Lexa Software: Nginx-ru@sysoev.ru archive

		Apache-Talk @lexa.ru
		Inet-Admins @info.east.ru
		Filmscanners @halftone.co.uk
		Security-alerts @yandex-team.ru
		nginx-ru @sysoev.ru

СТАТЬИ

ПЕРСОНАЛЬНОЕ

ПРОГРАММЫ

ПИШИТЕ
ПИСЬМА

АРХИВ :: nginx-ru

Nginx-ru mailing list archive (nginx-ru@sysoev.ru)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: OSCP неавторизованный запрос

To: nginx-ru@xxxxxxxxx
Subject: Re: OSCP неавторизованный запрос
From: Maxim Dounin <mdounin@xxxxxxxxxx>
Date: Thu, 10 Apr 2014 15:56:31 +0400
In-reply-to: <477F3238-BDE3-45F1-AEB1-106085491057@sonru.com>
References: <477F3238-BDE3-45F1-AEB1-106085491057@sonru.com>

Hello!

On Thu, Apr 10, 2014 at 07:42:23AM +0100, Anatoly Mikhailov wrote:

> Наблюдаю следующую строку в error.log с дефолтным уровнем логирования:
> 
>   OCSP response not successful (6: unauthorized) while requesting certificate 
> status, responder: ocsp.comodoca.com
> 
> Окружение: Nginx 1.5.13, настройки ssl/tls следующие:
>     ssl_session_timeout          15m;
>     ssl_protocols                      SSLv3 TLSv1 TLSv1.1 TLSv1.2;
>     ssl_prefer_server_ciphers  on;
>     ssl_session_cache             shared:SSL:10m;
>     ssl_stapling                        on;

Вероятно, OCSP-респондер хотел сказать, что он не располагает 
достаточной информацией и не может сказать, валиден он или нет, 
http://tools.ietf.org/html/rfc5019#section-2.2.3:

   As long as the OCSP infrastructure has authoritative records for a
   particular certificate, an OCSPResponseStatus of "successful" will be
   returned.  When access to authoritative records for a particular
   certificate is not available, the responder MUST return an
   OCSPResponseStatus of "unauthorized".  As such, this profile extends
   the RFC 2560 [OCSP] definition of "unauthorized" as follows:

      The response "unauthorized" is returned in cases where the client
      is not authorized to make this query to this server or the server
      is not capable of responding authoritatively.

   For example, OCSP responders that do not have access to authoritative
   records for a requested certificate, such as those that generate and
   distribute OCSP responses in advance and thus do not have the ability
   to properly respond with a signed "successful" yet "unknown"
   response, will respond with an OCSPResponseStatus of "unauthorized".
   Also, in order to ensure the database of revocation information does
   not grow unbounded over time, the responder MAY remove the status
   records of expired certificates.  Requests from clients for
   certificates whose record has been removed will result in an
   OCSPResponseStatus of "unauthorized".

Почему так - вопрос к COMODO.  Вероятно, сертификат свежий, и 
OCSP-респондер про него ещё не знает.

Со своей стороны nginx такой ответ для stapling'а использовать не 
будет, и будет повторять попытки получить корректный ответ для 
stapling'а раз в 5 минут.

-- 
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx-ru mailing list
nginx-ru@xxxxxxxxx
http://mailman.nginx.org/mailman/listinfo/nginx-ru

References:
- OSCP неавторизованный запрос
  - From: Anatoly Mikhailov

Prev by Date: Re: Ошибка 500 Internal server error при настройка редиректов
Next by Date: Re: Ошибка 500 Internal server error при настройка редиректов
Previous by thread: OSCP неавторизованный запрос
Next by thread: Перенести куки с домена на домен
Index(es):
- Date
- Thread