Closed Bug 923887 Opened 7 years ago Closed 4 years ago

Intermittent sec_error_ocsp_old_response on; possible regression from OCSP stapling


(Core :: Security: PSM, defect)






(Reporter: briansmith, Unassigned)


On two occasions since we enabled OCSP stapling when visiting, I have received the sec_error_ocsp_old_response error. Attempting to load the site again results in no error. I am not sure if this is a problem with the server stapling an old response or if it is a bug with our OCSP stapling implementation.

I will communicate this with the people working on that site by sending them a message on Twitter @CertCouncil.
Brian, I just saw an expired OCSP Response stapled by  I was using (which doesn't use any NSS or PSM code).  Therefore, it looks like this is indeed "a problem with the server stapling an old response".
A flaw in the OCSP stapling code in nginx, it seems:

(should check for an expired response first, and not call ngx_ssl_stapling_update only after having handed out the current/old response)
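The ordering problem described in the comment above, reduced to a small model as an added example (not nginx's code and not part of the original thread). The struct and function names are hypothetical; only the order of the expiry check relative to handing out the cached response is modeled.

```c
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

/* Hypothetical stapling cache: one cached OCSP response and its validity. */
struct staple_cache {
    bool   have_response;
    time_t next_update;     /* nextUpdate field of the cached response */
    bool   refresh_pending; /* set when a background refetch is requested */
};

/* Stand-in for an asynchronous refetch from the OCSP responder. */
static void request_refresh(struct staple_cache *c) { c->refresh_pending = true; }

/* Flawed ordering: the cached response is handed out first and a refresh
 * is requested only afterwards. Returns true if a response was stapled. */
bool staple_serve_then_refresh(struct staple_cache *c, time_t now)
{
    bool stapled = c->have_response;      /* expired or not, it goes out */
    if (now >= c->next_update)
        request_refresh(c);
    return stapled;
}

/* Corrected ordering: check expiry first. An expired response is never
 * stapled, so the handshake proceeds without a staple while we refetch. */
bool staple_check_then_serve(struct staple_cache *c, time_t now)
{
    if (!c->have_response || now >= c->next_update) {
        request_refresh(c);
        return false;
    }
    return true;
}

int main(void)
{
    /* Constructed sample: the response expired 60 seconds before "now". */
    time_t now = 1700000000;
    struct staple_cache a = { true, now - 60, false }, b = a;
    printf("serve-then-refresh stapled expired response: %d\n",
           staple_serve_then_refresh(&a, now));
    printf("check-then-serve stapled expired response:   %d\n",
           staple_check_then_serve(&b, now));
    return 0;
}
```

In the first ordering the one client that triggers the refresh receives the expired staple, which is consistent with an error that disappears on reload.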
This was accepted as a bug in Nginx -
Looks like the nginx bug was fixed.
Closed: 4 years ago
Resolution: --- → WORKSFORME