apache / apisix

The Cloud-Native API Gateway
https://apisix.apache.org/blog/
Apache License 2.0
13.98k stars 2.45k forks

feat: apisix support ocsp stapling or not #10309

Open chee003 opened 9 months ago

chee003 commented 9 months ago

Description

Does APISIX support OCSP stapling or not? And does it support CRL lists?

monkeyDluffy6017 commented 7 months ago

Yeah, APISIX is powered by nginx; OCSP stapling and CRL are supported, of course.

chee003 commented 6 months ago

Yeah, APISIX is powered by nginx; OCSP stapling and CRL are supported, of course.

Can you tell me which version supports this and how to enable it in APISIX?

monkeyDluffy6017 commented 6 months ago

You could follow this: https://support.globalsign.com/ssl/ssl-certificates-installation/nginx-enable-ocsp-stapling

matrixji commented 6 months ago

Co-working with @chee003. From my perspective, the TLS handshake is handled by Lua already, so a direct configuration with ssl_stapling on; may not work.

APISIX's nginx.conf:

        ssl_certificate_by_lua_block {
            apisix.stream_ssl_phase()
        }

Which is similar to nginx-ingress's configuration:

                ssl_certificate_by_lua_block {
                        certificate.call()
                }

While the latest nginx-ingress has OCSP/OCSP-stapling handling inside certificate.call, APISIX seems to be missing the handling of the OCSP request. I'm not sure if it is a good idea to try to port the OCSP handling from a 3rd party like ingress-nginx. If so, we're hoping the feature could be provided by APISIX.

A temporary solution may be using client -> nginx-ingress -> apisix-gateway -> app-backend, but currently we want to use APISIX only (without any other ingress/gateway).

yuweizzz commented 6 months ago

Maybe we need the ngx.ocsp module to support this feature.

monkeyDluffy6017 commented 5 months ago

@matrixji @chee003 could you check if this https://github.com/apache/apisix/pull/10817 meets your requirement?

matrixji commented 5 months ago

Outstanding job, 👍 I'll try to do some local testing with the PR and update here later.

chee003 commented 4 months ago

@matrixji @chee003 could you check if this #10817 meets your requirement?

I enabled the ocsp plugin, and I can see from the log that the plugin has loaded. When I post a request, errors occur; the log looks like this:

    2024/02/27 05:54:07 [warn] 53#53: 6 [lua] plugin.lua:205: load(): new plugins: {"ocsp-stapling":true}, context: init_worker_by_lua
    2024/02/27 05:54:07 [warn] 52#52: 8 [lua] plugin.lua:235: load(): loaded plugin and sort by priority: -44 name: ocsp-stapling, context: init_worker_by_lua
    ...
    2024/02/27 06:20:01 [info] 50#50: 413 [lua] ocsp-stapling.lua:136: set_cert_and_key(): no 'ocsp_stapling' field found, no need to run ocsp-stapling plugin, context: ssl_certificate_by_lua, client: 10.192.37.120, server: 0.0.0.0:9443

I want to ask whether this error means my certificate is not correct? How can I solve this, and is there some way to configure the OCSP URL like the nginx conf does, using the "ssl_ocsp_responder" property?

yuweizzz commented 4 months ago

It seems that you don't configure the 'ocsp_stapling' field in the ssl resource, try this:

curl http://127.0.0.1:9180/apisix/admin/ssls/<id> \
-H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PATCH -d '
{
    "ocsp_stapling": {
        "enabled": true
    }
}'

and the doc is here.

chee003 commented 4 months ago

It seems that you don't configure the 'ocsp_stapling' field in the ssl resource, try this:

curl http://127.0.0.1:9180/apisix/admin/ssls/<id> \
-H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PATCH -d '
{
    "ocsp_stapling": {
        "enabled": true
    }
}'

and the doc is here.

I did the post and the error is not resolved. I ran:

    echo -n "Q" | openssl s_client -status -connect example.com:9443 -servername example.com 2>&1 | cat

and the log shows:

    2024/02/27 08:42:13 [info] 54#54: 122947 [lua] ocsp-stapling.lua:101: set_ocsp_resp(): not ocsp resp cache found, fetch from ocsp responder, context: ssl_certificate_by_lua, client: 10.192.8.136, server: 0.0.0.0:9443
    2024/02/27 08:42:13 [info] 54#54: 122947 [lua] ocsp-stapling.lua:50: fetch_ocsp_resp(): fetch ocsp response from remote, context: ssl_certificate_by_lua, client: 10.192.8.136, server: 0.0.0.0:9443
    2024/02/27 08:42:13 [error] 54#54: 122947 [lua] ocsp-stapling.lua:172: set_cert_and_key(): no ocsp response send: failed to get ocsp url: no issuer certificate in chain, context: ssl_certificate_by_lua, client: 10.192.8.136, server: 0.0.0.0:9443

Is my certificate not correct?

    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:FALSE
        Netscape Comment:
            OpenSSL Generated Certificate
        X509v3 Subject Key Identifier:
            AB:32:21:E4:D5:BC:99:12:B7:C7:C0:06:DB:97:D8:C2:49:90:9B:3D
        X509v3 Authority Key Identifier:
            keyid:B3:18:B5:CB:B8:5F:B6:F9:0F:93:4F:25:41:AD:FC:1E:8B:32:7C:45

        Authority Information Access:
            OCSP - URI:http://10.10.8.13:25252

yuweizzz commented 4 months ago

Is this a self-signed certificate? Try combining your current certificate with your CA certificate like:

cat current.pem CA.pem >> fullchain.pem

chee003 commented 4 months ago

It's a self-signed certificate, and the error still exists. I think APISIX can't get the OCSP URL from the certificate.

yuweizzz commented 4 months ago

It's a self-signed certificate, and the error still exists. I think APISIX can't get the OCSP URL from the certificate.

If you signed it with the private key directly like this, this plugin may not work:

openssl x509 -req -sha256 -days 365 -in x509.csr -signkey key.pri -out x509.crt ...

To make it work, the output certificate needs to be signed by a CA certificate like:

openssl x509 -req -sha256 -days 365 -in x509.csr -CA ca.crt -CAkey ca.pri -out x509.crt ...

and combine x509.crt and CA.crt.

Hope this helps.
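The fix described in this reply (sign the leaf with a CA instead of -signkey, bundle leaf and CA into one PEM) and the admin-API step from the earlier reply (PATCH the SSL object with ocsp_stapling enabled), as one added worked example. This is not code from the APISIX project or from anyone in this thread. It assumes the openssl CLI is on PATH; the CA name, the host example.com, the responder URL http://ocsp.example.internal:25252, the variables APISIX_ADMIN and APISIX_KEY, and every function name are made up here. The responder is never contacted: the script only reproduces the "no issuer certificate in chain" failure logged above and shows the fullchain fix passing the same check, then gives the upload and the s_client probe as functions you run against a real gateway.

```shell
#!/usr/bin/env bash
# Added example, not APISIX project code. Assumptions: openssl on PATH; names,
# URLs and env vars below are placeholders chosen for this illustration.
set -eu

# Build a throwaway PKI in $1: CA, leaf signed by that CA with an AIA/OCSP
# extension pointing at $2, plus a leaf-only PEM and a fullchain PEM.
make_test_pki() {
  dir=$1; ocsp_url=$2
  mkdir -p "$dir"
  # Self-signed CA (openssl req -x509 adds CA:TRUE basic constraints by default).
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" -subj "/CN=Test OCSP CA" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" -subj "/CN=example.com" 2>/dev/null
  # Leaf extensions: AKID so the issuer can be matched, and the AIA OCSP URL the
  # plugin reads. A -signkey self-signed cert has no separate issuer to bundle.
  cat >"$dir/leaf.ext" <<EOF
basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
subjectAltName=DNS:example.com
authorityInfoAccess=OCSP;URI:$ocsp_url
EOF
  openssl x509 -req -sha256 -days 365 -in "$dir/leaf.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/leaf.ext" -out "$dir/leaf.crt" 2>/dev/null
  cp "$dir/leaf.crt" "$dir/leaf-only.pem"            # what failed in the thread
  cat "$dir/leaf.crt" "$dir/ca.crt" >"$dir/fullchain.pem"   # the fix
}

# Print the OCSP responder URL from the leaf's AIA extension.
ocsp_url_of() {
  openssl x509 -in "$1" -noout -ocsp_uri
}

# Return 0 if the PEM bundle $1 carries an issuer that signed its first (leaf)
# certificate, 1 otherwise; mirrors the plugin's "no issuer certificate in chain".
issuer_in_chain() {
  chain=$1; tmp=$(mktemp -d)
  awk '/-----BEGIN CERTIFICATE-----/{n++} n==1' "$chain" >"$tmp/leaf.pem"
  awk '/-----BEGIN CERTIFICATE-----/{n++} n>=2' "$chain" >"$tmp/issuers.pem"
  if ! grep -q 'BEGIN CERTIFICATE' "$tmp/issuers.pem"; then
    echo "no issuer certificate in chain" >&2; rm -rf "$tmp"; return 1
  fi
  # -partial_chain lets an intermediate in the bundle act as the trust anchor.
  if openssl verify -partial_chain -CAfile "$tmp/issuers.pem" "$tmp/leaf.pem" >/dev/null 2>&1; then
    rm -rf "$tmp"; return 0
  fi
  echo "issuer present but it did not sign the leaf" >&2; rm -rf "$tmp"; return 1
}

# Upload fullchain + key to APISIX and enable stapling on SSL object $1, using
# the admin API shape from this thread. Placeholders: $1, APISIX_ADMIN, APISIX_KEY.
enable_stapling() {
  id=$1; chain=$2; key=$3; admin=${APISIX_ADMIN:-http://127.0.0.1:9180}
  apikey=${APISIX_KEY:?set APISIX_KEY to your admin key}
  cert_json=$(awk '{printf "%s\\n", $0}' "$chain")   # PEM newlines -> \n for JSON
  key_json=$(awk '{printf "%s\\n", $0}' "$key")
  curl -sS "$admin/apisix/admin/ssls/$id" -H "X-API-KEY: $apikey" -X PATCH -d \
    "{\"cert\":\"$cert_json\",\"key\":\"$key_json\",\"ocsp_stapling\":{\"enabled\":true}}"
}

# Client-side probe used in this thread: does the gateway staple a response?
check_stapled() {
  host=$1; port=${2:-9443}
  echo Q | openssl s_client -status -connect "$host:$port" -servername "$host" 2>&1 \
    | grep -q 'OCSP Response Status: successful'
}

demo() {
  d=$(mktemp -d)
  make_test_pki "$d" "http://ocsp.example.internal:25252"
  echo "OCSP URL in leaf: $(ocsp_url_of "$d/leaf.crt")"
  issuer_in_chain "$d/leaf-only.pem" || echo "leaf-only.pem: rejected, as in the thread"
  issuer_in_chain "$d/fullchain.pem" && echo "fullchain.pem: issuer found, stapling can proceed"
  rm -rf "$d"
}
demo
```

Run it as-is to see the leaf-only bundle rejected and the fullchain accepted; then call enable_stapling and check_stapled against your own gateway once APISIX_KEY is set.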

chee003 commented 4 months ago

It's a self-signed certificate, and the error still exists. I think APISIX can't get the OCSP URL from the certificate.

If you signed it with the private key directly like this, this plugin may not work:

openssl x509 -req -sha256 -days 365 -in x509.csr -signkey key.pri -out x509.crt ...

To make it work, the output certificate needs to be signed by a CA certificate like:

openssl x509 -req -sha256 -days 365 -in x509.csr -CA ca.crt -CAkey ca.pri -out x509.crt ...

and combine x509.crt and CA.crt.

Hope this helps.

Thanks, I'll try it like this.

chee003 commented 4 months ago

It's a self-signed certificate, and the error still exists. I think APISIX can't get the OCSP URL from the certificate.

If you signed it with the private key directly like this, this plugin may not work:

openssl x509 -req -sha256 -days 365 -in x509.csr -signkey key.pri -out x509.crt ...

To make it work, the output certificate needs to be signed by a CA certificate like:

openssl x509 -req -sha256 -days 365 -in x509.csr -CA ca.crt -CAkey ca.pri -out x509.crt ...

and combine x509.crt and CA.crt.

Hope this helps.

Thank you so much, when I use a valid certificate the ocsp plugin is OK. Here is the log:

    2024/02/27 11:48:06 [info] 51#51: 316920 [lua] ocsp-stapling.lua:101: set_ocsp_resp(): not ocsp resp cache found, fetch from ocsp responder, context: ssl_certificate_by_lua, client: 10.192.8.136, server: 0.0.0.0:9443
    2024/02/27 11:48:06 [info] 51#51: 316920 [lua] ocsp-stapling.lua:50: fetch_ocsp_resp(): fetch ocsp response from remote, context: ssl_certificate_by_lua, client: 10.192.8.136, server: 0.0.0.0:9443
    2024/02/27 11:48:06 [info] 51#51: 316920 [lua] ocsp-stapling.lua:106: set_ocsp_resp(): fetch ocsp resp ok, cache it, context: ssl_certificate_by_lua, client: 10.192.8.136, server: 0.0.0.0:9443

chee003 commented 4 months ago

It's a self-signed certificate, and the error still exists. I think APISIX can't get the OCSP URL from the certificate.

If you signed it with the private key directly like this, this plugin may not work:

openssl x509 -req -sha256 -days 365 -in x509.csr -signkey key.pri -out x509.crt ...

To make it work, the output certificate needs to be signed by a CA certificate like:

openssl x509 -req -sha256 -days 365 -in x509.csr -CA ca.crt -CAkey ca.pri -out x509.crt ...

and combine x509.crt and CA.crt. Hope this helps.

Thanks, I'll try it like this.

Thanks @yuweizzz, I used

matrixji commented 4 months ago

Seems this OCSP stapling is already verified. Great thanks to @yuweizzz, this feature helped us a lot.

chee003 commented 2 months ago

It seems that you don't configure the 'ocsp_stapling' field in the ssl resource, try this:

curl http://127.0.0.1:9180/apisix/admin/ssls/<id> \
-H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PATCH -d '
{
    "ocsp_stapling": {
        "enabled": true
    }
}'

and the doc is here.

Hello @yuweizzz, I have another issue to ask for your help with. When APISIX enables OCSP, can it support verifying only the client certificate, and support setting ssl_ocsp_responder like the nginx configuration? A sample like the following:

    ssl_ocsp leaf;             # leaf means only verify the client certificate
    ssl_ocsp_responder url;    # url can override the OCSP URL in the certificate extension, for verifying the client certificate

yuweizzz commented 2 months ago

I'm afraid not, they need to work with mTLS; the current design doesn't contain this feature.

chee003 commented 2 months ago

APISIX already supports mTLS, and the new OCSP feature has been provided in release 3.9.0; the next thing to do is to extend the OCSP options like nginx. http://nginx.org/en/docs/http/ngx_http_ssl_module.html