
Can't get OCSP stapling to work, despite openssl working fine

Question asked by Richard Fussenegger on Dec 27, 2013
Latest reply on Jan 5, 2017 by Edwin Grubbs

Hi there,

As you can see on the SSL report of my site, OCSP stapling is reported as not working: https://www.ssllabs.com/ssltest/analyze.html?d=movlib.org

If I run the following command on my server everything looks good: openssl s_client -connect movlib.org:443 -tls1 -tlsextdebug -status -CApath /etc/ssl/certs/

Here's the full output:

CONNECTED(00000003)
TLS server extension "renegotiation info" (id=65281), len=1
0001 - TLS server extension "EC point formats" (id=11), len=4
0000 - 03 00 01 02                                       ....
TLS server extension "session ticket" (id=35), len=0
TLS server extension "status request" (id=5), len=0
TLS server extension "heartbeat" (id=15), len=1
0000 - 01                                                .
depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority
verify return:1
depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 1 Primary Intermediate Server CA
verify return:1
depth=0 C = AT, CN = www.movlib.org, emailAddress = webmaster@movlib.org
verify return:1
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = IL, O = StartCom Ltd. (Start Commercial Limited), CN = StartCom Class 1 Server OCSP Signer
    Produced At: Dec 27 12:52:24 2013 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 6568874F40750F016A3475625E1F5C93E5A26D58
      Issuer Key Hash: EB4234D098B0AB9FF41B6B08F7CC642EEF0E2C45
      Serial Number: 0A7629
    Cert Status: good
    This Update: Dec 27 12:52:24 2013 GMT
    Next Update: Dec 29 12:52:24 2013 GMT

    Signature Algorithm: sha1WithRSAEncryption
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 862536 (0xd2948)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 1 Primary Intermediate Server CA
        Validity
            Not Before: Nov 22 09:47:41 2013 GMT
            Not After : Jan  2 23:40:41 2014 GMT
        Subject: C=IL, O=StartCom Ltd. (Start Commercial Limited), CN=StartCom Class 1 Server OCSP Signer
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                OCSP Signing, OCSP No Check
            X509v3 Subject Key Identifier:
                45:E0:A3:66:95:41:4C:5D:D4:49:BC:00:E3:3C:DC:DB:D2:34:3E:17
            X509v3 Authority Key Identifier:
                keyid:EB:42:34:D0:98:B0:AB:9F:F4:1B:6B:08:F7:CC:64:2E:EF:0E:2C:45

            X509v3 Issuer Alternative Name:
                URI:http://www.startssl.com/
    Signature Algorithm: sha1WithRSAEncryption
======================================
---
Certificate chain
 0 s:/C=AT/CN=www.movlib.org/emailAddress=webmaster@movlib.org
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---
Server certificate
subject=/C=AT/CN=www.movlib.org/emailAddress=webmaster@movlib.org
issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
---
No client certificate CA names sent
---
SSL handshake has read 6024 bytes and written 401 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: 3228C7FE86723EA1172CD7E4F3C090A13343F3669B604853D9B6FAF98327053B
    Session-ID-ctx:
    Master-Key: 9467AED12D82C8F1DB9FED34F0216A41494DAEE6F0F02A19EF24651F0C8F75F419001239A7211B35A8C710F188AFF260
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 128 (seconds)
    TLS session ticket:

    Start Time: 1388168897
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
closed

My nginx configuration is straightforward:

# Use a public DNS to resolve OCSP responder hostnames. The answer stays valid for a complete day.
#
# LINK: http://pcsupport.about.com/od/tipstricks/a/free-public-dns-servers.htm
resolver 209.244.0.3 209.244.0.4 valid=86400;

# Enable OCSP stapling.
#
# LINK: http://tools.ietf.org/html/rfc4366#section-3.6
# LINK: http://tools.ietf.org/html/rfc6066
ssl_stapling            on;
ssl_stapling_verify     off;
ssl_stapling_responder  http://ocsp.startssl.com/sub/class1/server/ca/;
ssl_trusted_certificate ssl/ca-bundle.pem;

Changing ssl_stapling_verify to on doesn't change anything.

Any ideas?
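A small checker for the `openssl s_client -status` output shown above, added here as an example (it is not the poster's code and not part of nginx or openssl): it classifies one handshake as stapled and fresh, stapled but outside its validity window, revoked/unknown, an unsuccessful responder status, or no staple at all. `capture_status_output` is an assumed helper that runs the same kind of openssl command with SNI added; the two sample strings are constructed from the decisive lines of the output above.

```python
import re
import subprocess
from datetime import datetime, timezone

# Timestamp format openssl prints ("Dec 27 12:52:24 2013 GMT"); strptime also accepts "Jan  2 ...".
_TS_FMT = "%b %d %H:%M:%S %Y GMT"
_KEYS = ("OCSP Response Status", "Cert Status", "This Update", "Next Update")

def capture_status_output(host: str, port: int = 443) -> str:
    """Assumed helper: same check as the post's command, with SNI; needs openssl on PATH."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host, "-status"]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=20)
    return proc.stdout.decode(errors="replace")

def _ts(value) -> datetime:
    """Accept a datetime, or a timestamp string in openssl's own format (treated as UTC)."""
    if isinstance(value, datetime):
        return value
    return datetime.strptime(value, _TS_FMT).replace(tzinfo=timezone.utc)

def assess_stapling(output: str, now=None) -> str:
    """Verdict for one handshake: none, unusable, bad-status, stale or ok."""
    if "OCSP Response Data:" not in output:
        return "none"        # openssl printed "OCSP response: no response sent"
    f = {}
    for key in _KEYS:      # pull the fields that decide whether the staple is usable
        m = re.search(rf"^\s*{re.escape(key)}: (.+?)\s*$", output, re.M)
        if m:
            f[key] = m.group(1)
    if not f.get("OCSP Response Status", "").startswith("successful"):
        return "unusable"    # e.g. tryLater/unauthorized cached and re-served by the server
    if f.get("Cert Status") != "good":
        return "bad-status"  # revoked or unknown: a client must not accept the certificate
    now = _ts(now or datetime.now(timezone.utc))
    if now < _ts(f["This Update"]):
        return "stale"       # not yet valid (clock skew between server and responder)
    if "Next Update" in f and now > _ts(f["Next Update"]):
        return "stale"       # expired: the server is serving a response it should have refreshed
    return "ok"

# Constructed samples: the decisive lines of the poster's output, and a server that staples nothing.
STAPLED = """OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
    This Update: Dec 27 12:52:24 2013 GMT
    Next Update: Dec 29 12:52:24 2013 GMT
"""
NOT_STAPLED = "OCSP response: no response sent\n---\nCertificate chain\n"
```

Because nginx fetches the OCSP response only after the first handshake, run the check more than once against a freshly started server before concluding that stapling is off.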
