Web browsers are still checking OCSP even though NGINX OCSP stapling is enabled

Posted: 2018-10-30 21:58:27

Tags: ssl nginx ssl-certificate ocsp nginx-config

We have noticed that even though our NGINX server sends an OCSP staple in the HTTPS handshake, clients are still continuing to ask for OCSP confirmation.

All tests pass: https://www.ssllabs.com/ssltest/analyze.html?d=flyawaysimulation.com

Here is our NGINX configuration:

ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /certificates/thawtenew.cer;
resolver 8.8.4.4 8.8.8.8;

Here is the response we get from OpenSSL:

openssl s_client -connect flyawaysimulation.com:443 -status
CONNECTED(00000003)
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Thawte EV RSA CA 2018
verify error:num=20:unable to get local issuer certificate
verify return:0
OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: E701FC0C1618CA7DB28CEC8727A36F61813B8439
    Produced At: Oct 30 17:14:58 2018 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 27B7E3BB29D237E6E6F2515C33DFD54FED77AE89
      Issuer Key Hash: E701FC0C1618CA7DB28CEC8727A36F61813B8439
      Serial Number: 083AA0E3FFAA9DB93545CE0354B5E6D4
    Cert Status: good
    This Update: Oct 30 17:14:58 2018 GMT
    Next Update: Nov  6 16:29:58 2018 GMT

    Signature Algorithm: sha256WithRSAEncryption
         20:c0:8a:eb:ab:e8:ad:46:25:df:f3:66:b1:29:74:17:4d:93:
         08:7f:20:05:b7:c8:4c:29:5a:b4:2c:6b:37:96:20:36:94:d3:
         f4:66:f9:53:d6:30:c7:d8:56:66:2b:f8:a3:30:d4:ec:65:c3:
         28:94:01:a4:15:c3:05:4c:72:e4:6e:2b:c6:a6:cf:be:1a:ae:
         a3:67:7b:ee:42:42:db:58:7f:20:c1:fd:a1:cf:57:cc:da:82:
         37:66:fd:40:93:ac:b8:b0:7a:38:53:17:12:a3:27:4d:f2:17:
         07:de:d3:01:3b:c4:ab:47:96:9b:68:c5:bd:d5:b1:3c:59:d0:
         10:09:cb:23:34:3b:07:9a:7d:8d:91:ff:2f:e9:eb:5b:1f:28:
         61:e3:d0:8d:cd:a5:22:53:23:09:9f:3a:b4:eb:98:0c:b5:ae:
         8a:6c:aa:3f:a2:d5:4e:24:8f:17:94:b1:f4:9e:d3:8e:63:92:
         c0:38:7e:c1:0e:fe:58:55:6d:3a:4e:98:53:00:f2:14:1b:19:
         4b:96:43:9d:c1:a1:bd:7b:c2:34:22:85:0b:a8:a0:1c:2f:c0:
         5e:3f:e3:d4:8a:6d:e3:2e:e5:fa:1e:c2:70:7b:a2:d8:06:da:
         b4:27:ae:e2:27:61:57:75:5f:ba:a9:cd:56:9c:eb:11:ea:b8:
         e2:f3:75:8c
======================================
---
Certificate chain
 0 s:/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=GB/serialNumber=05718807/C=GB/L=London/O=RBFTP Networks Ltd./CN=flyawaysimulation.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=Thawte EV RSA CA 2018
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=Thawte EV RSA CA 2018
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
---

However, as you can see from webpagetest.org, clients are still requesting an OCSP response from our certificate issuer (DigiCert):


...note the first request.

I have tested this against other domains that have OCSP stapling enabled, and they do not ask for OCSP confirmation - only ours does.

Any ideas about what we are doing wrong? Any advice, suggestions, tips or fixes would be greatly appreciated.

The domain in question (if you would like to run some tests of your own) is: https://flyawaysimulation.com

0 answers
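As an added example (not part of the question and not the poster's code), the following Python script evaluates the kind of `openssl s_client -status` output shown above the way an operator would when confirming that a staple is actually being served: it checks that a stapled response is present at all, that the responder status is successful, that the certificate status is good, and that the current time falls inside the response's This Update / Next Update window. A stale or missing staple is the usual reason a browser falls back to querying the CA itself. The sample output is constructed from the values in the question; the `NO_STAPLE_OUTPUT` sample and the `EXAMPLE_NOW` timestamp are assumptions made for the demonstration.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the stapled-response part of `openssl s_client -status`
# output, with the field values copied from the question above.
SAMPLE_OUTPUT = """CONNECTED(00000003)
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Thawte EV RSA CA 2018
verify error:num=20:unable to get local issuer certificate
verify return:0
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: E701FC0C1618CA7DB28CEC8727A36F61813B8439
    Produced At: Oct 30 17:14:58 2018 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Serial Number: 083AA0E3FFAA9DB93545CE0354B5E6D4
    Cert Status: good
    This Update: Oct 30 17:14:58 2018 GMT
    Next Update: Nov  6 16:29:58 2018 GMT
======================================
---
"""

# Constructed sample (assumption): what s_client prints when the server
# sends no staple at all.
NO_STAPLE_OUTPUT = """CONNECTED(00000003)
OCSP response: no response sent
---
"""

# Assumed "current time" for the demonstration, inside the sample's window.
EXAMPLE_NOW = datetime(2018, 10, 31, 12, 0, 0, tzinfo=timezone.utc)

TIME_FMT = "%b %d %H:%M:%S %Y GMT"


def field(text, name):
    """Return the value of an indented 'Name: value' line, or None if absent."""
    m = re.search(rf"^\s*{re.escape(name)}:\s*(.+?)\s*$", text, re.M)
    return m.group(1) if m else None


def parse_time(s):
    """Parse an OpenSSL GMT timestamp; collapse the padding in 'Nov  6'."""
    return datetime.strptime(" ".join(s.split()), TIME_FMT).replace(tzinfo=timezone.utc)


def check_staple(output, now):
    """Evaluate the stapled OCSP response in s_client output.

    'ok' is True only when a successful 'good' response is present and `now`
    lies inside its validity window. 'verify_error' flags a chain/trust-store
    problem reported by the client, which is separate from stapling itself.
    """
    findings = {
        "stapled": False,
        "ok": False,
        "verify_error": bool(re.search(r"^verify error:", output, re.M)),
        "problems": [],
    }
    if "OCSP Response Data:" not in output:
        findings["problems"].append(
            "no OCSP response stapled; clients will query the CA themselves")
        return findings
    findings["stapled"] = True

    status = field(output, "OCSP Response Status")
    if not status or not status.startswith("successful"):
        findings["problems"].append(f"responder status is {status!r}, not successful")

    cert_status = field(output, "Cert Status")
    if cert_status != "good":
        findings["problems"].append(f"certificate status is {cert_status!r}")

    this_update = parse_time(field(output, "This Update"))
    next_update = parse_time(field(output, "Next Update"))
    if not (this_update <= now <= next_update):
        findings["problems"].append(
            f"response window {this_update:%Y-%m-%d %H:%M} .. "
            f"{next_update:%Y-%m-%d %H:%M} does not contain {now:%Y-%m-%d %H:%M}")

    findings["ok"] = not findings["problems"]
    return findings


if __name__ == "__main__":
    # Run the check against both constructed samples.
    for label, sample in (("stapled", SAMPLE_OUTPUT), ("unstapled", NO_STAPLE_OUTPUT)):
        print(label, check_staple(sample, EXAMPLE_NOW))
```

In practice the input comes from `openssl s_client -connect host:443 -servername host -status </dev/null` fed into `check_staple` with `datetime.now(timezone.utc)`. Note that nginx fetches the OCSP response lazily after the first handshake and caches it, so the first connection after a start or reload is served without a staple; repeating the check a few times, and after a reload, tells you whether a missing staple is transient or permanent. The `verify error` line in the question comes from the testing client's own trust store and does not by itself indicate that stapling is broken, but a server that omits part of its chain can produce the same symptom for real clients, so it is worth checking the served chain as well.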