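Notes on two OCSP Stapling problems
What is OCSP Stapling
OCSP Stapling (OCSP装订, also called OCSP封套 in Chinese) is a TLS extension for querying certificate status. It is an alternative to the Online Certificate Status Protocol (OCSP) for checking the status of X.509 certificates, and its purpose is to let a certificate consumer (such as a browser) know whether a certificate is still valid (issuers sometimes need to revoke certificates). The OCSP response itself is digitally signed and cannot be forged, so OCSP Stapling improves handshake efficiency without affecting security.
During the TLS handshake the server can send an OCSP response that it cached in advance; the client only needs to verify that response and no longer has to send a request to the certificate authority (CA).
Problems and solutions
Problem fetching the OCSP response
Save the leaf certificate, the intermediate certificate and the root certificate, in that order from top to bottom, as holmesian.org.full; save the intermediate certificate as intermediate.pem and the leaf certificate as holmesian.org.crt. Then fetch the OCSP response with the following command: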
openssl ocsp -CAfile holmesian.org.full -issuer intermediate.pem -cert holmesian.org.crt -no_nonce -text -url http://ocsp2.globalsign.com/gsalphasha2g2
This returns the error Code=403,Reason=Forbidden:
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 84D56BF8098BD307B766D8E1EBAD6596AA6B6761
Issuer Key Hash: F5CDD53C0850F96A4F3AB797DA5683E669D268F7
Serial Number: 156DFA2C6AB1204B407F919D
Error querying OCSP responsder
140594576742304:error:27076072:OCSP routines:PARSE_HTTP_LINE1:server response error:ocsp_ht.c:250:Code=403,Reason=Forbidden
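The cause is that for some certificates the OCSP responder requires the HTTP Host header to be specified, so adding the Host header to the command that fetches the OCSP response solves the problem.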
openssl ocsp -CAfile holmesian.org.full -issuer intermediate.pem -cert holmesian.org.crt -no_nonce -text -url http://ocsp2.globalsign.com/gsalphasha2g2 -header "HOST" "ocsp2.globalsign.com"
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 84D56BF8098BD307B766D8E1EBAD6596AA6B6761
Issuer Key Hash: F5CDD53C0850F96A4F3AB797DA5683E669D268F7
Serial Number: 156DFA2C6AB1204B407F919D
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: EE5EFFFE85DB26C626FBD3698410AD1D0DD3EF58
Produced At: Aug 26 22:35:16 2017 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 84D56BF8098BD307B766D8E1EBAD6596AA6B6761
Issuer Key Hash: F5CDD53C0850F96A4F3AB797DA5683E669D268F7
Serial Number: 156DFA2C6AB1204B407F919D
Cert Status: good
This Update: Aug 26 22:35:16 2017 GMT
Next Update: Aug 30 22:35:16 2017 GMT
...
Nginx domain name resolution problem
The Nginx error log contained a large number of errors saying that a domain name could not be resolved:
ocsp2.globalsign.com could not be resolved (2: Server failure) while requesting certificate status, responder: ocsp2.globalsign.com
ocsp2.globalsign.com could not be resolved (110: Operation timed out) while requesting certificate status, responder: ocsp2.globalsign.com
The errors give two reasons for the failed resolution: "2: Server failure" and "110: Operation timed out". The relevant Nginx configuration is as follows:
resolver 10.143.22.116;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/holmesian.org.full;
ssl_certificate /etc/nginx/holmesian.org.crt;
ssl_certificate_key /etc/nginx/holmesian.org.key;
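The configuration looks correct, ocsp2.globalsign.com can be pinged from Bash, and openssl can fetch the OCSP response. I was stuck here for a while before finally discovering that IPv6 was the cause. Adding the parameter that turns off IPv6 resolution to the resolver directive in the nginx configuration solves the problem.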
resolver 10.143.22.116:53 ipv6=off;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/holmesian.org.full;
ssl_certificate /etc/nginx/holmesian.org.crt;
ssl_certificate_key /etc/nginx/holmesian.org.key;
Common openssl commands for OCSP
- Check whether the server sends a stapled OCSP response
openssl s_client -connect holmesian.org:443 -servername holmesian.org -status -tlsextdebug < /dev/null 2>&1 | grep -i "OCSP response"
Output like the following means stapling is enabled:
OCSP response: OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Output like the following means it is not enabled:
OCSP response: no response sent
- Verify the certificate's Common Name
openssl x509 -in holmesian.org.crt -noout -subject
- Get the certificate's OCSP responder URL
openssl x509 -in holmesian.org.crt -noout -ocsp_uri
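
As an added example (not part of the original post), the Python code below evaluates the text printed by the openssl commands above so the check can run from cron or a monitoring job: it flags a missing staple, a certificate status other than good, and a response that is expired or close to its Next Update. The function names, the 12-hour threshold and the sample text (constructed from the output shown earlier) are assumptions of this example; signature verification is left to openssl itself.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the fields of the `openssl ocsp -text` output shown earlier.
SAMPLE = """\
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Aug 26 22:35:16 2017 GMT
    Next Update: Aug 30 22:35:16 2017 GMT
"""

def _field(text, name):
    """Return the value of the first 'name: value' line, or None."""
    m = re.search(r"^[ \t]*" + re.escape(name) + r":[ \t]*(.+?)[ \t]*$", text, re.M)
    return m.group(1) if m else None

def _ts(value):
    # openssl prints "Aug 26 22:35:16 2017 GMT"; single-digit days are space-padded.
    parsed = datetime.strptime(" ".join(value.split()), "%b %d %H:%M:%S %Y GMT")
    return parsed.replace(tzinfo=timezone.utc)

def check_ocsp_text(text, now, min_remaining=timedelta(hours=12)):
    """Return (ok, reason) for openssl's text dump of an OCSP response."""
    if "no response sent" in text:
        return False, "no stapled response"
    status = _field(text, "OCSP Response Status")
    if status is None or not status.startswith("successful"):
        return False, f"response status: {status}"
    cert = _field(text, "Cert Status")
    if cert != "good":
        return False, f"cert status: {cert}"
    this_update, next_update = _field(text, "This Update"), _field(text, "Next Update")
    if not this_update or not next_update:
        return False, "missing validity window"  # policy choice of this example
    start, end = _ts(this_update), _ts(next_update)
    if now < start:
        return False, "thisUpdate is in the future"
    if now >= end:
        return False, "expired"
    if end - now < min_remaining:
        return False, "expires soon"  # warn before the response lapses
    return True, "good"

if __name__ == "__main__":
    print(check_ocsp_text(SAMPLE, datetime.now(timezone.utc)))
```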