OCSP stapling broken in Nginx with v2.9.1 #532

Closed
sephiroth-j opened this issue May 27, 2019 · 7 comments

Comments

@sephiroth-j

sephiroth-j commented May 27, 2019

When building Nginx 1.15.x, 1.16.0 or 1.17.0 with LibreSSL v2.9.1, OCSP stapling with Let's Encrypt (and others?) does not work anymore because the signer certificate could not be found. LibreSSL v2.9.0 is fine.

The nginx error message is:
OCSP_basic_verify() failed (SSL: error:27FFF076:OCSP routines:CRYPTO_internal:signer certificate not found) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org, peer: 95.101.72.151:80, certificate: "/path/to/fullchain.pem"

The output of openssl s_client -status [...] contains OCSP response: no response sent.

related Nginx config

ssl_stapling            on;
ssl_stapling_verify     on;
resolver                8.8.8.8;
ssl_certificate_key     /path/to/privkey.pem;
ssl_certificate         /path/to/fullchain.pem;
ssl_trusted_certificate /path/to/chain.pem;

p.s.
OCSP_basic_verify is called here

@AliceWonderMiscreations

It does work in 2.9.2 with Apache, so might this be nginx that needs a patch? I don't use nginx, so I am not able to test it against my build of LibreSSL.

OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    Produced At: May 25 22:27:00 2019 GMT

@kinichiro
Contributor

Here is another report.
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=237757

LibreSSL was forked from OpenSSL 1.0.1, and SSL_CTX_get_extra_chain_certs() returned extra_certs at that time.
It appears that OpenSSL 1.0.2 changed the behavior of SSL_CTX_get_extra_chain_certs() and added SSL_CTX_get_extra_chain_certs_only(), which returns extra_certs.
I think SSL_CTX_get_extra_chain_certs() now has different functionality in LibreSSL and OpenSSL.
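
A triage script for the symptom described in this issue, added here as an example and not part of the thread or of nginx/LibreSSL: it classifies the `openssl s_client -status` output the reporter used, checks that the first certificate in chain.pem really is the issuer (the "signer certificate" nginx looks for) of the leaf in fullchain.pem, and queries the CA's responder directly with the same chain, so a healthy direct result next to "none" from the server isolates the fault to the TLS library. File paths and hostnames are placeholders; it assumes the openssl CLI is on PATH.

```shell
#!/bin/sh
# Triage for "OCSP stapling not working": is the chain file consistent,
# is the responder healthy, and does the server actually staple?
# Assumes the openssl CLI on PATH; cert paths are placeholders (constructed).
set -u

# Classify captured `openssl s_client -status` output read from stdin.
# Prints one of: stapled | none | unknown
stapling_status() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        echo stapled
    elif printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
        echo none
    else
        echo unknown
    fi
}

# Live check against a server: stapling_live host [port]
stapling_live() {
    printf 'Q\n' | openssl s_client -connect "$1:${2:-443}" -servername "$1" \
        -status 2>/dev/null | stapling_status
}

# Does the first certificate in chain.pem issue the leaf in fullchain.pem?
# `openssl x509` reads only the first PEM block of each file, so this
# compares the leaf's issuer DN with the intermediate's subject DN.
# Exit status 0 when they match.
issuer_in_chain() {  # fullchain.pem chain.pem
    leaf_issuer=$(openssl x509 -in "$1" -noout -issuer)
    chain_subject=$(openssl x509 -in "$2" -noout -subject)
    [ "${leaf_issuer#issuer=}" = "${chain_subject#subject=}" ]
}

# Query the CA's responder directly with the same chain nginx is given.
# A "good" status here combined with "none" from stapling_live points at
# the server's TLS library rather than at the certificate or responder.
ocsp_direct() {  # fullchain.pem chain.pem
    url=$(openssl x509 -in "$1" -noout -ocsp_uri)
    openssl ocsp -issuer "$2" -cert "$1" -url "$url" -CAfile "$2" -resp_text 2>&1
}
```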

@concatime

Same issue.

While I generally like LibreSSL, this looks like a LibreSSL bug to me. And instead of trying to fix working code in nginx, you may want to focus on fixing SSL_CTX_get_extra_chain_certs() in LibreSSL.

from http://mailman.nginx.org/pipermail/nginx-devel/2019-May/012212.html

@concatime

Bug persists on 3.0.0.

@mundschenk-at

It's unfortunate that LibreSSL changed its behavior here :(

@mattieub

I confirm the bug is also present on OpenBSD, since 6.5.
OCSP stapling fails with Nginx.

@4a6f656c
Contributor

4a6f656c commented Jan 2, 2020

The behavior of SSL_CTX_get_extra_chain_certs() has been revised to match OpenSSL in openbsd/src@8c9e35f

7 participants