Join the community today
Register Now

SSL OCSP Commodo Positive Error + HSTS not showed up

Discussion in 'Domains, DNS, Email & SSL Certificates' started by ndha, Nov 18, 2015.

Tags:
  1. ndha

    ndha Member

    52
    9
    8
    Sep 28, 2014
    Ratings:
    +22
    Local Time:
    4:39 PM
    Latest
    10
    Hi all,
    Today i install 1 of my vps in leaseweb using centminmod 123.08stable,
    and i upgrade php to latest, + upgrade curl to custom curl 7.43.0
    add vhost using option no.2 with Self Signed SSL and upgrade to Positive SSL after that..
    Everything is ok but after i checked with ssllab there is no OCSP response on it + HSTS header not show up, also other header that suggest by centmin..
    I had also add OCSP Comodo IP to CSF ignore and allow from this Enable OCSP Stapling on NGINX - Powered by Kayako Help Desk Software
    when i use : telnet OCSP.ComodoCA.com 80 it shows : Connection closed by foreign host.
    Also HSTS not show when using ssllab.
    Help me to solve this :D

    Nginx error log is :
    Code:
    271 SSL_do_handshake() failed (SSL: error:14094085:SSL routines:SSL3_READ_BYTES:ccs received early) while SSL handshaking, client: 64.41.200.107, server: 0.0.0.0:443
    
    Here is my nginx config :
    Code:
    server {
        server_name domain www.domain;
        return 301 https://$server_name$request_uri;
      }
    
      server {
      listen 443 ssl http2;
      server_name domain http://www.domain;']www.domain;
    
      ssl_dhparam /usr/local/nginx/conf/ssl/domain/dhparam.pem;
      ssl_certificate      /usr/local/nginx/conf/ssl/domain/domain.crt;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/domain/domain.key;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      # mozilla recommended
      ssl_ciphers .........
      ssl_prefer_server_ciphers   on;
      add_header Alternate-Protocol  443:npn-spdy/3;
      add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      add_header X-Content-Type-Options "nosniff";
      add_header X-Frame-Options DENY;
      ssl_buffer_size 1400;
      ssl_session_tickets on;
    
      # enable ocsp stapling
      ssl_stapling on;
      ssl_stapling_verify on;
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/domain/domain.crt;
    .........
    

     
    Last edited by a moderator: Nov 19, 2015
  2. eva2000

    eva2000 Administrator Staff Member

    28,935
    6,567
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,747
    Local Time:
    7:39 PM
    Nginx 1.13.x
    MariaDB 5.5
    Wrapped your post code into CODE tags so easier to see ;)

    self-signed ssl certificates don't have OCSP stapling support that is why it's commented out by default in ssl conf file out of box on self signed SSL vhost generation ;)

    To enable OCSP with paid commercial SSL certificate and switch see info and instructions at Nginx Vhost & NSD DNS Setup - CentminMod.com LEMP Nginx web stack for CentOS
     
  3. ndha

    ndha Member

    52
    9
    8
    Sep 28, 2014
    Ratings:
    +22
    Local Time:
    4:39 PM
    Latest
    10
    Yes Admin, i'd already using all that instructions, but still, OCSP not respond and HSTS No, check by ssllabs..
    I had using Centmin 123.08stable in 3 other vps but still using SPDY on it, still not upgrade Centmin Base..
    All 3 using SSL and use your instructions and all is ok with Positive SSL, OCSP Respond, HSTS header YES..
    So i'm confuse what's wrong now, all vps with centmin use same setup except last one which is error using Custom Curl 7.43.0.
    can you give some light on this :)
    here's is ssllabs :
    Code:
    Key RSA 2048 bits (e 65537)
    Weak key (Debian) No
    Issuer COMODO RSA Domain Validation Secure Server CA
    Signature algorithm SHA256withRSA
    Extended Validation No
    Certificate Transparency No
    Revocation information CRL, OCSP
    Revocation status Good (not revoked)
    Trusted [B]Yes[/B]
    ..........
    Next Protocol Negotiation (NPN) Yes   h2 http/1.1
    Session resumption (caching) Yes
    Session resumption (tickets) Yes
    OCSP stapling No
    Strict Transport Security (HSTS) No
    
     
  4. eva2000

    eva2000 Administrator Staff Member

    28,935
    6,567
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,747
    Local Time:
    7:39 PM
    Nginx 1.13.x
    MariaDB 5.5
    sometimes ssllab doesn't report it but openssl cli command, testssl and cipherscan all report OCSP working

    examples
    best way to check is via command line
    Code:
    openssl s_client -connect domain.com:443 -tls1 -tlsextdebug -status
    
    look for
    Code:
    OCSP response:
    ======================================
    OCSP Response Data:
    OCSP Response Status: successful (0x0)?
    
    if you have only some sites using HSTS then make a copy of staticfiles.conf include file and use that copy in the HSTS enabled vhost config includes with following alteration to html location match

    Code:
    cp -a /usr/local/nginx/conf/staticfiles.conf  /usr/local/nginx/conf/staticfiles-hsts.conf 
    edit /usr/local/nginx/conf/staticfiles-hsts.conf copy and change html location match to
    Code:
        location ~* \.(html|htm|txt)$ {
        if ($server_https = 'on') {
            add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
        }
      #add_header Pragma public;
      add_header Cache-Control "public, must-revalidate, proxy-revalidate";
      access_log off;
      expires 30m;
      break;
            }
    then for specific HSTS enabled vhost config files change include file to use the new copy commenting out the original
    Code:
    #include /usr/local/nginx/conf/staticfiles.conf;
    include /usr/local/nginx/conf/staticfiles-hsts.conf;
    should only be done on HSTS enabled vhost sites. HSTS tells browsers to force https so if you site isn't https enabled and you use it, you will get errors that have a long permanent cache in your browsers and visitors browsers for up to 3153600 seconds.

    restart nginx and php-fpm

    Code:
    nprestart
     
    Last edited: Nov 19, 2015
    • Like Like x 1