >
> &g
Maxim Dounin Wrote:
---
> Hello!
>
> On Tue, Apr 07, 2015 at 12:26:23AM -0400, bughunter wrote:
>
> [...]
>
> > > > So how do I enable OCSP stapling for my vhosts when the default
> > > server cert
>
Hello!
On Tue, Apr 07, 2015 at 12:26:23AM -0400, bughunter wrote:
[...]
> > > So how do I enable OCSP stapling for my vhosts when the default
> > server cert
> > > is self-signed? This seems like a potential bug in the nginx SSL
> > module.
> >
> &g
eliminates some ancient web browsers
> but I
> > don't care about those browsers.
> >
> > I want to enable OCSP stapling and it seems to be configured
> correctly in my
> > test vhost (everything else about SSL already works fine - I get an
> A on the
> > Q
Hello!
On Sun, Apr 05, 2015 at 11:26:19PM -0400, bughunter wrote:
> My web server is intentionally set up to only support virtual hosts and TLS
> SNI. I know that the latter eliminates some ancient web browsers but I
> don't care about those browsers.
>
> I want to enable
My web server is intentionally set up to only support virtual hosts and TLS
SNI. I know that the latter eliminates some ancient web browsers but I
don't care about those browsers.
I want to enable OCSP stapling and it seems to be configured correctly in my
test vhost (everything else abou
Hello!
On Wed, Aug 27, 2014 at 11:51:08AM -0500, Mohammad Dhedhi wrote:
> Hi,
>
> I was able to setup nginx with client certificate authentication and OCSP
> stapling. I however noticed that OCSP is used only for the nginx server ssl
> certificate.
>
> It does not us
Hi,
I was able to setup nginx with client certificate authentication and OCSP
stapling. I however noticed that OCSP is used only for the nginx server ssl
certificate.
It does not use OCSP for validating client certificates to see if a client
is using a revoked certificate or not. Is ssl_crl the
"good" as specified here:
>
> http://tools.ietf.org/html/rfc6960#section-2.2
>
> > I'm not sure I understand why it is a good idea not to tell the client that
> > the certificate is known and has been revoked... the purpose (as I
> > understand OCSP stap
do you mean "positive"? i.e. "we have verified that the
> certificate is OK and valid"?
I mean "good" as specified here:
http://tools.ietf.org/html/rfc6960#section-2.2
> I'm not sure I understand why it is a good idea not to tell the client that
> the cert
not to tell the client that
the certificate is known and has been revoked... the purpose (as I
understand OCSP stapling) is to verify the cert is OK. Wouldn't returning
no response to a client cause it to think it may be an intermittent
issue with accessing OCSP, and thus "soft
wn issue, and a link
> to a relevant resource would be appreciated in such a case.
>
> I'm using Nginx as a reverse HTTP proxy to Tomcat, primarily for the
> purpose of doing OCSP stapling.
>
> When Nginx starts for the first time, and there's no cached OCSP res
using Nginx as a reverse HTTP proxy to Tomcat, primarily for the
purpose of doing OCSP stapling.
When Nginx starts for the first time, and there's no cached OCSP response,
the first client to try an OCSP will fail; I understand that this is by
design, and I've overcome it by simply
Thanks so much, that worked perfectly using http://pastebin.com/gnWDSQ8Z.
Thanks!
Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,245528,245598#msg-245598
To add a bit more info, I see your site is using a Go Daddy G2 (SHA2) cert.
In that case, here is the intermediate/root chain you'll want to use as
ssl_trusted_certificate.
C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc.,
OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate
This configuration is working for me. Perhaps nginx cannot verify the OCSP
response with the bundle in /etc/pki/tls/certs/ca-bundle.trust.crt ? In my
ssl_trusted_certificate file, I have these certificates, in order.
C=US, O=The Go Daddy Group, Inc., OU=Go Daddy Class 2 Certification
Authority
C
Steve,
Yeah, I am getting OCSP response: no response sent. Should I try
ssl_stapling_verify off;
Any other ideas? Thanks.
Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,245528,245549#msg-245549
pling_verify off;` can I get OCSP stapling to work on
> my setup. In my experience it helps to (re)load the page a few times before
> testing with SSLLabs to give the server time to fetch the OCSP response.
>
> Best regards
> MacLemon
>
> On 14.12.2013, at 08:06, justin wrote:
Only when I set `ssl_stapling_verify off;` can I get OCSP stapling to work on my
setup. In my experience it helps to (re)load the page a few times before testing
with SSLLabs to give the server time to fetch the OCSP response.
Best regards
MacLemon
On 14.12.2013, at 08:06, justin wrote
According to ssllabs.com SSL OCSP stapling is not enabled, even though I
have the following in my http block:
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/pki/tls/certs/ca-bundle.trust.crt;
resolver 8.8.4.4 8.8.8.8 valid=600s;
resolver_timeout 15s;
Any idea why
Hello!
On Thu, Dec 12, 2013 at 11:59:26AM +0400, kyprizel wrote:
> Hi,
> we got a problem with OCSP stapling.
>
> During the handshake some browsers send TLS extension "certificate status"
> with more than 5 bytes in it.
> In Nginx error_log it looks l
Hi,
we got a problem with OCSP stapling.
During the handshake some browsers send TLS extension "certificate status"
with more than 5 bytes in it.
In Nginx error_log it looks like:
[crit] 8721#0: *35 SSL_do_handshake() failed (SSL: error:0D0680A8:asn1
encoding routines:ASN1_CHECK_TLEN