Pages

Tuesday, 21 April 2020

OCSP Stapling的两个问题

什么是OCSP Stapling

OCSP装订(OCSP Stapling),也称OCSP封套,是一个TLS证书状态查询扩展,作为在线证书状态协议的代替方法对X.509证书状态进行查询,目的是让证书使用者(例如浏览器)如何知道一个证书是否有效(证书颁发者有时候需要作废某些证书)。OCSP 响应本身经过了数字签名,无法伪造,所以 OCSP Stapling 技术既提高了握手效率,也不会影响安全性。
服务器在TLS握手时可以发送事先缓存的OCSP响应,用户只需验证该响应的有效性而不用再向数字证书认证机构(CA)发送请求。

问题及解决办法

I. 获取OCSP Response问题

将子证书、中间证书、根证书按照从上到下的顺序保存为urdomain.com.full,中间证书保存为intermediate.pem,子证书保存为 urdomain.com.crt,用下列命令获取OCSP Response:
    openssl ocsp -CAfile urdomain.com.full -issuer intermediate.pem -cert urdomain.com.crt -no_nonce -text -url http://ocsp2.globalsign.com/gsalphasha2g2
得到错误提示Code=403,Reason=Forbidden:
    OCSP Request Data:
        Version: 1 (0x0)
        Requestor List:
            Certificate ID:
              Hash Algorithm: sha1
              Issuer Name Hash: 84D56BF8098BD307B766D8E1EBAD6596AA6B6761
              Issuer Key Hash: F5CDD53C0850F96A4F3AB797DA5683E669D268F7
              Serial Number: 156DFA2C6AB1204B407F919D
    Error querying OCSP responsder
    140594576742304:error:27076072:OCSP routines:PARSE_HTTP_LINE1:server response error:ocsp_ht.c:250:Code=403,Reason=Forbidden
原因是部分证书的OCSP Response需要指定HOST,所以将获取OCSP Response的命令加上HOST问题就解决了。
    openssl ocsp -CAfile urdomain.com.full -issuer intermediate.pem -cert urdomain.com.crt -no_nonce -text -url http://ocsp2.globalsign.com/gsalphasha2g2 -header "HOST" "ocsp2.globalsign.com"
    OCSP Request Data:
        Version: 1 (0x0)
        Requestor List:
            Certificate ID:
              Hash Algorithm: sha1
              Issuer Name Hash: 84D56BF8098BD307B766D8E1EBAD6596AA6B6761
              Issuer Key Hash: F5CDD53C0850F96A4F3AB797DA5683E669D268F7
              Serial Number: 156DFA2C6AB1204B407F919D
    OCSP Response Data:
        OCSP Response Status: successful (0x0)
        Response Type: Basic OCSP Response
        Version: 1 (0x0)
        Responder Id: EE5EFFFE85DB26C626FBD3698410AD1D0DD3EF58
        Produced At: Aug 26 22:35:16 2017 GMT
        Responses:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 84D56BF8098BD307B766D8E1EBAD6596AA6B6761
          Issuer Key Hash: F5CDD53C0850F96A4F3AB797DA5683E669D268F7
          Serial Number: 156DFA2C6AB1204B407F919D
        Cert Status: good
        This Update: Aug 26 22:35:16 2017 GMT
        Next Update: Aug 30 22:35:16 2017 GMT
    ...

II. Nginx域名解析问题

翻阅Nginx错误日志,发现有大量域名无法解析的错误提示:
ocsp2.globalsign.com could not be resolved (2: Server failure) while
requesting certificate status, responder: ocsp2.globalsign.com
ocsp2.globalsign.com could not be resolved (110: Operation timed out)
while requesting certificate status, responder: ocsp2.globalsign.com
错误中导致的域名无法解析的原因有两个:“2: Server failure”和“110: Operation timed out”,Nginx中的相关配置如下:
    resolver 10.143.22.116;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/urdomain.com.full;    ssl_certificate /etc/nginx/urdomain.com.crt;    ssl_certificate_key /etc/nginx/urdomain.com.key;
看上去应该没有问题,而且在Bash中可以ping通ocsp2.globalsign.com域名,且用openssl能够获取OCSP Response,在这里卡了一段时间,最后终于发现是IPv6导致的问题。在nginx配置中加上关掉resolver的IPv6解析指令即可解决问题。
    resolver 10.143.22.116:53 ipv6=off;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/urdomain.com.full;    ssl_certificate /etc/nginx/urdomain.com.crt;    ssl_certificate_key /etc/nginx/urdomain.com.key;

OCSP常用openssl命令

  • 检测服务端是否开启OCSP response
    openssl s_client -connect urdomain.com:443 -servername urdomain.com -status -tlsextdebug < /dev/null 2>&1 | grep -i "OCSP response"
以下显示为成功开启:
OCSP response: OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
以下显示为未开启:
OCSP response: no response sent
  • 验证证书的Common Name
    openssl x509 -in urdomain.com.crt -noout -subject
  • 获取证书的 OCSP 服务地址
    openssl x509 -in urdomain.com.crt -noout -ocsp_uri

No comments:

Post a Comment