OCSP stapling priming and logging


OCSP stapling priming and logging

Thomas Valentine
I've spent a bit of time setting up my server with SSL, and checking for OCSP stapling to be working - couldn't work out why it wasn't sending the OCSP reply but it's as I was querying the server as the first hit before it had primed the response. This isn't mentioned in the online docs as to how it actually works. There is also nothing in the logs saying what is going on - unless using debug mode.

Perhaps within ngx_http_ssl_module.c something could be added to log when an OCSP query takes place (without requiring a debug log).

I assume at some point in the past the option to prime the server has been considered and not implemented? I know a server script could be written to do this - perhaps within an nginx startup - and get nginx to use the ssl_stapling_file but this seems messy.

Any thoughts?

Thanks,
Tom

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx
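Added example, not code from the thread or from nginx: a POSIX shell check that tells whether a server actually delivered a stapled OCSP response in the TLS handshake, allowing for the priming behaviour described above (the first handshake after startup triggers the fetch, so the staple typically shows up only on a later connection). The classification relies on the `OCSP response: no response sent` and `OCSP Response Status:` lines that `openssl s_client -status` prints; the host, port and the two-second retry delay are assumptions.

```shell
#!/bin/sh
# Added example: verify OCSP stapling from the client side.
# Usage: check_stapling example.com 443   (host/port are assumptions)

# stapling_status: read `openssl s_client -status` output on stdin and
# print one word:
#   stapled - a successful OCSP response was stapled to the handshake
#   none    - the server sent no OCSP response (e.g. not yet primed)
#   failed  - a response was stapled but its status is not "successful"
stapling_status() {
    out=$(cat)
    case "$out" in
        *"OCSP Response Status: successful"*) echo stapled ;;
        *"OCSP response: no response sent"*)  echo none ;;
        *"OCSP Response Status:"*)            echo failed ;;
        *)                                    echo none ;;
    esac
}

# check_stapling: probe HOST:PORT with SNI and the status extension.
# If the first handshake carries no staple, wait and try once more,
# because nginx fetches the OCSP response in the background after the
# first handshake for a certificate rather than before serving it.
check_stapling() {
    host=$1
    port=${2:-443}
    attempt=1
    while [ "$attempt" -le 2 ]; do
        status=$(printf 'Q\n' | openssl s_client -connect "$host:$port" \
                     -servername "$host" -status 2>/dev/null | stapling_status)
        echo "attempt $attempt: $status"
        [ "$status" = stapled ] && return 0
        attempt=$((attempt + 1))
        sleep 2
    done
    return 1
}
```

A `none` on the first attempt followed by `stapled` on the second is the priming effect from the original post, not a misconfiguration; a persistent `none` or a `failed` is what deserves a look at the error log, since nginx reports OCSP fetch and verification errors there without debug logging.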

Re: OCSP stapling priming and logging

Maxim Dounin
Hello!

On Mon, Jan 08, 2018 at 11:38:56PM +1300, Thomas Valentine wrote:

>    I've spent a bit of time setting up my server with SSL, and checking
>    for OCSP stapling to be working - couldn't work out why it wasn't
>    sending the OCSP reply but it's as I was querying the server as the
>    first hit before it had primed the response. This isn't mentioned in
>    the online docs as to how it actually works. There is also nothing in
>    the logs saying what is going on - unless using debug mode.
>
>    Perhaps within ngx_http_ssl_module.c something could be added to log
>    when an OCSP query takes place (without requiring a debug log).

OCSP requests are expected to happen on a regular basis when OCSP
Stapling is enabled, and logging them all to the error log might
not be a good idea.  Rather, it logs if there are any errors.

>    I assume at some point in the past the option to prime the server has
>    been considered and not implemented? I know a server script could be
>    written to do this - perhaps within an nginx startup - and get nginx to
>    use the ssl_stapling_file but this seems messy.

OCSP Stapling is an optimization, and nothing breaks if it doesn't
work.  You don't need to prime anything (unless you are using the
"Must Staple" certificate extension, which is a completely different
story and didn't even exist when OCSP Stapling was implemented
in nginx).

You may also find these tickets interesting:

https://trac.nginx.org/nginx/ticket/1413
https://trac.nginx.org/nginx/ticket/990
https://trac.nginx.org/nginx/ticket/812

--
Maxim Dounin
http://mdounin.ru/

Re: OCSP stapling priming and logging

Thomas Valentine

10.01.2018, 03:02, "Maxim Dounin" <[hidden email]>:

> Hello!
>
> On Mon, Jan 08, 2018 at 11:38:56PM +1300, Thomas Valentine wrote:
>
> > I've spent a bit of time setting up my server with SSL, and checking
> > for OCSP stapling to be working - couldn't work out why it wasn't
> > sending the OCSP reply but it's as I was querying the server as the
> > first hit before it had primed the response. This isn't mentioned in
> > the online docs as to how it actually works. There is also nothing in
> > the logs saying what is going on - unless using debug mode.
> >
> > Perhaps within ngx_http_ssl_module.c something could be added to log
> > when an OCSP query takes place (without requiring a debug log).
>
> OCSP requests are expected to happen on a regular basis when OCSP
> Stapling is enabled, and logging them all to the error log might
> not be a good idea. Rather, it logs if there are any errors.

What about under the 'info' or 'notice' log level? Would that be a fair balance between information and not spamming the logs when error level is set to 'error'?

> > I assume at some point in the past the option to prime the server has
> > been considered and not implemented? I know a server script could be
> > written to do this - perhaps within an nginx startup - and get nginx to
> > use the ssl_stapling_file but this seems messy.
>
> OCSP Stapling is an optimization, and nothing breaks if it doesn't
> work. You don't need to prime anything (unless you are using the
> "Must Staple" certificate extension, which is a completely different
> story and didn't even exist when OCSP Stapling was implemented
> in nginx).
>
> You may also find these tickets interesting:
>
> https://trac.nginx.org/nginx/ticket/1413
> https://trac.nginx.org/nginx/ticket/990
> https://trac.nginx.org/nginx/ticket/812

Some good info in those links. I disagree, but not my web server.

> --
> Maxim Dounin
> http://mdounin.ru/