ocsp server analysis

Kiyor
28 October 2015, 17:15
Updated on 3 November 2015

Did some analysis on the OCSP project; this is the knowledge you might want to know.

ocsp server

  • vassg142.ocsp.omniroot.com: CyberTrust (via Verizon), served through Akamai
dig vassg142.ocsp.omniroot.com @8.8.8.8

; <<>> DiG 9.8.3-P1 <<>> vassg142.ocsp.omniroot.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34278
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;vassg142.ocsp.omniroot.com.	IN	A

;; ANSWER SECTION:
vassg142.ocsp.omniroot.com. 264	IN	CNAME	vassg.omniroot.com.edgesuite.net.
vassg.omniroot.com.edgesuite.net. 21070	IN CNAME a1158.b.akamai.net.
a1158.b.akamai.net.	19	IN	A	184.51.0.11
a1158.b.akamai.net.	19	IN	A	184.51.0.27

;; Query time: 69 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Oct 28 17:11:59 2015
;; MSG SIZE  rcvd: 151
  • ocsp.digicert.com: DigiCert, served through EdgeCast (Verizon)
dig ocsp.digicert.com @8.8.8.8

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> ocsp.digicert.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1034
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ocsp.digicert.com.		IN	A

;; ANSWER SECTION:
ocsp.digicert.com.	8578	IN	CNAME	cs9.wac.phicdn.net.
cs9.wac.phicdn.net.	1403	IN	A	72.21.91.29

;; Query time: 2 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Oct 29 00:14:38 2015
;; MSG SIZE  rcvd: 83
  • ocsp.comodoca.com: Comodo, no CDN
dig ocsp.comodoca.com @8.8.8.8

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> ocsp.comodoca.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18036
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ocsp.comodoca.com.		IN	A

;; ANSWER SECTION:
ocsp.comodoca.com.	60	IN	A	178.255.83.1

;; Query time: 2 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Oct 29 00:18:55 2015
;; MSG SIZE  rcvd: 51

how nginx works with ocsp

I made a script to show in detail the nginx-like behavior.

#!/bin/bash
# Usage: ./ocsp-check.sh <hostname>
set -eu

site=$1
server=$site

crtfile="/tmp/${site}.crt"
chainfile="/tmp/${site}.ca.crt"
respfile="${site}.resp"
reqfile="/tmp/${site}.req"
tmpfile="/tmp/${site}.pem"

# Fetch every certificate the server sends; the first PEM block is the leaf
# certificate, the remaining blocks are the issuer chain.
openssl s_client -connect "${server}:443" -servername "$site" -showcerts 2>&1 </dev/null \
  | sed -n '/-----BEGIN/,/-----END/p' > "$tmpfile"
awk '/-----BEGIN/{n++} n==1' "$tmpfile" > "$crtfile"
awk '/-----BEGIN/{n++} n>=2' "$tmpfile" > "$chainfile"

# OCSP responder URL from the leaf certificate's AIA extension
url=$(openssl x509 -noout -ocsp_uri -in "$crtfile")
host=$(echo "$url" | awk -F'/' '{ print $3 }')
echo "ocsp url: $url (host: $host)"

# Query the responder the way openssl does (HTTP POST), keeping the DER request
# and the DER response; -noverify skips signature checking of the response.
openssl ocsp -noverify -issuer "$chainfile" -cert "$crtfile" \
  -respout "$respfile" -reqout "$reqfile" -url "$url"

# Build the GET form of the same request (RFC 6960, Appendix A.1):
# base64 of the DER request, percent-encoded, appended to the responder URL.
b64=$(base64 < "$reqfile" | tr -d '\n')
echo "b64: $b64"
requri=$(printf '%s' "$b64" | perl -p -e 's/([^A-Za-z0-9])/sprintf("%%%02X", ord($1))/seg')

requrl="$url/$requri"
echo "get resp via url : $requrl"

# Headers only: shows whether the responder (or the CDN in front of it) answers the GET
curl -IXGET "$requrl"

echo "nginx ssl_stapling_file : $respfile"

If nginx is able to fetch $requrl, stapling works. So you can use a CDN-hosted OCSP server and configure your own DNS inside nginx. If you use openssl ocsp with -host $CDNIP, it fails; my guess is that the CDN server needs other information that this request does not provide.
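As an added example (not code from the original post), here is the GET construction the script does with base64 and perl, written as POSIX sh functions with the two checks the script skips: the RFC 6960 size limit for GET requests (larger requests must be POSTed) and a trailing slash on the responder URL. The responder URL and file names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post: the GET form of an OCSP
# request (RFC 6960, Appendix A.1), which the script above builds with base64
# and perl, as POSIX sh functions with the two checks the script skips.
set -eu

# Percent-encode the three base64 characters that are not URL-safe
# ('+', '/' and '='). A base64 string contains nothing else, so for this
# input the result matches the generic perl encoder in the script above.
b64_urlencode() {
  printf '%s' "$1" | sed 's/+/%2B/g; s#/#%2F#g; s/=/%3D/g'
}

# ocsp_get_url <responder-url> <base64-of-DER-request>
# Prints <responder-url>/<percent-encoded base64>.
# A trailing '/' on the responder URL is dropped so the path is not doubled.
# Returns 1 and prints nothing when the encoded request is 255 bytes or
# longer: RFC 6960 permits GET only below that size, so the caller must POST.
ocsp_get_url() {
  url=${1%/}
  enc=$(b64_urlencode "$2")
  [ "${#enc}" -lt 255 ] || return 1
  printf '%s/%s\n' "$url" "$enc"
}

# ocsp_fetch_cmd <responder-url> <der-request-file> <response-file>
# Prints the curl command that saves the DER response (usable as nginx
# ssl_stapling_file), choosing GET when allowed and POST otherwise.
ocsp_fetch_cmd() {
  url=$1; reqfile=$2; respfile=$3
  b64=$(base64 < "$reqfile" | tr -d '\n')
  if get=$(ocsp_get_url "$url" "$b64"); then
    printf 'curl -s -o %s %s\n' "$respfile" "$get"
  else
    printf 'curl -s -o %s -H "Content-Type: application/ocsp-request" --data-binary @%s %s\n' \
      "$respfile" "$reqfile" "$url"
  fi
}

# Demo on a constructed value (not a real OCSPRequest): base64 of "OCSP".
demo_b64=$(printf 'OCSP' | base64 | tr -d '\n')            # T0NTUA==
ocsp_get_url "http://ocsp.example.test/" "$demo_b64"      # http://ocsp.example.test/T0NTUA%3D%3D
```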

Warning: From my experience, nginx ssl_stapling_file will not update after the OCSP response has expired.
