Hey all.
Before I file a bugreport I’d like to consult with community to make
sure
whether I get the whole thing right.
I use ssl_stapling_file and update that file daily.
Today I discovered that one of my SSL websites returns outdated OCSP
response, not the one which is in the OCSP stapling file:
openssl s_client -connect xxxx:443 -tls1 -tlsextdebug -status
…
Cert Status: good
This Update: Mar 26 06:05:34 2015 GMT
Next Update: Mar 28 06:05:34 2015 GMT
Today is April 5. I checked OCSP file, it’s fresh (April 4), has correct
permissions, readable by nginx, etc.
Then I reloaded nginx (HUP) and boom:
openssl s_client -connect xxxx:443 -tls1 -tlsextdebug -status
…
Cert Status: good
This Update: Apr 4 04:19:53 2015 GMT
Next Update: Apr 6 04:19:53 2015 GMT
I run a dozen of SSL websites with ssl_stapling_file but never had to
HUP
nginx to pick up an updated file (or at least I never noticed the issue
(even in FireFox which is very picky regarding OCSP)).
Is that a bug (1.7.11) or did I do it wrong all the time?
Thanks.
Posted at Nginx Forum: