99 Problems, OCSP Ain’t One (Anymore)

So it took me a while to figure out why OCSP Stapling wasn’t working on the server I’m building with Adam. I figured I’d write down what I found here to sort of cover my problems. This is by no means a comprehensive list or solution, just what I found worked for me.

It seems that for OCSP to work properly you need to include it in the default server block.

In /etc/nginx/sites-enabled/default:

server {
    listen 443;
    server_name _;
    ssl on;
    ssl_stapling on;
    ssl_certificate /etc/nginx/certs/your_cert.pem;
    ssl_certificate_key /etc/nginx/certs/your_cert.key;

For whatever reason this wasn’t working alone for me, so I also added ssl_stapling on; to the http block in /etc/nginx/nginx.conf

Now OCSP seems to be working correctly on my other subdomains, this appears to be due to a limitation with openssl tests not allowing SNI.

You can test your own OCSP Stapling status using the following command:

openssl s_client -connect your.site:443 -tls1 -tlsextdebug -status

It appears that on the first load it’s not necessarily cached, so try running the command twice back to back to confirm whether you see:

OCSP response: no response sent


OCSP Response Data:    OCSP Response Status: successful (0x0)    Response Type: Basic OCSP Response    Version: 1 (0x0)    Responder Id: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7    Produced At: Oct 18 00:36:24 2014 GMT    Responses:    Certificate ID:      Hash Algorithm: sha1      Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9      Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7      Serial Number: FD9BEFA92F8BEBCE721B67BED87783E3    Cert Status: good    This Update: Oct 18 00:36:24 2014 GMT    Next Update: Oct 22 00:36:24 2014 GMT

Best of luck to you in your journey for a better SSL server.