OCSP malformedrequest with 1.9.7 and openssl 1.0.2e

Hello,

OCSP is not working on my raspberrypi2 with nginx 1.9.7 and OpenSSL 1.0.2e.
I have compiled both together.

tail /var/log/nginx/error.log

2015/12/04 22:28:21 [error] 14841#0: OCSP response not successful (1:
malformedrequest) while requesting certificate status, responder:
ocsp.startssl.com
2015/12/04 22:28:29 [error] 14841#0: OCSP response not successful (1:
malformedrequest) while requesting certificate status, responder:
ocsp.startssl.com
2015/12/04 22:28:30 [error] 14842#0: OCSP response not successful (1:
malformedrequest) while requesting certificate status, responder:
ocsp.startssl.com

Got the ca-bundle.pem from https://www.startssl.com/certs/?C=S;O=D

/etc/nginx/sites-enabled $ cat default

# OCSP Stapling

ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/my_ssl_certs/ca-bundle.pem;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

OCSP is not working after checks with SSL Labs and openssl, e.g.

echo QUIT | openssl s_client -connect www.mydomain.com:443 -status 2>/dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'

According to https://www.ietf.org/rfc/rfc2560.txt the error says:

OCSPResponseStatus ::= ENUMERATED {
malformedRequest (1), --Illegal confirmation request

My StartSSL certificates are SHA2
(https://www.startssl.com/certs/class1/sha2/pem/)

In /etc/nginx/sites-enabled/ I have more than one config / domain
configured. But it does not matter whether I only configure OCSP in every
single file or just in default.

I only found a bug message here: "OpenSSL OCSP Bad Request" saying you
have to add: -header "HOST" "ocsp.startssl.com"

My options for compiling openssl & nginx have been

./config --prefix=$STATICLIBSSL no-ssl2 no-ssl3 no-shared \
&& make depend \
&& make \
&& make install_sw

./configure --with-cc-opt="-I $STATICLIBSSL/include -I/usr/include" \
--with-ld-opt="-L $STATICLIBSSL/lib -Wl,-rpath -lssl -lcrypto -ldl -lz" \
--sbin-path=/usr/sbin/nginx \
--conf-path=/etc/nginx/nginx.conf \
--pid-path=/var/run/nginx.pid \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--with-pcre=$BPATH/$VERSION_PCRE \
--with-http_ssl_module \
--with-http_v2_module \
--with-file-aio \
--with-ipv6 \
--with-http_gzip_static_module \
--with-http_stub_status_module \
--without-mail_pop3_module \
--without-mail_smtp_module \
--without-mail_imap_module \
&& make && make install

Any ideas ?

Thanks in advance,
Alexander

Posted at Nginx Forum:
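The `s_client -status` pipeline above only tells you whether nginx staples a response; it says nothing about whether the CA's responder accepts a request for that certificate, which is the other half of the "malformedrequest" question. The following script is an added example, not code from the thread or from nginx: it runs both checks separately. The hostnames are placeholders, it assumes `openssl` on PATH and a server that answers SNI on port 443, and it handles the `-header` syntax difference between OpenSSL 1.0.x and 1.1.0+.

```shell
#!/bin/sh
# Added example, not code from the thread or from nginx: tell the two
# questions apart. (1) Does nginx staple an OCSP response into the TLS
# handshake? (2) Does the CA's responder answer a direct OCSP request for
# the certificate nginx serves? Requires openssl(1); the hostname passed in
# is an assumption (www.example.com in the usage comments).

# Classify the "OCSP response:" block printed by `openssl s_client -status`.
# Reads that output on stdin, prints one of: none | good | revoked |
# unknown | error. openssl prints "OCSP response: no response sent" when the
# server does not staple at all.
stapled_status() {
    out=$(cat)
    case "$out" in
        *"OCSP response: no response sent"*) echo none; return 0 ;;
    esac
    case "$out" in
        *"OCSP Response Status: successful"*) ;;
        *) echo error; return 0 ;;
    esac
    status=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*Cert Status: //p' | head -n 1)
    case "$status" in
        good|revoked|unknown) echo "$status" ;;
        *) echo error ;;
    esac
}

# (1) Stapling check. -servername matters: with several server blocks on
# one IP, a connection without SNI lands in the default server, which may
# not be the one whose ssl_stapling you are debugging.
check_staple() {            # usage: check_staple www.example.com
    host=$1
    echo QUIT | openssl s_client -connect "$host:443" -servername "$host" \
        -status 2>/dev/null | stapled_status
}

# `openssl ocsp -header` takes "name value" (two words) in 1.0.x and
# "name=value" from 1.1.0 on. Pick the form for the installed binary.
host_header_args() {        # usage: host_header_args ocsp.example.com
    case "$(openssl version)" in
        "OpenSSL 1.0."*|"OpenSSL 0.9."*) printf '%s Host %s' -header "$1" ;;
        *)                               printf '%s Host=%s' -header "$1" ;;
    esac
}

# (2) Direct responder check. Pull the chain nginx sends, split it into
# leaf (cert1) and issuer (cert2), read the responder URL from the leaf's
# AIA extension and query it the way a validating client would.
query_responder() {         # usage: query_responder www.example.com
    host=$1
    dir=$(mktemp -d) || return 1
    echo QUIT | openssl s_client -connect "$host:443" -servername "$host" \
        -showcerts 2>/dev/null |
        awk -v d="$dir" '/-----BEGIN CERT/ { n++; p = 1 }
                         p { print > (d "/cert" n ".pem") }
                         /-----END CERT/ { p = 0 }'
    leaf="$dir/cert1.pem"; issuer="$dir/cert2.pem"
    if [ ! -s "$issuer" ]; then
        echo "server sent no issuer certificate in its chain" >&2
        rm -rf "$dir"; return 1
    fi
    uri=$(openssl x509 -in "$leaf" -noout -ocsp_uri)
    ocsp_host=${uri#*://}; ocsp_host=${ocsp_host%%/*}
    # word-splitting of the host_header_args output is intended
    openssl ocsp -issuer "$issuer" -cert "$leaf" -url "$uri" \
        $(host_header_args "$ocsp_host") -no_nonce -resp_text
    rc=$?
    rm -rf "$dir"
    return $rc
}

if [ -n "$1" ]; then
    echo "stapled: $(check_staple "$1")"
    query_responder "$1"
fi
```

Run it as `sh check_ocsp.sh www.mydomain.com`. A `stapled: none` together with a `successful` direct answer points at the nginx side (chain, `ssl_trusted_certificate`, resolver); a direct answer of `malformedRequest` from the responder means the problem is visible without nginx at all.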

Hello!

On Fri, Dec 04, 2015 at 05:40:02PM -0500, agruener wrote:

> ocsp.startssl.com
> 2015/12/04 22:28:30 [error] 14842#0: OCSP response not successful (1:
> malformedrequest) while requesting certificate status, responder:
> ocsp.startssl.com

The message means that an OCSP request was successfully sent, but
OCSP responder returned an error. This may be either due to OCSP
response being indeed incorrect for some reason, or due to a
problem on OCSP responder side.

You may try the following:

  • check if OCSP requests from other clients (e.g., browsers) work;
    note that openssl’s OCSP client will likely fail out of the box;

  • check if the same error occurs on x86 hosts for the same
    certificate or not;

  • try tcpdump’ing traffic between nginx and the OCSP
    responder to see what happens on the wire.


Maxim D.
http://nginx.org/

Dear Maxim,

thanks for your ideas.

I think I have not fully understood this matter yet :wink:

> • check if OCSP requests from other clients (e.g., browsers) work;
>   note that openssl’s OCSP client will likely fail out of the box;

-> It does not work with openssl on Ubuntu 14.04 LTS (OpenSSL 1.0.1f 6 Jan
2014), openssl on raspberrypi2 (OpenSSL 1.0.2e) or the Qualys SSL Labs
SSL Server Test. On the other hand I do not get any errors in Firefox or
Chrome on Windows / Ubuntu / Android browsing to my websites. But I do not
know how to do the same OCSP tests with my browsers.

> • check if the same error occurs on x86 hosts for the same certificate
>   or not;

-> I have to try this later; it is not that easy to set up here right now.

> • try tcpdump’ing traffic between nginx and the OCSP responder to see
>   what happens on the wire.

-> I have done it. It is showing some communication when I do the test with
openssl, e.g.

echo QUIT | openssl s_client -connect www.mydomain.com:443 -status 2>/dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'

Pcap extraction shows communication:

.
StartCom Ltd.1+0)…U…"Secure Digital Certificate
Signing1806…U…/StartCom Class 1 Primary Intermediate Server CA0…
151011024455Z…

.
…M0…I0…g…0…;…+…7…0…0…+…"http://www.startssl.com/policy.pdf0…+…0…0’.
StartCom Certification Authority0…This certificate was issued
according to the Class 1 Validation requirements of the StartCom CA
policy,
reliance only for the intended purpose in compliance of the relying
party
obligations.05…U…0,0
.(.&.$http://crl.startssl.com/crt1-crl.crl0…+…0.09…+…0…-http://ocsp.startssl.com/sub/class1/server/ca0B…+…0…6http://aia.startssl.com/certs/sub.class1.server.ca.crt0#…U…0…Notice to all StartCom subscribers

But at the end of my pcap I have a

TLSv1.2 Record Layer: Encrypted Alert
Content Type: Alert (21)
Version: TLS 1.2 (0x0303)
Length: 26
Alert Message: Encrypted Alert

followed by FIN, ACK

Greetings,
Alexander


Hello!

On Sat, Dec 05, 2015 at 04:20:32AM -0500, agruener wrote:

> 2014), openssl on raspberrypi2 (OpenSSL 1.0.2e) and the Qualys SSL Labs
> SSL Server Test. I do not get any errors on the other hand in Firefox or
> Chrome on Windows / Ubuntu / Android browsing to my websites. But I do not
> know how to do the same OCSP tests with my browsers.

It looks like you’ve mistaken OCSP requests and OCSP stapling.
You have to test OCSP requests from other clients, not if OCSP
stapling is provided by your server.

Note well that browsers are not expected to show any errors if
OCSP requests fail, and not all browsers will use OCSP by default
or at all. You have to dump traffic between the browser and the
OCSP responder to see what happens.

[…]

> Pcap extraction shows communication:
>
> .
> StartCom Ltd.1+0)…U…"Secure Digital Certificate
> Signing1806…U…/StartCom Class 1 Primary Intermediate Server CA0…
> 151011024455Z…

This seems to be traffic between openssl and nginx. You have to
dump traffic between nginx and the OCSP responder
(ocsp.startssl.com) to see OCSP requests from nginx and responses
with errors.


Maxim D.
http://nginx.org/
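Both of Maxim's replies point at the same leg: the plain-HTTP exchange between nginx and ocsp.startssl.com, not the TLS session Alexander captured. The script below is an added example, not code from the thread or from nginx, showing how to capture that leg, reproduce nginx's request by hand and decode the responder's answer. One detail matters here: nginx fetches OCSP with an HTTP GET whose last path segment is the base64 DER request (RFC 6960 A.1), while `openssl ocsp` POSTs the DER body, so a responder can accept one form and reject the other. The hostnames, `req.der`, `resp.der` and the use of `tshark` are assumptions; it requires `od`, `base64`, `sed`, `curl` and `openssl`.

```shell
#!/bin/sh
# Added example, not code from the thread or from nginx: examine the
# nginx -> responder leg, which is plain HTTP, instead of the TLS leg
# between a client and nginx. nginx sends an HTTP GET whose last path
# segment is the base64 DER request (RFC 6960 A.1); `openssl ocsp` POSTs
# the DER body. Assumed names: ocsp.example.com, req.der, resp*.der.

# 1. Capture the leg Maxim asked for (run on the nginx host). OCSP over
#    HTTP is cleartext, so -A shows the GET line and the HTTP status line:
#      tcpdump -i any -s 0 -A 'tcp port 80 and host ocsp.example.com'
#    or save it: tcpdump -i any -s 0 -w ocsp.pcap 'tcp port 80'
#    (Wireshark ships an OCSP dissector: tshark -r ocsp.pcap -Y ocsp)

# 2. Build the request body nginx would send, offline, from the same
#    leaf and issuer that nginx serves:
#      openssl ocsp -issuer issuer.pem -cert leaf.pem -no_nonce -reqout req.der

# Base64 the DER request and percent-encode it for use as a URL path
# segment (+ / = are not safe in a path).
ocsp_get_path() {           # usage: ocsp_get_path req.der
    base64 < "$1" | tr -d '\n' | sed 's/+/%2B/g; s,/,%2F,g; s/=/%3D/g'
}

# Decode responseStatus, the first element of OCSPResponse (RFC 6960 4.2.1):
#   OCSPResponse ::= SEQUENCE { responseStatus ENUMERATED, responseBytes ... }
# An error answer is the five bytes 30 03 0a 01 SS; a successful one has a
# long-form SEQUENCE length in front, so walk the DER header properly.
ocsp_response_status() {    # usage: ocsp_response_status resp.der
    hex=$(od -An -tx1 -N8 "$1" | tr -d ' \n')
    case "$hex" in 30*) ;; *) echo "not a DER SEQUENCE" >&2; return 1 ;; esac
    rest=${hex#30}
    lb=$(printf '%s' "$rest" | cut -c1-2)                  # length byte
    case "$lb" in
        8[1-3]) skip=$(( 2 + (0x$lb - 0x80) * 2 )) ;;      # long form
        *)      skip=2 ;;                                  # short form
    esac
    rest=$(printf '%s' "$rest" | cut -c$((skip + 1))-)
    [ "$(printf '%s' "$rest" | cut -c1-4)" = 0a01 ] || {
        echo "expected ENUMERATED responseStatus" >&2; return 1; }
    case "$(printf '%s' "$rest" | cut -c5-6)" in
        00) echo successful ;;
        01) echo malformedRequest ;;
        02) echo internalError ;;
        03) echo tryLater ;;
        05) echo sigRequired ;;
        06) echo unauthorized ;;
        *)  echo unknown ;;
    esac
}

# 3. Send req.der both ways and compare. GET rejected but POST accepted
#    means the responder dislikes nginx's request style; both rejected
#    means the request itself is wrong (inspect it with
#    `openssl ocsp -reqin req.der -text`).
fetch_both_ways() {   # usage: fetch_both_ways http://ocsp.example.com/path req.der
    responder=$1; req=$2
    curl -sS -o resp-get.der "$responder/$(ocsp_get_path "$req")"
    curl -sS -o resp-post.der -H 'Content-Type: application/ocsp-request' \
        --data-binary "@$req" "$responder"
    echo "GET  (as nginx):        $(ocsp_response_status resp-get.der)"
    echo "POST (as openssl ocsp): $(ocsp_response_status resp-post.der)"
}
```

The responder URL to pass in is the one from the leaf's AIA extension (`openssl x509 -in leaf.pem -noout -ocsp_uri`); nginx appends a `/` and the encoded request to exactly that URL, which is what `fetch_both_ways` mirrors. `ocsp_response_status` also works on a body carved out of the pcap, so the same decoder tells you what the responder actually sent nginx.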