173279834462 Wrote:
-------------------------------------------------------
> > Note that this doesn't really indicate anything: there are two forms
> > of OCSP requests, POST and GET. And Firefox uses POST, while nginx
> > uses GET. Given the fact that the responder was completely broken just
> > a few days ago - it's quite possible that it's still broken for GETs
> > in some cases.
>
> To comply with local security policy, we disabled POST globally on all
> public-facing servers.
> This has the advantage of killing web 2.0 and all of its
> vulnerabilities with one simple rule, emphasis on *killing web 2.0*.
> Yes, the sites are read-only, and we just love it that way.
>
> For each vhost,
> "ssl_certificate_key" includes the vhost's private key,
> "ssl_certificate" includes the vhost's public key (leaf) AND the
> intermediate key of the Issuer,
> "ssl_trusted_certificate" includes the certificate chain in full (leaf
> + intermediate + root CA),
> all in PEM format.
>
> The openssl test works as expected:
>
> vhost="<your-domain-here>"; echo Q | openssl s_client -CAfile
> /path/to/your/local/trust/store/ca-bundle.pem -tls1 -tlsextdebug
> -status -connect $vhost:443 -servername $vhost 2>&1 | less
>
> There are two problems.
>
> problem 1
> -------------
>
> nginx's "ssl_certificate" (note the singular) is truly a bundle of the
> certificate and the intermediate.
> In fact, if we remove the intermediate, we break the chain.
>
> The description for "ssl_certificate" is also misleading.
>
> "Specifies a file with the certificate in the PEM format for the given
> virtual server. If intermediate certificates should be specified in
> addition to a primary certificate, they should be specified in the
> same file in the following order: the primary certificate comes first,
> then the intermediate certificates. A secret key in the PEM format may
> be placed in the same file."
> http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate
>
> Although the above sentence "If intermediate certificates should be
> specified" suggests that one may omit the intermediate certificate, in
> reality you can only do this if you are the CA. I do not wish to sound
> opinionated here, because I am making an effort to stick to the facts:
> if we remove the intermediate, we do break the chain and the openssl
> test complains loudly.
>
> Therefore, if your own facts correspond to the above, then the
> solution is to edit nginx's source to limit "ssl_certificate" to the
> leaf's public key only, and correct the description accordingly. The
> intermediate(s) can be bundled in a separate file.
>
> It would be easier on the eyes to re-write the keywords as well:
>
> ssl_certificate_key -----> private_certificate
> ssl_certificate 1/2 ------> public_certificate
> ssl_certificate 2/2 -------> public_intermediate_certificates
> ssl_trusted_certificate -> public_ca_certificate
>
> In so doing, the configuration would finally be unambiguous.
>
> problem 2
> --------------
>
> If it is true that FF uses POST to *read*, by default, then this
> explains the original problem with OCSP, and the fact that nginx is
> well configured and openssl and other browsers do work as expected.
> Google and other search engines show that Firefox has been affected by
> this OCSP problem for a long time. Perhaps they could start using GET
> like everybody else?
Umm...please don't hijack threads. Your issue(s) are not related to the main thread and are even partially off-topic for nginx. Hijacking threads is distracting for those who run threaded clients.

My issue regarding OCSP stapling still remains unresolved.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,257833,258801#msg-258801

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
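The ssl_certificate bundle layout the quoted post argues about (leaf first, then its issuer; chain broken once the intermediate is removed) can be checked against a throw-away PKI instead of a live server. This is an added example, not code from the thread or from nginx: it assumes the openssl CLI is installed, and the CA names, hostname and file names are constructed for the demo.

```shell
# Added demo: a throw-away root -> intermediate -> leaf PKI used to check the two
# claims about nginx's ssl_certificate bundle (leaf first, issuer right after it;
# dropping the intermediate breaks the chain). Needs the openssl CLI; names are made up.
set -e
WORK=$(mktemp -d); cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\n' > leaf.ext
# mkcert NAME CN EXTFILE [ISSUER]: issues a certificate; self-signed when ISSUER is omitted.
mkcert() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -subj "/CN=$2" -out "$1.csr" 2>/dev/null
  if [ -z "$4" ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 2 -extfile "$3" -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" -CAcreateserial -days 2 \
      -extfile "$3" -out "$1.pem" 2>/dev/null
  fi
}
mkcert root  "Demo Root CA"      ca.ext
mkcert inter "Demo Intermediate" ca.ext   root
mkcert leaf  "www.example.test"  leaf.ext inter
# The bundles the quoted post describes, plus two broken variants.
cat leaf.pem inter.pem          > ssl_certificate.pem          # what nginx expects
cat leaf.pem inter.pem root.pem > ssl_trusted_certificate.pem  # full chain for stapling
cat inter.pem leaf.pem          > reversed.pem                 # wrong order
cp  leaf.pem                      leaf_only.pem                # intermediate removed
# Returns 0 when each certificate in BUNDLE is immediately followed by its issuer,
# i.e. the order the ssl_certificate documentation requires.
bundle_in_order() {
  rm -f part*.pem
  awk '/-----BEGIN CERTIFICATE-----/{n++} {print > ("part" n ".pem")}' "$1"
  n=$(grep -c 'BEGIN CERTIFICATE' "$1"); i=1
  while [ "$i" -lt "$n" ]; do
    issuer=$(openssl x509 -noout -issuer -in "part$i.pem" | sed 's/^[a-z]*=//')
    subject=$(openssl x509 -noout -subject -in "part$((i+1)).pem" | sed 's/^[a-z]*=//')
    [ "$issuer" = "$subject" ] || return 1
    i=$((i+1))
  done
  return 0
}
# Returns 0 when the leaf chains up to the root using only the certificates in BUNDLE.
# openssl verify ignores order (reversed.pem verifies); leaf_only.pem lacks the intermediate.
chain_ok() {
  openssl verify -no-CAfile -no-CApath -CAfile root.pem -untrusted "$1" leaf.pem >/dev/null 2>&1
}
for b in ssl_certificate.pem ssl_trusted_certificate.pem reversed.pem leaf_only.pem; do
  if bundle_in_order "$b"; then o=ordered; else o=MISORDERED; fi
  if chain_ok "$b"; then c=verifies; else c="chain broken"; fi
  echo "$b: $o, $c"
done
```

The reversed bundle shows why the ordering check matters on its own: openssl verify still builds the chain, but nginx's documentation requires the primary certificate to come first.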