Open natsl05164 opened 1 year ago
Tests are failing with:
2023-09-17T12:10:13.7923577Z 2023/09/17 12:10:13 [notice] 1#1: using boringssl, currently only "ssl_stapling_file" is supported. use it as your own risk
2023-09-17T12:10:13.7928916Z 2023/09/17 12:10:13 [emerg] 1#1: BIO_new_file("/path/to/ocsp.resp") failed (SSL: error:02000002:system library:OPENSSL_internal:No such file or directory:fopen('/path/to/ocsp.resp','r') error:1100006e:BIO routines:OPENSSL_internal:NO_SUCH_FILE)
I do not think that the approach with the cronjob setup will work for most users of this container. Hence...
- Dockerfile
- `ssl_stapling_file /path/to/ocsp.resp;` field from the test config.
- `tests/oscp.cron.sh` file content to a README file describing how to set up the OCSP stapling (i.e. obtaining the OCSP reply from the certificate issuer).
Ran the Dockerfile with the KN007 Enable_BoringSSL_OCSP.patch without error. However, I didn't make a test on a real https domain. The KN007 patch adds OCSP stapling support for BoringSSL to Nginx using the ssl_stapling_file parameter. However, the ssl_stapling_file (/path/to/ocsp.resp) needs to be renewed from the issuer site every fixed duration, and the response will be saved to (/path/to/ocsp.resp), which is what the cron job does. You may see the details given on KN007's blog https://kn007.net/topics/let-nginx-support-ocsp-stapling-when-using-boringssl/. Thanks
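The renewal loop described in the comment above (fetch the issuer's OCSP response on a schedule into the file that `ssl_stapling_file` points at), as an added example that is not the repository's `tests/oscp.cron.sh`, KN007's patch, or nginx's own code: a POSIX sh refresh routine that verifies a newly obtained DER response against the issuer before swapping it in atomically, so a truncated or unsigned download never replaces a good staple. Because a test run has no network, the demo stands in for the issuer's responder with a constructed local PKI and `openssl ocsp -index`; `ocsp_fetch` shows the real `-url` call but is not exercised. The file names, the CN values, the serial 0x1001 and the index dates are all assumptions made for the example.

```shell
#!/bin/sh
# Added example for this thread, not the repository's tests/oscp.cron.sh:
# refresh the DER file behind nginx's `ssl_stapling_file`, installing a newly
# obtained response only after it verifies against the issuer, and renaming
# it into place so nginx never reads a half-written file. All paths and the
# demo PKI below are constructed for the example.
set -eu

# Fetch a fresh response for $cert from the issuer's responder at $url.
# Real deployments take $url from the certificate's AIA extension
# (openssl x509 -noout -ocsp_uri -in "$cert"). Needs network; demo() does
# not call it. -no_nonce because issuers serve pre-generated responses.
ocsp_fetch() {
  cert=$1; issuer=$2; url=$3; out=$4
  openssl ocsp -issuer "$issuer" -cert "$cert" -url "$url" -no_nonce \
      -noverify -respout "$out" >/dev/null 2>&1
}

# Verify the signature on $resp against $bundle (the chain that signs the
# responder) and print the status of $cert: good, revoked or unknown.
# Prints nothing and returns 1 when the response is malformed or unsigned.
ocsp_status() {
  cert=$1; issuer=$2; bundle=$3; resp=$4
  out=$(openssl ocsp -issuer "$issuer" -cert "$cert" -respin "$resp" \
          -CAfile "$bundle" -no_nonce 2>&1) || return 1
  printf '%s\n' "$out" | grep -q '^Response verify OK' || return 1
  status=$(printf '%s\n' "$out" | grep -E ': (good|revoked|unknown)$' \
             | head -n 1 | sed 's/.*: //')
  [ -n "$status" ] || return 1
  printf '%s\n' "$status"
}

# Install $new_resp as $dest only if it verifies; otherwise keep the current
# file. A verified "revoked" response is installed too (it is the truth and
# shows up in the cron log); only unverifiable data is refused.
refresh_staple() {
  cert=$1; issuer=$2; bundle=$3; new_resp=$4; dest=$5
  status=$(ocsp_status "$cert" "$issuer" "$bundle" "$new_resp") || {
    echo "refresh_staple: $new_resp did not verify, keeping $dest" >&2
    return 1
  }
  cp "$new_resp" "$dest.tmp"      # write beside the destination ...
  mv -f "$dest.tmp" "$dest"       # ... then rename atomically
  printf '%s\n' "$status"
}

# Constructed demo PKI: a self-signed CA, one leaf (serial 0x1001) and the
# `openssl ca`-style index that `openssl ocsp -index` reads.
make_demo_pki() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
      -subj '/CN=Demo Issuing CA' -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=www.example.test' \
      -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
      -set_serial 0x1001 -days 30 -sha256 -out "$dir/leaf.pem" 2>/dev/null
  # Fields: status, expiry, revocation date, serial (hex), file, subject.
  printf 'V\t340101000000Z\t\t1001\tunknown\t/CN=www.example.test\n' > "$dir/index.txt"
}

# Mark the demo leaf revoked in the index (revocation date is constructed).
demo_revoke() {
  printf 'R\t340101000000Z\t240101000000Z\t1001\tunknown\t/CN=www.example.test\n' > "$1/index.txt"
}

# Stand-in for the issuer's responder: answer the request for leaf.pem
# locally and write the signed DER response to $out (what ocsp_fetch would
# download in production).
make_demo_response() {
  dir=$1; out=$2
  openssl ocsp -index "$dir/index.txt" -CA "$dir/ca.pem" \
      -rsigner "$dir/ca.pem" -rkey "$dir/ca.key" \
      -issuer "$dir/ca.pem" -cert "$dir/leaf.pem" -no_nonce -noverify \
      -respout "$out" >/dev/null 2>&1
}

demo() {
  dir=$(mktemp -d)
  make_demo_pki "$dir"
  make_demo_response "$dir" "$dir/fresh.resp"
  echo "first refresh: $(refresh_staple "$dir/leaf.pem" "$dir/ca.pem" "$dir/ca.pem" \
                                        "$dir/fresh.resp" "$dir/ocsp.resp")"
  # Simulate a truncated download: the good file must survive.
  head -c 20 "$dir/fresh.resp" > "$dir/broken.resp"
  refresh_staple "$dir/leaf.pem" "$dir/ca.pem" "$dir/ca.pem" \
      "$dir/broken.resp" "$dir/ocsp.resp" || echo "kept previous staple"
  rm -rf "$dir"
}

demo
```

In a cron job, replace the call to `make_demo_response` with `ocsp_fetch` against the AIA URL and pass the real chain bundle as the third argument of `refresh_staple`. Stock nginx with OpenSSL reads `ssl_stapling_file` when the configuration is loaded, so a successful refresh should be followed by `nginx -s reload`; whether the KN007 BoringSSL patch re-reads the file at runtime is not stated in this thread, so treat the reload as required until verified.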