Priming the OCSP cache in Nginx

So recently GlobalSign, DigiCert, and Comodo worked together with Nginx to get OCSP stapling supoported in Nginx 1.3.7, unfortunately architectural restrictions made it impractical to make it so that pre-fetching the OCSP response on server start-up so instead the first connection to the server primes the cache that is used for later connections.

This is a fine compromise but what if you really want the first connection to have the benefit too? Well there are two approaches you can take:

  1. Right after you start the server you do a SSL request to prime the cache.
  2. You manually get the ocsp response and plumb it where Nginx is looking for it.

The first model is easy, right after you start your server use the OpenSSL s_client to connect to the server with OCSP stapling enabled  just like I documented in this post, the first request will trigger the retrieval of the OCSP response by Nginx.

The second model can be done before you start the server, you need to find the URI for the OCSP responder, do a OCSP request and populate the Nginx cache manually, this would look something like:

#!/bin/sh
ISSUER_CER=$1
SERVER_CER=$2

URL=$(openssl x509 -in $SERVER_CER -text | grep “OCSP – URI:” | cut -d: -f2,3)

openssl ocsp -noverify -no_nonce -respout ocsp.resp -issuer \
$ISSUER_CER -cert $SERVER_CER -url $URL

Where “ocsp.resp” is whatever file you have configured in Nginx for the “ssl_stapling_file“.

Each approach has its pros and cons, for example with the first approach your execution of the s_client call may not be the first request the server sees, with the second approach if you are using a certificate that doesn’t contain a OCSP pointer and have manually told Nginx where to fetch certificate status from then it won’t work.

It is worth noting you can run this same script in a cron script to ensure your server never needs to hit the wire (and potentially block when doing so) when it tries to keep its OCSP cache up to date.

 

 

5 thoughts on “Priming the OCSP cache in Nginx

  1. Pingback: OCSP Stapling mit NGINX

  2. Kevin

    Thanks for even mentioning this was a thing. I was banging my head against the wall trying to figure out why stapling wasn’t working. All I had to do was load a page before testing!

    Reply
  3. s

    Each stapling works for a limited time:

    > This Update: Jul 19 16:35:30 2015 GMT
    > Next Update: Jul 21 16:35:30 2015 GMT

    Neither of your approaches above solve the problem of automatic update from nginx.
    The alternative is to run a cron job.

    Reply
  4. Pingback: Resolved: Can I make Nginx automatically OCSP staple certificates at reload/restart? - Resolved Problem

Leave a Reply to s Cancel reply

Your email address will not be published. Required fields are marked *