什么是OCSP Stapling

OCSP装订（OCSP Stapling），也称OCSP封套，是一个TLS证书状态查询扩展，作为在线证书状态协议的代替方法对X.509证书状态进行查询，目的是让证书使用者（例如浏览器）如何知道一个证书是否有效（证书颁发者有时候需要作废某些证书）。OCSP 响应本身经过了数字签名，无法伪造，所以 OCSP Stapling 技术既提高了握手效率，也不会影响安全性。

服务器在TLS握手时可以发送事先缓存的OCSP响应，用户只需验证该响应的有效性而不用再向数字证书认证机构（CA）发送请求。

问题及解决办法

获取OCSP Response问题

将子证书、中间证书、根证书按照从上到下的顺序保存为holmesian.org.full，中间证书保存为intermediate.pem，子证书保存为 holmesian.org.crt，用下列命令获取OCSP Response：

    openssl ocsp -CAfile holmesian.org.full -issuer intermediate.pem -cert holmesian.org.crt -no_nonce -text -url http://ocsp2.globalsign.com/gsalphasha2g2

得到错误提示Code=403,Reason=Forbidden：

    OCSP Request Data:
        Version: 1 (0x0)
        Requestor List:
            Certificate ID:
              Hash Algorithm: sha1
              Issuer Name Hash: 84D56BF8098BD307B766D8E1EBAD6596AA6B6761
              Issuer Key Hash: F5CDD53C0850F96A4F3AB797DA5683E669D268F7
              Serial Number: 156DFA2C6AB1204B407F919D
    Error querying OCSP responsder
    140594576742304:error:27076072:OCSP routines:PARSE_HTTP_LINE1:server response error:ocsp_ht.c:250:Code=403,Reason=Forbidden

原因是部分证书的OCSP Response需要指定HOST，所以将获取OCSP Response的命令加上HOST问题就解决了。

    openssl ocsp -CAfile holmesian.org.full -issuer intermediate.pem -cert holmesian.org.crt -no_nonce -text -url http://ocsp2.globalsign.com/gsalphasha2g2 -header "HOST" "ocsp2.globalsign.com"

    OCSP Request Data:
        Version: 1 (0x0)
        Requestor List:
            Certificate ID:
              Hash Algorithm: sha1
              Issuer Name Hash: 84D56BF8098BD307B766D8E1EBAD6596AA6B6761
              Issuer Key Hash: F5CDD53C0850F96A4F3AB797DA5683E669D268F7
              Serial Number: 156DFA2C6AB1204B407F919D
    OCSP Response Data:
        OCSP Response Status: successful (0x0)
        Response Type: Basic OCSP Response
        Version: 1 (0x0)
        Responder Id: EE5EFFFE85DB26C626FBD3698410AD1D0DD3EF58
        Produced At: Aug 26 22:35:16 2017 GMT
        Responses:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 84D56BF8098BD307B766D8E1EBAD6596AA6B6761
          Issuer Key Hash: F5CDD53C0850F96A4F3AB797DA5683E669D268F7
          Serial Number: 156DFA2C6AB1204B407F919D
        Cert Status: good
        This Update: Aug 26 22:35:16 2017 GMT
        Next Update: Aug 30 22:35:16 2017 GMT
    ...

Nginx域名解析问题

翻阅Nginx错误日志，发现有大量域名无法解析的错误提示：

ocsp2.globalsign.com could not be resolved (2: Server failure) while
requesting certificate status, responder: ocsp2.globalsign.com

ocsp2.globalsign.com could not be resolved (110: Operation timed out)
while requesting certificate status, responder: ocsp2.globalsign.com

错误中导致的域名无法解析的原因有两个：“2: Server failure”和“110: Operation timed out”，Nginx中的相关配置如下：

    resolver 10.143.22.116;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/holmesian.org.full;
    ssl_certificate /etc/nginx/holmesian.org.crt;
    ssl_certificate_key /etc/nginx/holmesian.org.key;

看上去应该没有问题，而且在Bash中可以ping通ocsp2.globalsign.com域名，且用openssl能够获取OCSP Response，在这里卡了一段时间，最后终于发现是IPv6导致的问题。在nginx配置中加上关掉resolver的IPv6解析指令即可解决问题。

    resolver 10.143.22.116:53 ipv6=off;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/holmesian.org.full;
    ssl_certificate /etc/nginx/holmesian.org.crt;
    ssl_certificate_key /etc/nginx/holmesian.org.key;

OCSP常用openssl命令

• 检测服务端是否开启OCSP response

    openssl s_client -connect holmesian.org:443 -servername holmesian.org -status -tlsextdebug < /dev/null 2>&1 | grep -i "OCSP response"

以下显示为成功开启：

OCSP response: OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response

以下显示为未开启：

OCSP response: no response sent

• 验证证书的Common Name

    openssl x509 -in holmesian.org.crt -noout -subject

• 获取证书的 OCSP 服务地址

    openssl x509 -in holmesian.org.crt -noout -ocsp_uri

---

相关文章

• 再谈Go语言的交叉编译
• HAProxy 区分流量特征
• 临时处理OCSP域名无法访问的问题
• 树莓派的HW CSum问题
• 443端口共用的方案