记录OCSP Stapling的两个问题

注意:本文最后更新于 2239 天前,有关的内容可能已经发生变化,请参考使用。

什么是OCSP Stapling

OCSP装订(OCSP Stapling),也称OCSP封套,是一个TLS证书状态查询扩展,作为在线证书状态协议的代替方法对X.509证书状态进行查询,目的是让证书使用者(例如浏览器)如何知道一个证书是否有效(证书颁发者有时候需要作废某些证书)。OCSP 响应本身经过了数字签名,无法伪造,所以 OCSP Stapling 技术既提高了握手效率,也不会影响安全性。

服务器在TLS握手时可以发送事先缓存的OCSP响应,用户只需验证该响应的有效性而不用再向数字证书认证机构(CA)发送请求。

https.jpg

问题及解决办法

获取OCSP Response问题

将子证书、中间证书、根证书按照从上到下的顺序保存为holmesian.org.full,中间证书保存为intermediate.pem,子证书保存为 holmesian.org.crt,用下列命令获取OCSP Response:

    openssl ocsp -CAfile holmesian.org.full -issuer intermediate.pem -cert holmesian.org.crt -no_nonce -text -url http://ocsp2.globalsign.com/gsalphasha2g2

得到错误提示Code=403,Reason=Forbidden:

    OCSP Request Data:
        Version: 1 (0x0)
        Requestor List:
            Certificate ID:
              Hash Algorithm: sha1
              Issuer Name Hash: 84D56BF8098BD307B766D8E1EBAD6596AA6B6761
              Issuer Key Hash: F5CDD53C0850F96A4F3AB797DA5683E669D268F7
              Serial Number: 156DFA2C6AB1204B407F919D
    Error querying OCSP responsder
    140594576742304:error:27076072:OCSP routines:PARSE_HTTP_LINE1:server response error:ocsp_ht.c:250:Code=403,Reason=Forbidden

原因是部分证书的OCSP Response需要指定HOST,所以将获取OCSP Response的命令加上HOST问题就解决了。

    openssl ocsp -CAfile holmesian.org.full -issuer intermediate.pem -cert holmesian.org.crt -no_nonce -text -url http://ocsp2.globalsign.com/gsalphasha2g2 -header "HOST" "ocsp2.globalsign.com"
    OCSP Request Data:
        Version: 1 (0x0)
        Requestor List:
            Certificate ID:
              Hash Algorithm: sha1
              Issuer Name Hash: 84D56BF8098BD307B766D8E1EBAD6596AA6B6761
              Issuer Key Hash: F5CDD53C0850F96A4F3AB797DA5683E669D268F7
              Serial Number: 156DFA2C6AB1204B407F919D
    OCSP Response Data:
        OCSP Response Status: successful (0x0)
        Response Type: Basic OCSP Response
        Version: 1 (0x0)
        Responder Id: EE5EFFFE85DB26C626FBD3698410AD1D0DD3EF58
        Produced At: Aug 26 22:35:16 2017 GMT
        Responses:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 84D56BF8098BD307B766D8E1EBAD6596AA6B6761
          Issuer Key Hash: F5CDD53C0850F96A4F3AB797DA5683E669D268F7
          Serial Number: 156DFA2C6AB1204B407F919D
        Cert Status: good
        This Update: Aug 26 22:35:16 2017 GMT
        Next Update: Aug 30 22:35:16 2017 GMT
    ...

Nginx域名解析问题

翻阅Nginx错误日志,发现有大量域名无法解析的错误提示:

ocsp2.globalsign.com could not be resolved (2: Server failure) while
requesting certificate status, responder: ocsp2.globalsign.com

ocsp2.globalsign.com could not be resolved (110: Operation timed out)
while requesting certificate status, responder: ocsp2.globalsign.com

错误中导致的域名无法解析的原因有两个:“2: Server failure”和“110: Operation timed out”,Nginx中的相关配置如下:

    resolver 10.143.22.116;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/holmesian.org.full;
    ssl_certificate /etc/nginx/holmesian.org.crt;
    ssl_certificate_key /etc/nginx/holmesian.org.key;

看上去应该没有问题,而且在Bash中可以ping通ocsp2.globalsign.com域名,且用openssl能够获取OCSP Response,在这里卡了一段时间,最后终于发现是IPv6导致的问题。在nginx配置中加上关掉resolver的IPv6解析指令即可解决问题。

    resolver 10.143.22.116:53 ipv6=off;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/holmesian.org.full;
    ssl_certificate /etc/nginx/holmesian.org.crt;
    ssl_certificate_key /etc/nginx/holmesian.org.key;

OCSP常用openssl命令

  • 检测服务端是否开启OCSP response
    openssl s_client -connect holmesian.org:443 -servername holmesian.org -status -tlsextdebug < /dev/null 2>&1 | grep -i "OCSP response"

以下显示为成功开启:

OCSP response: OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response

以下显示为未开启:

OCSP response: no response sent

  • 验证证书的Common Name
    openssl x509 -in holmesian.org.crt -noout -subject
  • 获取证书的 OCSP 服务地址
    openssl x509 -in holmesian.org.crt -noout -ocsp_uri

「倘若有所帮助,不妨酌情赞赏!」

Holmesian

感谢您的支持!

使用微信扫描二维码完成支付


相关文章

发表新评论
已有 4 条评论
  1. Denity

    请问现在let's encrypt 的ssl证书的OCSP失效了么? 我测试了
    openssl ocsp -CAfile fullchain.cer -issuer ca.cer -certsite.cer -no_nonce -text -url ocsp.int-x3.letsencrypt.org
    OCSP Request Data:

    Version: 1 (0x0) Requestor List: Certificate ID: Hash Algorithm: sha1 Issuer
    Name Hash: 7EE66AE77123B3FCF8A220646C16A12D6071085D
    Issuer Key Hash: A84A6A63047DD45676D139B7A64565EFF3A8ECA1
    Serial Number: 04D1F2A093F5345385775F0959AB47A5255B
    Error connecting BIO
    Error querying OCSP responder
    system library:connect:Connection timed out:bss_conn.c:246:host=ocsp.int-x3.letsencrypt.org:80
    20073067:BIO routines:CONN_STATE:connect error:bss_conn.c:249:

    貌似都不通,防火墙什么都是关闭的。

    Denity 回复
    1. Holmesian

      @Denity

      由于众所周知的原因,很多OCSP服务器都被墙或被劣化了服务质量,自行科学上网吧~

      Holmesian 回复
  2. 90之家

    你好,我也是做开发的,最近也在做个网站,可否交换个友链

    90之家 回复
  3. ttyuns

    可以,正好用上了~

    ttyuns 回复