On two occasions since we enabled OCSP stapling when visiting https://casecurity.org/, I have received the sec_error_ocsp_old_response error. Attempting to load the site again results in no error. I am not sure if this is a problem with the server stapling an old response or if it is a bug with our OCSP stapling implementation. I will communicate this with the people working on that site by sending them a message on Twitter @CertCouncil.
Brian, I just saw an expired OCSP Response stapled by casecurity.org. I was using https://sslanalyzer.comodoca.com/?url=casecurity.org (which doesn't use any NSS or PSM code). Therefore, it looks like this is indeed "a problem with the server stapling an old response".
A flaw in the OCSP stapling code in nginx, it seems: http://trac.nginx.org/nginx/browser/nginx/src/event/ngx_event_openssl_stapling.c#L449 (should check for an expired response first, and not call ngx_ssl_stapling_update only after having handed out the current/old response)
This was accepted as a bug in Nginx - http://trac.nginx.org/nginx/ticket/425
Looks like the nginx bug was fixed.
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.