
SSL OCSP Commodo Positive Error + HSTS not showed up

Discussion in 'Domains, DNS, Email & SSL Certificates' started by ndha, Nov 18, 2015.

  1. ndha

    ndha Member
    Hi all,
    Today I installed one of my VPSes at Leaseweb using Centmin Mod 123.08stable, upgraded PHP to the latest version, and upgraded curl to custom curl 7.43.0.
    I added a vhost using option no. 2 with a self-signed SSL certificate and upgraded it to Positive SSL after that.
    Everything is OK, but after I checked with SSL Labs there is no OCSP response on it, the HSTS header does not show up, and neither do the other headers suggested by Centmin.
    I had also added the Comodo OCSP IP to the CSF ignore and allow lists, following "Enable OCSP Stapling on NGINX - Powered by Kayako Help Desk Software".
    When I use telnet OCSP.ComodoCA.com 80 it shows: Connection closed by foreign host.
    Also HSTS does not show when using SSL Labs.
    Help me to solve this :D


    Nginx error log is:
    Code:
    271 SSL_do_handshake() failed (SSL: error:14094085:SSL routines:SSL3_READ_BYTES:ccs received early) while SSL handshaking, client: 64.41.200.107, server: 0.0.0.0:443
    
    Here is my nginx config:
    Code:
    server {
      server_name domain www.domain;
      return 301 https://$server_name$request_uri;
    }

    server {
      listen 443 ssl http2;
      server_name domain www.domain;

      ssl_dhparam /usr/local/nginx/conf/ssl/domain/dhparam.pem;
      ssl_certificate      /usr/local/nginx/conf/ssl/domain/domain.crt;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/domain/domain.key;
      include /usr/local/nginx/conf/ssl_include.conf;

      # mozilla recommended
      ssl_ciphers .........
      ssl_prefer_server_ciphers   on;
      add_header Alternate-Protocol  443:npn-spdy/3;
      add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      add_header X-Content-Type-Options "nosniff";
      add_header X-Frame-Options DENY;
      ssl_buffer_size 1400;
      ssl_session_tickets on;

      # enable ocsp stapling
      ssl_stapling on;
      ssl_stapling_verify on;
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/domain/domain.crt;
    .........
    
     
    Last edited by a moderator: Nov 19, 2015
  2. eva2000

    eva2000 Administrator Staff Member
    Wrapped your post code into CODE tags so it's easier to see ;)

    Self-signed SSL certificates don't have OCSP stapling support; that is why it's commented out by default in the SSL conf file out of the box on self-signed SSL vhost generation ;)

    To enable OCSP with a paid commercial SSL certificate and switch over, see the info and instructions at Nginx Vhost & NSD DNS Setup - CentminMod.com LEMP Nginx web stack for CentOS
     
  3. ndha

    ndha Member
    Yes Admin, I was already using all those instructions, but still OCSP does not respond and HSTS is No, as checked by SSL Labs.
    I am using Centmin 123.08stable on 3 other VPSes but still using SPDY on them; I have not upgraded the Centmin base yet.
    All 3 use SSL and your instructions, and all is OK with Positive SSL: OCSP responds, HSTS header YES.
    So I'm confused about what's wrong now; all VPSes with Centmin use the same setup except the last one, which has the error, using custom curl 7.43.0.
    Can you shed some light on this :)
    Here is SSL Labs:
    Code:
    Key RSA 2048 bits (e 65537)
    Weak key (Debian) No
    Issuer COMODO RSA Domain Validation Secure Server CA
    Signature algorithm SHA256withRSA
    Extended Validation No
    Certificate Transparency No
    Revocation information CRL, OCSP
    Revocation status Good (not revoked)
    Trusted Yes
    ..........
    Next Protocol Negotiation (NPN) Yes   h2 http/1.1
    Session resumption (caching) Yes
    Session resumption (tickets) Yes
    OCSP stapling No
    Strict Transport Security (HSTS) No
    
     
  4. eva2000

    eva2000 Administrator Staff Member
    Sometimes SSL Labs doesn't report it, but the openssl CLI command, testssl and cipherscan all report OCSP working.

    Examples:
    The best way to check is via the command line:
    Code:
    openssl s_client -connect domain.com:443 -tls1 -tlsextdebug -status
    
    Look for:
    Code:
    OCSP response:
    ======================================
    OCSP Response Data:
    OCSP Response Status: successful (0x0)?
    
    If you have only some sites using HSTS, then make a copy of the staticfiles.conf include file and use that copy in the HSTS-enabled vhost config includes, with the following alteration to the html location match.

    Code:
    cp -a /usr/local/nginx/conf/staticfiles.conf  /usr/local/nginx/conf/staticfiles-hsts.conf
    Edit the /usr/local/nginx/conf/staticfiles-hsts.conf copy and change the html location match to:
    Code:
    location ~* \.(html|htm|txt)$ {
      # HSTS has to be re-added here: a location with its own add_header
      # does not inherit the add_header directives from the server block
      if ($server_https = 'on') {
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      }
      #add_header Pragma public;
      add_header Cache-Control "public, must-revalidate, proxy-revalidate";
      access_log off;
      expires 30m;
      break;
    }
    Then, for the specific HSTS-enabled vhost config files, change the include to use the new copy, commenting out the original:
    Code:
    #include /usr/local/nginx/conf/staticfiles.conf;
    include /usr/local/nginx/conf/staticfiles-hsts.conf;
    This should only be done on HSTS-enabled vhost sites. HSTS tells browsers to force HTTPS, so if your site isn't HTTPS enabled and you use it, you will get errors that have a long permanent cache in your browser and your visitors' browsers for up to 3153600 seconds.

    Restart nginx and php-fpm:

    Code:
    nprestart
     
    Last edited: Nov 19, 2015
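As an added example, not code from this thread or from Centmin Mod: a small Python checker that applies the two verification steps above offline, on constructed samples of `openssl s_client -status` output and of the response headers an html location returns, counting HSTS as effective only when Strict-Transport-Security is present with a max-age of at least 31536000 seconds. The sample texts and function names are mine; the comment on why the header vanishes reflects nginx's add_header inheritance rule, which is the reason the staticfiles copy has to re-add HSTS.

```python
import re

# Constructed samples (not captured from the thread's servers).
OPENSSL_NOT_STAPLED = "CONNECTED(00000003)\nOCSP response: no response sent\n---\nCertificate chain\n"
OPENSSL_STAPLED = (
    "CONNECTED(00000003)\nOCSP response:\n======================================\n"
    "OCSP Response Data:\n    OCSP Response Status: successful (0x0)\n---\n"
)
# What an html location using the stock staticfiles.conf returns: its own add_header
# (Cache-Control) replaces every server-level add_header, so HSTS silently disappears.
HEADERS_HTML_NO_HSTS = (
    "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n"
    "Cache-Control: public, must-revalidate, proxy-revalidate\r\n\r\n"
)
# What the same location returns once the staticfiles-hsts.conf copy re-adds the header.
HEADERS_HTML_HSTS = (
    "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubdomains;\r\n"
    "Cache-Control: public, must-revalidate, proxy-revalidate\r\n\r\n"
)

def ocsp_stapled(openssl_output: str) -> bool:
    """True when `openssl s_client -status` printed a successful stapled OCSP response."""
    return re.search(r"OCSP Response Status:\s*successful", openssl_output) is not None

def parse_hsts(raw_headers: str):
    """Parse Strict-Transport-Security (RFC 6797); directive names are case-insensitive.
    Returns {'max_age', 'include_subdomains', 'preload'} or None when the header is absent."""
    for line in raw_headers.split("\r\n"):
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "strict-transport-security":
            continue
        policy = {"max_age": None, "include_subdomains": False, "preload": False}
        for directive in value.split(";"):
            key, _, val = directive.strip().partition("=")
            key, val = key.lower(), val.strip()
            if key == "max-age" and val.isdigit():
                policy["max_age"] = int(val)
            elif key == "includesubdomains":
                policy["include_subdomains"] = True
            elif key == "preload":
                policy["preload"] = True
        return policy
    return None

def hsts_effective(raw_headers: str, min_age: int = 31536000) -> bool:
    """A header without a valid max-age is ignored by browsers, so it does not count."""
    policy = parse_hsts(raw_headers)
    return policy is not None and policy["max_age"] is not None and policy["max_age"] >= min_age
```

To run it against a live host, feed it the real output of `openssl s_client -connect domain.com:443 -status` and of `curl -sI https://domain.com/index.html` in place of the constructed samples.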