我在使用nginx进行OCSP装订时遇到了麻烦。 所以我启动openssl ocsp守护进程,然后访问我的站点。 然后它说无效的请求。 我正在使用私人PKI和CA. SSL密钥:8192bit DH密钥2048bit
root@wilhelm:/etc/ocsp# openssl ocsp -index index.txt -port 9999 -rsigner oscp.crt -rkey oscp.key -CA cacert.pem -text -out log.txt Waiting for OCSP client connections... Invalid request root@wilhelm:/etc/ocsp# ls cacert.pem index.txt index.txt.attr index.txt.attr.old index.txt.old log.txt ocsp.crt ocsp.key oscp.crt oscp.key root@wilhelm:/etc/ocsp# 服务器正在工作,但我用openssl ocsp -CAfile ../cacert.pem -issuer ../cacert.pem -url http:// * url *:9999 -resp_text -cert mycert.crt来testing它,它工作正常。
Nginxconfiguration:
set_real_ip_from 199.27.128.0/21; set_real_ip_from 173.245.48.0/20; set_real_ip_from 103.21.244.0/22; set_real_ip_from 103.22.200.0/22; set_real_ip_from 103.31.4.0/22; set_real_ip_from 141.101.64.0/18; set_real_ip_from 108.162.192.0/18; set_real_ip_from 190.93.240.0/20; set_real_ip_from 188.114.96.0/20; set_real_ip_from 197.234.240.0/22; set_real_ip_from 198.41.128.0/17; set_real_ip_from 162.158.0.0/15; set_real_ip_from 104.16.0.0/12; set_real_ip_from 172.64.0.0/13; real_ip_header X-Forwarded-For; limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m; limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=1r/s; limit_conn conn_limit_per_ip 5; limit_req zone=req_limit_per_ip burst=10 nodelay; server_tokens off; add_header X-Frame-Options SAMEORIGIN; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; server { listen 80; server_name mail.wilhelm.co.za; return 301 https://$host$request_uri; } server { listen 443 ssl; ssl on; server_name mail.wilhelm.co.za; if ($http_referer ~* "(semalt|buttons-for|best-seo)") { return 444; } if ($http_host = '') { return 444; } if ($host !~* ^mail\.wilhelm\.co\.za$ ) { return 444; } if ($request_method !~ ^(GET|HEAD)$ ) { return 444; } ssl_certificate /etc/nginx/ssl/mail.wilhelm.co.za.key.crt; ssl_certificate_key /etc/nginx/ssl/mail.wilhelm.co.za.key; ssl_client_certificate /etc/nginx/ssl/cacert.pem; ssl_verify_client optional; ssl_session_cache shared:SSL:50m; ssl_session_timeout 5m; ssl_dhparam /etc/nginx/ssl/dhparam.pem; ssl_prefer_server_ciphers on; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; resolver 8.8.8.8 valid=300s; resolver_timeout 10s; ssl_stapling on; ssl_stapling_verify on; ssl_trusted_certificate /etc/nginx/ssl/mail.wilhelm.co.za.crt; add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;"; root /var/www/mail.wilhelm.co.za/public_html; access_log /var/www/mail.wilhelm.co.za/logs/access.log; error_log /var/www/mail.wilhelm.co.za/logs/error.log; index index.php; location / { try_files $uri $uri/ /index.php?$query_string; } location ~ \.php$ { fastcgi_index index.php; fastcgi_split_path_info ^(.+\.php)(.*)$; fastcgi_keep_conn on; include /etc/nginx/fastcgi_params; fastcgi_pass unix:/var/run/php5-fpm.sock; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; } location ~ /\.ht { deny all; } location ^~ /data { deny all; } }
对于用于OCSP装订的OCSP请求,nginx使用GET请求,如RFC 2560中所述 。
另一方面,从上次发布的OpenSSL 1.0.2d开始,OpenSSL仅支持通过openssl ocsp提供的OCSP响应者守护进程中的POST请求。 它不识别GET请求并打印对这样的请求的Invalid request请求。
为了使这个工作,你可以尝试从主分支OpenSSL – 它似乎包含了一个尝试,以改善OCSP响应代码,并应该现在正确处理GET请求。 我从来没有尝试,可能还有其他问题。 请记住它是未发布的代码。
您也可以考虑使用另一个OCSP应答器。