Hey all. Before I file a bug report I'd like to consult with the community to make sure I get the whole thing right.
I use ssl_stapling_file and update that file daily. Today I discovered that one of my SSL websites returns an outdated OCSP response, not the one which is in the OCSP stapling file:

> openssl s_client -connect xxxx:443 -tls1 -tlsextdebug -status
...
Cert Status: good
This Update: Mar 26 06:05:34 2015 GMT
Next Update: Mar 28 06:05:34 2015 GMT

Today is April 5. I checked the OCSP file, it's fresh (April 4), has correct permissions, readable by nginx, etc. Then I reloaded nginx (HUP) and boom:

> openssl s_client -connect xxxx:443 -tls1 -tlsextdebug -status
...
Cert Status: good
This Update: Apr 4 04:19:53 2015 GMT
Next Update: Apr 6 04:19:53 2015 GMT

I run a dozen SSL websites with ssl_stapling_file but never had to HUP nginx to pick up an updated file (or at least I never noticed the issue, even in Firefox, which is very picky regarding OCSP).

Is that a bug (1.7.11) or did I do it wrong all the time? :)

Thanks.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,257831,257831#msg-257831
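
A monitoring check for the situation described in this post, added here as an example and not part of the original message: it parses `openssl s_client -status` output and flags a stapled OCSP response whose Next Update has already passed. The function names and the 12-hour warning threshold are assumptions, and the sample text is constructed from the values quoted above.

```python
import re
from datetime import datetime, timedelta, timezone

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# Matches e.g. "    Next Update: Apr  4 04:19:53 2015 GMT" (openssl pads the day).
FIELD_RE = re.compile(
    r"^\s*(This Update|Next Update):\s+(" + "|".join(MONTHS) + r")\s+(\d{1,2})\s+"
    r"(\d{2}):(\d{2}):(\d{2})\s+(\d{4})\s+GMT\s*$", re.MULTILINE)

def parse_staple(s_client_output):
    """Extract the This Update / Next Update timestamps as UTC datetimes."""
    fields = {}
    for name, mon, day, hh, mm, ss, year in FIELD_RE.findall(s_client_output):
        fields[name] = datetime(int(year), MONTHS[mon], int(day),
                                int(hh), int(mm), int(ss), tzinfo=timezone.utc)
    return fields

def staple_status(s_client_output, now=None, min_remaining=timedelta(hours=12)):
    """Classify the stapled response as 'missing', 'expired', 'expiring' or 'ok'."""
    now = now or datetime.now(timezone.utc)
    fields = parse_staple(s_client_output)
    if "Next Update" not in fields:
        return "missing"    # no staple sent, or a response without nextUpdate
    remaining = fields["Next Update"] - now
    if remaining <= timedelta(0):
        return "expired"    # server is still handing out an old response
    if remaining < min_remaining:
        return "expiring"   # assumed threshold: the refresh job should have run
    return "ok"

# Constructed sample input, using the timestamps quoted in the post.
BEFORE_RELOAD = """Cert Status: good
This Update: Mar 26 06:05:34 2015 GMT
Next Update: Mar 28 06:05:34 2015 GMT
"""
AFTER_RELOAD = """    Cert Status: good
    This Update: Apr  4 04:19:53 2015 GMT
    Next Update: Apr  6 04:19:53 2015 GMT
"""
NOW = datetime(2015, 4, 5, 12, 0, 0, tzinfo=timezone.utc)  # "Today is April 5"

if __name__ == "__main__":
    for label, text in (("before reload", BEFORE_RELOAD), ("after reload", AFTER_RELOAD)):
        print(label, "->", staple_status(text, now=NOW))
```

Checking what the server actually staples, rather than the modification time of the file on disk, is what catches the mismatch reported here.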