
OCSP stapling in nginx with GlobalSign certificate

Question asked by romanm on Mar 14, 2014
Latest reply on Mar 25, 2014 by romanm

Hi,

I'm using this nginx configuration for my site:

server {
    listen       443;
    server_name  example.com;

    add_header Strict-Transport-Security max-age=63072000;

    ssl                  on;
    ssl_certificate      /etc/nginx/ssl/domain_crt_with_intermediate.crt;
    ssl_certificate_key  /etc/nginx/ssl/domain.key;

    ssl_session_cache    shared:SSL:10m;
    ssl_session_timeout  10m;

    ssl_prefer_server_ciphers On;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;

    location / {
        root   /var/www/html;
        index  index.php index.html index.htm;
        try_files $uri $uri/ /index.php?q=$uri&$args;
    }

    location ~ \.php$ {
        include        fastcgi_params;
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  /var/www/html$fastcgi_script_name;
    }

    location ~ /\.ht {
        deny  all;
    }
}

and tried to activate OCSP stapling.

I tried

    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/ssl/stapeling.trusted.crt;
    resolver 8.8.4.4 8.8.8.8 valid=300s;
    resolver_timeout 10s;

but it doesn't work.

 

I tried it with

openssl s_client -connect example.com:443 -tls1 -tlsextdebug -status

and got this result

.....
OCSP response: no response sent
.....

I thought that the stapeling.trusted.crt is not correct and found a way to get the right one here: http://unmitigatedrisk.com/?p=241

 

The final openssl command is:

openssl ocsp -noverify -no_nonce -respout ocsp.resp -issuer /tmp/issuer.crt -cert /tmp/server.crt -url http://ocsp2.globalsign.com/gsalphag2

with this result

Error querying OCSP responsder
139908986062504:error:27076072:OCSP routines:PARSE_HTTP_LINE1:server response error:ocsp_ht.c:250:Code=403,Reason=Forbidden

When I try to go in my browser to http://ocsp2.globalsign.com/gsalphag2, I get: "An error occured during the request handling!!"

Can anybody help me? I don't know what to do next.
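The check described in the post, written up as an added shell example (it is not part of the original question and not GlobalSign's or nginx's own tooling). It classifies the `openssl s_client -status` output the poster quotes, probes a server twice because nginx only fetches the OCSP response from the responder after the first handshake, and builds the chain file that `ssl_stapling_verify` needs. The two sample outputs are constructed, and the hostname, port and file paths are placeholders to substitute.

```shell
#!/bin/sh
# Added example, not from the original post: check whether a server actually
# staples an OCSP response, and classify the openssl s_client output.
# Hostname, port and file names are placeholders (assumptions).

# Constructed sample of what `openssl s_client -status` prints when a stapled
# response is present (abbreviated; only the lines the classifier reads matter).
SAMPLE_STAPLED='CONNECTED(00000003)
TLS server extension "status request" (id=5), len=0
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
======================================'

# Constructed sample of the output the original poster reports.
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent'

# classify_ocsp_output reads s_client output on stdin and prints one of
# stapled / not-stapled / unknown. Stdin is captured once into a variable
# because two greps cannot both read the same pipe.
classify_ocsp_output() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        echo stapled
    elif printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
        echo not-stapled
    else
        echo unknown
    fi
}

# check_stapling HOST [PORT] connects with SNI and the status_request
# extension, twice: nginx fetches the OCSP response from the responder only
# after the first handshake, so a single probe right after a reload shows
# "no response sent" even on a correctly configured server.
check_stapling() {
    host=$1
    port=${2:-443}
    first=$(printf 'Q\n' | openssl s_client -connect "$host:$port" -servername "$host" -status 2>/dev/null | classify_ocsp_output)
    sleep 2
    second=$(printf 'Q\n' | openssl s_client -connect "$host:$port" -servername "$host" -status 2>/dev/null | classify_ocsp_output)
    echo "first probe: $first, second probe: $second"
}

# build_trusted_file INTERMEDIATE ROOT OUT concatenates the chain nginx needs
# in ssl_trusted_certificate when ssl_stapling_verify is on: nginx verifies the
# OCSP response against the issuer's full chain, so the intermediate alone is
# not enough. Paths are placeholders.
build_trusted_file() {
    cat "$1" "$2" > "$3"
    # List the certificates in the bundle to confirm both ended up in it.
    openssl crl2pkcs7 -nocrl -certfile "$3" | openssl pkcs7 -print_certs -noout
}

# query_responder SERVER_CERT ISSUER_CERT CHAIN_FILE asks the responder named
# in the certificate's AIA extension, like the manual openssl ocsp command in
# the post, but verifies the response signature against CHAIN_FILE instead of
# passing -noverify.
query_responder() {
    url=$(openssl x509 -noout -ocsp_uri -in "$1")
    openssl ocsp -issuer "$2" -cert "$1" -url "$url" -CAfile "$3" -no_nonce -resp_text
}

# Offline demonstration on the constructed samples (no network needed):
printf '%s\n' "$SAMPLE_STAPLED" | classify_ocsp_output   # stapled
printf '%s\n' "$SAMPLE_NONE" | classify_ocsp_output      # not-stapled
# Live use: check_stapling example.com 443
```

A server that answers "not-stapled" on the first probe and "stapled" on the second is working; one that answers "not-stapled" both times has a configuration or responder problem, and the nginx error log is the next place to look, since nginx logs there when it cannot fetch or verify the response.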
