diff --git a/CHANGES b/CHANGES
index 6d7acb65b..86a4ca313 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2962,4 +2962,5 @@
 * backups: multiple backup targets
 * port bindings: add `enabledByDefault` property in manifest
 * backups: store integrity information and perform validation
+* reverse proxy: remove OCSP support. this is being deprecated in favor of CRLs
diff --git a/src/acme2.js b/src/acme2.js
index f41a01621..c49f334df 100644
--- a/src/acme2.js
+++ b/src/acme2.js
@@ -329,8 +329,6 @@ Acme2.prototype.createCsr = async function (key) {
 const keyFilePath = path.join(tmpdir, 'key');
 if (!safe.fs.writeFileSync(keyFilePath, key)) throw new BoxError(BoxError.FS_ERROR, `Failed to write key file: ${safe.error.message}`);
- // OCSP must-staple is currently disabled because nginx does not provide staple on the first request (https://forum.cloudron.io/topic/4917/ocsp-stapling-for-tls-ssl/)
- // ' -addext "tlsfeature = status_request"'; // this adds OCSP must-staple
 // we used to use -addext to the CLI to add these but that arg doesn't work on Ubuntu 16.04
 // empty distinguished_name section is required for Ubuntu 16 openssl
 let conf = '[req]\nreq_extensions = v3_req\ndistinguished_name = req_distinguished_name\n'
diff --git a/src/nginxconfig.ejs b/src/nginxconfig.ejs
index 062383392..d92f6ba1f 100644
--- a/src/nginxconfig.ejs
+++ b/src/nginxconfig.ejs
@@ -104,12 +104,6 @@ server {
 add_header Strict-Transport-Security "max-age=63072000";
 <% } -%>
- <% if ( ocsp ) { -%>
- # OCSP. LE certs are generated with must-staple flag so clients can enforce OCSP
- ssl_stapling on;
- ssl_stapling_verify on;
- <% } %>
-
 # https://github.com/twitter/secureheaders
 # https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#tab=Compatibility_Matrix
 # https://wiki.mozilla.org/Security/Guidelines/Web_Security
diff --git a/src/reverseproxy.js b/src/reverseproxy.js
index 0ee688cbf..93af0f70f 100644
--- a/src/reverseproxy.js
+++ b/src/reverseproxy.js
@@ -91,22 +91,6 @@ async function getCertificateDates(cert) {
 return { startDate: notBeforeDate, endDate: notAfterDate };
 }
-async function getReverseProxyConfig() {
- const value = await settings.getJson(settings.REVERSE_PROXY_CONFIG_KEY);
- return value || { ocsp: true };
- }
-
-async function isOcspEnabled(certFilePath) {
- // on some servers, OCSP does not work. see #796
- const config = await getReverseProxyConfig();
- if (!config.ocsp) return false;
-
- // We used to check for the must-staple in the cert using openssl x509 -text -noout -in ${certFilePath} | grep -q status_request
- // however, we cannot set the must-staple because first request to nginx fails because of it's OCSP caching behavior
- const [error, result] = await safe(shell.spawn('openssl', ['x509', '-in', certFilePath, '-noout', '-ocsp_uri'], { encoding: 'utf8' }));
- return !error && result.length > 0; // no error and has uri
- }
-
 // checks if the certificate matches the options provided by user (like wildcard, le-staging etc)
 async function providerMatches(domainObject, cert) {
 assert.strictEqual(typeof domainObject, 'object');
@@ -457,7 +441,6 @@ async function writeDashboardNginxConfig(vhost, certificatePath) {
 keyFilePath: certificatePath.keyFilePath,
 robotsTxtQuoted: JSON.stringify('User-agent: *\nDisallow: /\n'),
 proxyAuth: { enabled: false, id: null, location: nginxLocation('/') },
- ocsp: await isOcspEnabled(certificatePath.certFilePath),
 hstsPreload: false
 };
 const nginxConf = ejs.render(NGINX_APPCONFIG_EJS, data);
@@ -516,7 +499,6 @@ async function writeAppLocationNginxConfig(app, location, certificatePath) {
 hideHeaders: [],
 proxyAuth: { enabled: false },
 upstreamUri: '', // only for endpoint === external
- ocsp: await isOcspEnabled(certificatePath.certFilePath),
 hstsPreload: !!app.reverseProxyConfig?.hstsPreload
 };
@@ -751,7 +733,6 @@ async function writeDefaultConfig(options) {
 keyFilePath,
 robotsTxtQuoted: JSON.stringify('User-agent: *\nDisallow: /\n'),
 proxyAuth: { enabled: false, id: null, location: nginxLocation('/') },
- ocsp: false, // self-signed cert
 hstsPreload: false
 };
 const nginxConf = ejs.render(NGINX_APPCONFIG_EJS, data);