jjkiers/cloudron-box
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

OCSP: do not set must-staple in certificate request

Browse Source 
On first visit in firefox, must-staple certs (unlike chrome which ignores must-staple) always fail.
Investigating, it turns out, nginx does not fetch OCSP responses on reload or restart - https://trac.nginx.org/nginx/ticket/812 .
So, one has to prime the OCSP cache using curl requests. Alternately, one can use `openssl ocsp -noverify -no_nonce` and
then set `ssl_stapling_file`. Both approaches won't work if the OCSP servers are down and then we have to have some retry logic.
Also, the cache is per nginx worker, so I have no clue how many times one has to call curl. The `ssl_stapling_file` approach
requires some refresh logic as well. All very messy.

For the moment, do not set must-staple in the cert. Instead, check if the cert has a CSP URL and then enable
stapling in nginx accordingly.
This commit is contained in:
Girish Ramakrishnan
2021-04-16 13:33:32 -07:00
parent 4d919127a7
commit 7a7223a261
2 changed files with 11 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
src/reverseproxy.js
View File

@@ -102,10 +102,11 @@ function isExpiringSync(certFilePath, hours) {
return result.status === 1; // 1 - expired 0 - not expired
}
function hasOCSPStapleSync(certFilePath) {
if (safe.child_process.execSync(`openssl x509 -text -noout -in ${certFilePath} | grep -q status_request`)) return true;
return false;
// We used to check for the must-staple in the cert using openssl x509 -text -noout -in ${certFilePath} | grep -q status_request
// however, we cannot set the must-staple because first request to nginx fails because of it's OCSP caching behavior
function hasOCSPUriSync(certFilePath) {
const result = safe.child_process.execSync(`openssl x509 -in ${certFilePath} -noout -ocsp_uri`, { encoding: 'utf8' });
return result && result.length > 0; // no error and has uri
}
// checks if the certificate matches the options provided by user (like wildcard, le-staging etc)
@@ -398,7 +399,7 @@ function writeDashboardNginxConfig(bundle, configFileName, vhost, callback) {
keyFilePath: bundle.keyFilePath,
robotsTxtQuoted: JSON.stringify('User-agent: *\nDisallow: /\n'),
proxyAuth: { enabled: false, id: null, location: nginxLocation('/') },
ocsp: hasOCSPStapleSync(bundle.certFilePath)
ocsp: hasOCSPUriSync(bundle.certFilePath)
};
const nginxConf = ejs.render(NGINX_APPCONFIG_EJS, data);
const nginxConfigFilename = path.join(paths.NGINX_APPCONFIG_DIR, configFileName);
@@ -482,7 +483,7 @@ function writeAppNginxConfig(app, fqdn, bundle, callback) {
location: nginxLocation(safe.query(app.manifest, 'addons.proxyAuth.path') || '/')
},
httpPaths: app.manifest.httpPaths || {},
ocsp: hasOCSPStapleSync(bundle.certFilePath)
ocsp: hasOCSPUriSync(bundle.certFilePath)
};
const nginxConf = ejs.render(NGINX_APPCONFIG_EJS, data);
@@ -516,7 +517,7 @@ function writeAppRedirectNginxConfig(app, fqdn, bundle, callback) {
cspQuoted: null,
hideHeaders: [],
proxyAuth: { enabled: false, id: app.id, location: nginxLocation('/') },
ocsp: hasOCSPStapleSync(bundle.certFilePath)
ocsp: hasOCSPUriSync(bundle.certFilePath)
};
const nginxConf = ejs.render(NGINX_APPCONFIG_EJS, data);