linux
serious911, 2015-04-16 10:28:23

Setting up OCSP Stapling in Nginx?

Hello.
I received an SSL certificate from the Chinese company WoSign according to instructions from Habr. I installed the certificate on a bunch of Ubuntu + Nginx + Apache, and judging by the check on ssllabs, everything seems to be working.
nginx config for site:

server {
    listen 80;
    listen 443 ssl;
    server_name site.net www.site.net;
    access_log /var/www/public_html/site.net/logs/nginx_access.log;
    error_log /var/www/public_html/site.net/logs/nginx_error.log;
    access_log off;
    #ssl on;
    ssl_certificate /var/www/public_html/ssl/site.net.crt;
    ssl_certificate_key /var/www/public_html/ssl/site.net.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    #ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_ciphers "RC4:HIGH:!aNULL:!MD5:!kEDH";
    ssl_session_cache shared:SSL:10m;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
    # OCSP stapling: the trusted bundle must contain the issuing chain so nginx
    # can build the OCSP request and, with ssl_stapling_verify, validate the reply
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /var/www/public_html/ssl/private/ca-certs.pem;
    # if enabled, ssl_stapling_responder expects a full URL (http://...)
    #ssl_stapling_responder ocsp6.wosign.com/ca6/server1/free;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # ................
    location / {
        proxy_pass http://127.0.0.1:8080/;
        ### force timeouts if one of the backends has died ##
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $host;
        proxy_connect_timeout 60;
        proxy_send_timeout 90;
        proxy_read_timeout 90;
        proxy_redirect off;
        proxy_set_header Connection close;
        proxy_pass_header Content-Type;
        proxy_pass_header Content-Disposition;
        proxy_pass_header Content-Length;
    }
}

To avoid long certificate-validation delays in China, OCSP stapling also has to be configured. I did the setup as described here, here and here. I even updated nginx to versions 1.6.4 (stable) and 1.7.10 (latest). I also tried to bolt on a homemade workaround as described here. But nothing helps...
The following command prints nothing to the console:

echo QUIT | openssl s_client -connect site.net:443 -status 2> /dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'

Here I get the following OCSP response:
[screenshot: b41c953b8d2e437e964ec49697fa1ebf.png]
And here this one:
[screenshot: 9fb9d86b6072458ba1c5eacef5b09a60.png]
There are no OCSP-related errors in the /var/www/public_html/site.net/logs/nginx_error.log log either.
Can you please tell me how to properly configure OCSP in this case?
Thank you.

2 answer(s)
polozad, 2015-04-16
@polozad

ssl_trusted_certificate /var/www/public_html/ssl/private/ca-certs.pem;

That's just great. Did you put the trusted certificate under the public directory?

serious911, 2015-04-16
@serious911

New details added :)
I just set up OCSP for RapidSSL certificates and everything works fine (I got "OCSP stapling = Yes" on SSL Labs), but not with WoSign. The problem is probably in their certificates.
There is one more thing... After successfully configuring OCSP for RapidSSL on one domain, the command:
openssl s_client -connect site1.net:443 -tls1 -tlsextdebug -status
returns the same OCSP Data response for different domains with different certificates, but on a server with the same IP.
OCSP Data for WoSign:
OCSP response: no response sent
depth=3 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
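The check command in the question and the "same OCSP data for every domain" observation in the follow-up can both be covered by one small script. This is an added example by the editor, not code from the question or the answers; it assumes a POSIX shell with openssl in PATH, takes the hostname as an argument, and the two sample outputs embedded in it are constructed, not captured from the asker's server.

```sh
#!/bin/sh
# Added example (editor's code, not from the question or answers).
# Assumes: POSIX sh, openssl in PATH, hostname passed as $1 for the live probe.

# Classify the output of `openssl s_client -status`.
# Prints one of: stapled | no-response | unknown
classify_ocsp() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
        echo "no-response"
    elif printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful' &&
         printf '%s\n' "$out" | grep -q 'Next Update:'; then
        echo "stapled"
    else
        echo "unknown"
    fi
}

# Live probe of one virtual host (network required; not run by the offline demo).
# -servername sends SNI, so nginx selects the matching server block; without it
# the default server's certificate and its staple come back for every name on a
# shared IP. nginx fetches the OCSP response only after the first handshake since
# startup, so the first probe may report "no-response" even when stapling is set
# up correctly; the second attempt is the one that counts.
probe_stapling() {
    host=$1
    result=unknown
    for attempt in 1 2; do
        result=$(printf 'QUIT\n' |
            openssl s_client -connect "$host:443" -servername "$host" -status 2>/dev/null |
            classify_ocsp)
        [ "$result" = "stapled" ] && break
        sleep 1
    done
    echo "$result"
}

# Check the material nginx needs for ssl_stapling_verify: the leaf certificate
# must chain through the intermediates to a root present in the trusted bundle.
# Exit status is that of `openssl verify` (0 means the chain validates).
verify_chain_file() {
    leaf=$1
    bundle=$2
    openssl verify -CAfile "$bundle" "$leaf" >/dev/null 2>&1
}

# Constructed samples of the two outcomes seen in the thread (not real captures).
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Apr 15 10:00:00 2015 GMT
    Next Update: Apr 22 10:00:00 2015 GMT
======================================'

SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent'

# Offline demo of the classifier; pass a hostname to run the live probe as well.
echo "sample with staple:    $(printf '%s\n' "$SAMPLE_STAPLED" | classify_ocsp)"
echo "sample without staple: $(printf '%s\n' "$SAMPLE_NONE" | classify_ocsp)"
if [ $# -ge 1 ]; then
    echo "live probe of $1: $(probe_stapling "$1")"
fi
```

Run it as `sh ocsp_check.sh site.net` and compare the result per hostname; a `-servername` probe that returns a different staple for each virtual host is the expected behaviour, while identical data for every name means the default server answered. The `verify error:num=19` line in the follow-up comes from openssl's own trust check (the root at the top of the chain the server sent is not in the local trust store, and no `-CAfile` was given); it is independent of whether a staple was sent, and `verify_chain_file` with the same bundle that `ssl_trusted_certificate` points at tells you whether nginx has what it needs to validate the OCSP reply.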
