
feat: apisix support ocsp stapling or not

Open chee003 opened this issue 2 years ago • 20 comments

Description

Does APISIX support OCSP stapling or not? And does it support CRL lists?

chee003 avatar Oct 10 '23 09:10 chee003

Yeah, APISIX is powered by nginx; OCSP stapling and CRL are supported, of course.

monkeyDluffy6017 avatar Dec 12 '23 07:12 monkeyDluffy6017

Can you tell me which version supports this and how to enable it in APISIX?

chee003 avatar Dec 20 '23 03:12 chee003

You could follow this: https://support.globalsign.com/ssl/ssl-certificates-installation/nginx-enable-ocsp-stapling

monkeyDluffy6017 avatar Dec 29 '23 02:12 monkeyDluffy6017

I co-work with @chee003. From my perspective, the TLS handshake is already handled by Lua, so a direct configuration with ssl_stapling on; may not work.

APISIX's nginx.conf:

        ssl_certificate_by_lua_block {
            apisix.stream_ssl_phase()
        }

This is similar to nginx-ingress's configuration:

                ssl_certificate_by_lua_block {
                        certificate.call()
                }

While the latest nginx-ingress has OCSP/OCSP-stapling handling inside certificate.call, APISIX seems to be missing the handling of the OCSP request. I'm not sure if it is a good idea to try to port the OCSP handling from a third party like ingress-nginx. If so, we're hoping the feature could be provided by APISIX itself.

A temporary solution may be client -> nginx-ingress -> apisix-gateway -> app-backend, but currently we want to use APISIX only (without any other ingress/gateway).

matrixji avatar Dec 29 '23 08:12 matrixji

Maybe the ngx.ocsp module is needed to support this feature.

yuweizzz avatar Dec 29 '23 09:12 yuweizzz

@matrixji @chee003 could you check whether https://github.com/apache/apisix/pull/10817 meets your requirement?

monkeyDluffy6017 avatar Jan 18 '24 06:01 monkeyDluffy6017

Outstanding job, 👍 I'll try to do some local testing with the PR and update here later.

matrixji avatar Jan 18 '24 06:01 matrixji

I enabled the ocsp-stapling plugin and can see from the log that the plugin has loaded. When I post a request, errors occur; the log looks like this:

    2024/02/27 05:54:07 [warn] 53#53: *6 [lua] plugin.lua:205: load(): new plugins: {"ocsp-stapling":true}, context: init_worker_by_lua
    2024/02/27 05:54:07 [warn] 52#52: *8 [lua] plugin.lua:235: load(): loaded plugin and sort by priority: -44 name: ocsp-stapling, context: init_worker_by_lua
    ...
    2024/02/27 06:20:01 [info] 50#50: *413 [lua] ocsp-stapling.lua:136: set_cert_and_key(): no 'ocsp_stapling' field found, no need to run ocsp-stapling plugin, context: ssl_certificate_by_lua, client: 10.192.37.120, server: 0.0.0.0:9443

I want to ask whether this error means my certificate is not correct. How can I solve this, and is there a way to configure the OCSP URL like the nginx conf does, with the property "ssl_ocsp_responder"?

chee003 avatar Feb 27 '24 07:02 chee003

It seems that you didn't configure the 'ocsp_stapling' field in the SSL resource. Try this:

    curl http://127.0.0.1:9180/apisix/admin/ssls/<id> \
        -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PATCH -d '
    {
        "ocsp_stapling": {
            "enabled": true
        }
    }'

And the doc is here.

yuweizzz avatar Feb 27 '24 08:02 yuweizzz
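As an added example (not code from the APISIX project or from anyone in this thread), the enable-and-verify steps above as one POSIX shell script: it PATCHes the ocsp_stapling flag onto an existing SSL object through the Admin API, then runs the same openssl s_client -status probe used later in this thread and checks whether the gateway returned a successful stapled response. The Admin API address, the default admin key and the 9443 listener are the values quoted in this thread; the hostname example.com and the script name are assumptions.

```shell
#!/bin/sh
# Added example, not APISIX project code. Enables OCSP stapling on an existing
# APISIX SSL resource through the Admin API, then checks from the client side
# whether the gateway actually staples a response.
# Assumed defaults (override through the environment):
#   APISIX_ADMIN      Admin API address used in the thread
#   APISIX_ADMIN_KEY  default admin key quoted in the thread (rotate in production)
#   GATEWAY_HOST/PORT TLS listener; 9443 is the port seen in the thread's logs
set -eu

APISIX_ADMIN="${APISIX_ADMIN:-http://127.0.0.1:9180}"
APISIX_ADMIN_KEY="${APISIX_ADMIN_KEY:-edd1c9f034335f136f87ad84b625c8f1}"
GATEWAY_HOST="${GATEWAY_HOST:-example.com}"
GATEWAY_PORT="${GATEWAY_PORT:-9443}"

# PATCH body. The plugin only runs when the SSL object carries an
# "ocsp_stapling" field with enabled=true; without it the error log shows
# "no 'ocsp_stapling' field found".
ocsp_patch_body() {
    printf '{"ocsp_stapling":{"enabled":%s}}' "${1:-true}"
}

# PATCH /apisix/admin/ssls/<id>; prints only the HTTP status code.
enable_ocsp_stapling() {
    id="$1"
    curl -sS -o /dev/null -w '%{http_code}' \
        -H "X-API-KEY: ${APISIX_ADMIN_KEY}" \
        -H 'Content-Type: application/json' \
        -X PATCH "${APISIX_ADMIN}/apisix/admin/ssls/${id}" \
        -d "$(ocsp_patch_body true)"
}

# Read `openssl s_client -status` output on stdin; succeed only when a
# stapled response is present and its status is "successful".
has_staple() {
    grep -q 'OCSP Response Status: successful'
}

# Handshake with a status request. -servername sets the SNI so APISIX picks
# the SSL object whose ocsp_stapling flag was just enabled.
check_staple() {
    host="$1"; port="$2"
    if printf 'Q\n' | openssl s_client -status -connect "${host}:${port}" \
            -servername "${host}" 2>&1 | has_staple; then
        echo "stapled: ${host}:${port}"
        return 0
    fi
    echo "NOT stapled: ${host}:${port} (check the ocsp_stapling flag, the chain, the AIA URL and responder reachability)" >&2
    return 1
}

# Usage: sh enable_and_check.sh <ssl-id>
if [ "${1:-}" != "" ]; then
    code=$(enable_ocsp_stapling "$1")
    echo "admin PATCH -> HTTP ${code}"
    check_staple "${GATEWAY_HOST}" "${GATEWAY_PORT}"
fi
```

The check deliberately looks for the "successful" status line rather than just the "OCSP response:" header, because s_client prints a header line ("OCSP response: no response sent") even when nothing was stapled.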

I did the PATCH and the error is not resolved.

    echo -n "Q" | openssl s_client -status -connect example.com:9443 -servername example.com 2>&1 | cat

    2024/02/27 08:42:13 [info] 54#54: *122947 [lua] ocsp-stapling.lua:101: set_ocsp_resp(): not ocsp resp cache found, fetch from ocsp responder, context: ssl_certificate_by_lua, client: 10.192.8.136, server: 0.0.0.0:9443
    2024/02/27 08:42:13 [info] 54#54: *122947 [lua] ocsp-stapling.lua:50: fetch_ocsp_resp(): fetch ocsp response from remote, context: ssl_certificate_by_lua, client: 10.192.8.136, server: 0.0.0.0:9443
    2024/02/27 08:42:13 [error] 54#54: *122947 [lua] ocsp-stapling.lua:172: set_cert_and_key(): no ocsp response send: failed to get ocsp url: no issuer certificate in chain, context: ssl_certificate_by_lua, client: 10.192.8.136, server: 0.0.0.0:9443

Is my certificate not correct?

    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:FALSE
        Netscape Comment:
            OpenSSL Generated Certificate
        X509v3 Subject Key Identifier:
            AB:32:21:E4:D5:BC:99:12:B7:C7:C0:06:DB:97:D8:C2:49:90:9B:3D
        X509v3 Authority Key Identifier:
            keyid:B3:18:B5:CB:B8:5F:B6:F9:0F:93:4F:25:41:AD:FC:1E:8B:32:7C:45

        Authority Information Access:
            OCSP - URI:http://10.10.8.13:25252

chee003 avatar Feb 27 '24 08:02 chee003

Is this a self-signed certificate? Try combining your current certificate with your CA certificate like:

cat current.pem CA.pem >> fullchain.pem

yuweizzz avatar Feb 27 '24 09:02 yuweizzz

It's a self-signed certificate, and the error still exists. I think APISIX can't get the OCSP URL from the certificate.

chee003 avatar Feb 27 '24 09:02 chee003

If you signed with the private key directly like this, this plugin may not work:

    openssl x509 -req -sha256 -days 365 -in x509.csr -signkey key.pri -out x509.crt ...

To make it work, the output certificate needs to be signed by a CA certificate like:

    openssl x509 -req -sha256 -days 365 -in x509.csr -CA ca.crt -CAkey ca.pri -out x509.crt ...

and then combine x509.crt and CA.crt.

Hope this helps.

yuweizzz avatar Feb 27 '24 09:02 yuweizzz
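As an added example (not code from the APISIX project or from anyone in this thread), the certificate-shape advice of the last two comments as one runnable POSIX shell script: it builds both the self-signed leaf (-signkey) and the CA-signed leaf (-CA/-CAkey) with an OCSP URI in the Authority Information Access extension, concatenates leaf and CA into a fullchain, and then checks the two things the plugin needs before it can fetch a response: an OCSP URI in the leaf, and the issuer certificate immediately after the leaf in the chain file. The CA name, file names, the example.com SAN and the responder URL http://127.0.0.1:25252 are assumptions; only the openssl CLI is used.

```shell
#!/bin/sh
# Added example, not APISIX project code. Builds the two certificate shapes
# contrasted in the thread (self-signed vs CA-signed, both with an AIA OCSP
# URI) and checks what the ocsp-stapling plugin needs from the chain.
# Names, paths and the responder URL are hypothetical.
set -eu

WORK="${WORK:-$(mktemp -d)}"
OCSP_URL="${OCSP_URL:-http://127.0.0.1:25252}"   # assumed responder address
CFG="${WORK}/ext.cnf"

# Minimal OpenSSL config: one CA profile and one server-leaf profile with AIA.
write_config() {
    cat > "$CFG" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = DNS:example.com
authorityInfoAccess = OCSP;URI:${OCSP_URL}
EOF
}

# Test CA. A self-signed CA is fine: stapling is about the leaf's issuer.
make_ca() {
    openssl ecparam -name prime256v1 -genkey -noout -out "${WORK}/ca.key"
    openssl req -new -x509 -key "${WORK}/ca.key" -days 365 -sha256 \
        -subj "/CN=Example Test CA" -config "$CFG" -extensions v3_ca \
        -out "${WORK}/ca.crt"
}

make_leaf_csr() {
    openssl ecparam -name prime256v1 -genkey -noout -out "${WORK}/leaf.key"
    openssl req -new -key "${WORK}/leaf.key" -subj "/CN=example.com" \
        -config "$CFG" -out "${WORK}/leaf.csr"
}

# Wrong shape for stapling: signed with its own key, so issuer == subject and
# there is no separate issuer certificate to build the OCSP request from.
make_selfsigned() {
    openssl x509 -req -sha256 -days 365 -in "${WORK}/leaf.csr" \
        -signkey "${WORK}/leaf.key" -extfile "$CFG" -extensions v3_leaf \
        -out "${WORK}/selfsigned.crt" 2>/dev/null
    cp "${WORK}/selfsigned.crt" "${WORK}/selfsigned-chain.pem"
}

# Right shape: CA-signed leaf, then leaf + CA concatenated into one chain file.
make_ca_signed() {
    openssl x509 -req -sha256 -days 365 -in "${WORK}/leaf.csr" \
        -CA "${WORK}/ca.crt" -CAkey "${WORK}/ca.key" -CAcreateserial \
        -extfile "$CFG" -extensions v3_leaf -out "${WORK}/leaf.crt" 2>/dev/null
    cat "${WORK}/leaf.crt" "${WORK}/ca.crt" > "${WORK}/fullchain.pem"
}

# Print the n-th PEM certificate (1-based) from a bundle.
nth_cert() {
    awk -v n="$2" '/-----BEGIN CERTIFICATE-----/{c++} c==n{print}
                   /-----END CERTIFICATE-----/{if (c==n) exit}' "$1"
}

# OCSP responder URL from the leaf's Authority Information Access extension.
ocsp_uri() {
    nth_cert "$1" 1 | openssl x509 -noout -ocsp_uri
}

# Succeed when the second certificate in the bundle is the leaf's issuer,
# i.e. the condition behind "no issuer certificate in chain".
issuer_in_chain() {
    leaf_issuer=$(nth_cert "$1" 1 | openssl x509 -noout -issuer | sed 's/^issuer=//')
    next_subject=$(nth_cert "$1" 2 | openssl x509 -noout -subject 2>/dev/null | sed 's/^subject=//' || true)
    [ -n "$next_subject" ] && [ "$leaf_issuer" = "$next_subject" ]
}

build_all() {
    write_config; make_ca; make_leaf_csr; make_selfsigned; make_ca_signed
}

# Stand-alone run: sh build_chain.sh run
if [ "${1:-}" = "run" ]; then
    build_all
    for f in selfsigned-chain.pem fullchain.pem; do
        printf '%s: ocsp_uri=%s issuer_in_chain=' "$f" "$(ocsp_uri "${WORK}/$f")"
        issuer_in_chain "${WORK}/$f" && echo yes || echo no
    done
    openssl verify -CAfile "${WORK}/ca.crt" "${WORK}/leaf.crt"
fi
```

The self-signed bundle still reports an OCSP URI, so the AIA extension alone is not the problem; it fails the issuer check, which is exactly the "no issuer certificate in chain" situation above. Once a responder is actually listening at the AIA URL, openssl ocsp -issuer ca.crt -cert leaf.crt -url <url> is the quickest way to confirm it answers before pointing APISIX at it.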

Thanks, I'll try it like this.

chee003 avatar Feb 27 '24 10:02 chee003

Thank you so much. When I use a valid certificate, the ocsp-stapling plugin is OK. Here is the log:

    2024/02/27 11:48:06 [info] 51#51: *316920 [lua] ocsp-stapling.lua:101: set_ocsp_resp(): not ocsp resp cache found, fetch from ocsp responder, context: ssl_certificate_by_lua, client: 10.192.8.136, server: 0.0.0.0:9443
    2024/02/27 11:48:06 [info] 51#51: *316920 [lua] ocsp-stapling.lua:50: fetch_ocsp_resp(): fetch ocsp response from remote, context: ssl_certificate_by_lua, client: 10.192.8.136, server: 0.0.0.0:9443
    2024/02/27 11:48:06 [info] 51#51: *316920 [lua] ocsp-stapling.lua:106: set_ocsp_resp(): fetch ocsp resp ok, cache it, context: ssl_certificate_by_lua, client: 10.192.8.136, server: 0.0.0.0:9443

chee003 avatar Feb 27 '24 11:02 chee003

Thanks @yuweizzz, I used

chee003 avatar Feb 28 '24 05:02 chee003

Seems this OCSP stapling is already verified. Great thanks to @yuweizzz; this feature helped us a lot.

matrixji avatar Feb 28 '24 11:02 matrixji

Hello @yuweizzz, I have another issue I'd like your help with. When APISIX enables OCSP, can it support verifying only the client certificate, and setting ssl_ocsp_responder like the nginx configuration? A sample like the following:

    ssl_ocsp leaf;            # leaf means only verify the client certificate
    ssl_ocsp_responder url;   # url can override the OCSP URL in the certificate extension, for verifying the client certificate

chee003 avatar Apr 25 '24 09:04 chee003

I'm afraid not. They need to work with mTLS, and the current design doesn't contain this feature.

yuweizzz avatar Apr 25 '24 13:04 yuweizzz

APISIX already supports mTLS. The new OCSP feature has been provided in release 3.9.0; the next thing to do is to extend the OCSP options like nginx: http://nginx.org/en/docs/http/ngx_http_ssl_module.html

chee003 avatar Apr 26 '24 07:04 chee003