about ssl ocsp stapling


杨阳

Oct 9, 2015, 5:19:56 AM
to openresty-en
Hi, agentzh
    
      We use ssl_certificate_by_lua to give clients dynamic certificates now, and we also want to provide OCSP stapling functions. I find you have already supported this; I wonder how to use these functions? Below is what I understand:

    a  get the root & intermediate PEM format certificate data
    b  change PEM to DER
    c  use ssl.get_ocsp_responder_from_der_chain to construct the OCSP response
    d  use ssl.valid_ocsp_response
    e  if OK, ssl.set_ocsp_status_resp

But I don't know when to create the OCSP request and how to get the response, and how to deploy the directives in nginx.conf:
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/full_chain.pem; 
ssl_certificate_by_lua xxx.lua;


Zi Lin

Oct 10, 2015, 2:59:14 AM
to openresty-en
OCSP requests/responses can be created beforehand. An OCSP response is usually valid for 7 days. And then you can simply set the resp in the Lua script.

You can also do it at the time you choose the certificate, but waiting on getting an OCSP response incurs too much delay, so you had better do it separately in a non-blocking cosocket and cache the response. And of course, since you can't wait for the response, you can't do OCSP stapling for the first TLS handshake.

Hope that helps.

Zi

杨阳

Oct 10, 2015, 4:17:06 AM
to openresty-en
Thanks for the suggestion. Some more questions:

a  when I use the create OCSP request API, must the certificate data be chain certificate data?

Then I should first use get_responder_from_der_chain to get the CA URL and send an OCSP request to the URL to get the OCSP response, and cache the response.

When a client wants to do an SSL handshake:

a  first get the OCSP response from the cache

b  check whether the OCSP response is valid

c  if valid, just set the status; if not, just let the client start the OCSP request normally, and we just use ngx.timer.at to get the new OCSP response and cache it.


On Saturday, October 10, 2015 at 2:59:14 PM UTC+8, Zi Lin wrote:

杨阳

Oct 10, 2015, 5:41:53 AM
to openresty-en
Since the full_chain certificate data is obtained dynamically, I also want to know how to configure nginx.conf: just don't add anything for the ssl_stapling directives?



On Saturday, October 10, 2015 at 2:59:14 PM UTC+8, Zi Lin wrote:
OCSP requests/response can be created before hand. OCSP response is usually valid for 7 days. And then you can simply set the resp in the lua script.

Yichun Zhang (agentzh)

Oct 10, 2015, 10:37:40 PM
to openresty-en
Hello!

On Sat, Oct 10, 2015 at 4:17 PM, 杨阳 wrote:
> thanks for suggestion. Some more questions?
>
> a when I use create ocsp request api, the certificate data must be chain
> certificated data?
>
> then I should first use get_responder_from_der_chain to get CA url and send
> ocsp request to url, to get the ocsp response, cache the response.
>
> when client want to ssl handshake
>
> a first get the ocsp response from the cache
>
> b check whether the ocsp valid
>
> c if valid, just set the status, if not, just let the client to start ocsp
> request normally and we just ngx.timeat to get the new ocsp response and
> cache.
>

Well, just check out the declarative unit test cases for these Lua APIs:

https://github.com/openresty/lua-nginx-module/blob/ssl-cert-by-lua/t/130-ssl-cert-by.t

Regards,
-agentzh

杨阳

Oct 12, 2015, 9:49:05 PM
to openresty-en
I have set the OCSP response data in my shared memory for updating after 7 days, but I find the OCSP response info shows it will update in 2 days. Since I don't have an interface to get from the OCSP response when it will update, is it right to just use 7 days or 4 days anyway? Thanks.
 


On Friday, October 9, 2015 at 5:19:56 PM UTC+8, 杨阳 wrote:

杨阳

Oct 12, 2015, 10:20:48 PM
to openresty-en
Can it harm the client if the client doesn't send a status request in the ClientHello step but I send an OCSP response? Right now I only know whether the client has sent a status request after I call the set_status interface?


On Sunday, October 11, 2015 at 10:37:40 AM UTC+8, agentzh wrote:

Yichun Zhang (agentzh)

Oct 13, 2015, 10:35:38 AM
to openresty-en
Hello!

On Tue, Oct 13, 2015 at 10:20 AM, 杨阳 wrote:
> Can it generate harm to client if the client doesn't send status request in
> clientHello step but I send ocsp response? Now I just know after I call
> set_status interface to know whether client has send request status?
>

In case the requests do not send an OCSP status request, the
set_ocsp_status_resp() function call will do NOTHING and simply return
nil and a string describing the error, "no status req".

Regards,
-agentzh

杨阳

Mar 29, 2016, 7:43:59 AM
to openresty-en
We cache the OCSP response for a specific time, e.g. 7 days, but the real response just shows a 2-day expiry. Is that the "fixme" in 130-xxx.t which will cause the browser to be unable to pass into the next process? How can we solve it? Parse the response and retrieve the expiry value? Can you suggest anything?




On Tuesday, October 13, 2015 at 10:35:38 PM UTC+8, agentzh wrote:

杨阳

Mar 30, 2016, 5:33:08 AM
to openresty-en

I reviewed the validate_ocsp_response function in detail and found the OCSP_check_validity function, which uses the nsec and maxsec parameters,

and you just set 300 and -1 for the two parameters. Does that mean the local time must be in the range of thisUpdate to nextUpdate + 300s?



On Tuesday, October 13, 2015 at 10:35:38 PM UTC+8, agentzh wrote:
Hello!
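Putting the steps discussed in this thread together (the a to e list in the first message, the cache-then-timer flow from the follow-up, and the concern about a 2-day nextUpdate), as an added example that is not code from the thread or from OpenResty itself. It assumes the lua-resty-core `ngx.ssl` and `ngx.ocsp` modules (the thread refers to the OCSP functions under `ssl.`), lua-resty-http for the HTTP POST to the responder, a `lua_shared_dict ocsp_cache 1m;` in nginx.conf, and a hypothetical `load_chain_pem()` that returns the dynamically chosen PEM chain:

```lua
-- Runs as the body of ssl_certificate_by_lua_block. Assumed (not from the thread):
--   nginx.conf: lua_shared_dict ocsp_cache 1m;  modules: lua-resty-core, lua-resty-http
--   load_chain_pem(): hypothetical, returns the PEM chain (leaf first) for this SNI
local ssl  = require "ngx.ssl"
local ocsp = require "ngx.ocsp"
local http = require "resty.http"

local cache   = ngx.shared.ocsp_cache
local MAX_TTL = 24 * 3600  -- cache at most a day, well inside the 2-day nextUpdate seen in the thread

-- Fetch a fresh response from the responder named in the chain. Runs in a timer,
-- never inline in the handshake: a stalled handshake is worse than a missing staple.
local function refresh(premature, der_chain, key)
    if premature then return end
    local url, err = ocsp.get_ocsp_responder_from_der_chain(der_chain)
    if not url then ngx.log(ngx.ERR, "no OCSP responder in chain: ", err) return end
    local req, rerr = ocsp.create_ocsp_request(der_chain)
    if not req then ngx.log(ngx.ERR, "create_ocsp_request: ", rerr) return end
    local res, herr = http.new():request_uri(url, {
        method = "POST", body = req,
        headers = { ["Content-Type"] = "application/ocsp-request" },
    })
    if not res or res.status ~= 200 then
        ngx.log(ngx.ERR, "OCSP fetch failed: ", herr or res.status) return
    end
    -- Cache only responses that pass the signature and validity checks.
    local ok, verr = ocsp.validate_ocsp_response(res.body, der_chain)
    if not ok then ngx.log(ngx.ERR, "invalid OCSP response: ", verr) return end
    cache:set(key, res.body, MAX_TTL)
end

local der_chain, err = ssl.cert_pem_to_der(load_chain_pem())
if not der_chain then ngx.log(ngx.ERR, "cert_pem_to_der: ", err) return ngx.exit(ngx.ERROR) end
-- ssl.clear_certs() / set_der_cert() / set_der_priv_key() for the dynamic cert go here.

local key  = "ocsp:" .. ngx.md5(der_chain)
local resp = cache:get(key)
-- Re-validate on every use: validate_ocsp_response runs OCSP_check_validity, so a
-- response whose nextUpdate has passed is rejected even while its cache TTL remains.
if resp and ocsp.validate_ocsp_response(resp, der_chain) then
    local ok, serr = ocsp.set_ocsp_status_resp(resp)
    -- "no status req": the client sent no status_request extension, nothing is stapled.
    if not ok and serr ~= "no status req" then ngx.log(ngx.ERR, "set_ocsp_status_resp: ", serr) end
else
    -- No usable staple for this handshake; fetch in the background for the next ones.
    cache:delete(key)
    local ok, terr = ngx.timer.at(0, refresh, der_chain, key)
    if not ok then ngx.log(ngx.ERR, "timer.at: ", terr) end
end
```

With the response stapled from Lua, the nginx `ssl_stapling` directives are not needed for that certificate; the first handshake for a chain still goes out without a staple, as Zi Lin noted.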