Re: OCSP checks fail only on 1st site hit; OK afterwards ?

Wed, 09 Nov 2022 13:34:59 -0800 

an old, 2015 post from Caddy Webserver's author,

        OCSP Stapling Robustness in Apache and nginx
         https://gist.github.com/mholt/3b4910c802b2ed7e92294e26a1ae8551

comments,

        "...
        nginx's logic is a lot more robust than Apache's in this regard. Good 
OCSP responses are cached for an hour, but are not replaced until a successful 
new response has been received, meaning nginx can weather temporary OCSP 
responder outages. Unfortunately, nginx's logic is drastically worse in a 
different way: nginx kicks off OCSP queries on-demand, during the TLS 
handshake, but continues the handshake without waiting for the OCSP response to 
return. And since the OCSP response caches are unique per worker process, the 
first TLS connection handled by any given worker process never has a response 
stapled! (By the way, this makes testing whether you've properly enabled OCSP 
stapling rather annoying and confusing if you don't know about this.) This 
behavior also means that if a worker process sites idle for a long time, it 
doesn't refresh its OCSP responses and could staple an expired OCSP response on 
the next request it handles. [Update: the expired response issue is fixed in 
nginx 1.9.2. Now, if the cached OCSP response is expired, no response at all is 
stapled. A query to the OCSP responder is still initiated in the background, so 
subsequent handshakes should have a fresh stapled response.]
        ..."

that suggests an 'updated' (back then, as of v >= 1.9.2) behavior of no OCSP 
response on 1st try, but a background-queried-and-cached ok response subsequently.

which, sounds like what i'm seeing.



i run nginx/1.23.2 on linux

after a clear reboot, on first access to my site front page, I see in log

     ==> /var/log/nginx/example.com.443.error.log <==
     2022/11/09 12:38:15 [info] 1460#1460: *2 SSL_do_handshake() failed (SSL: 
error:0A000412:SSL routines::sslv3 alert bad certificate:SSL alert number 42) 
while SSL handshaking, client: 2601:...:xxx1, server: [2600:...:xxx6]:443

if I immediately just reload the page in browser, no more problem; the page 
renders ok, SSL check out, all site nav is fine

subsequent hits to the front page are also OK

...

is that (still?) the current mode of operation in nginx's ocsp logic ?


_______________________________________________
nginx mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to