From 3a887f28e828fdae70d25981356014ecc12b72e8 Mon Sep 17 00:00:00 2001 From: Artur Juraszek Date: Tue, 27 Feb 2024 13:56:40 +0000 Subject: [PATCH] Properly support a TLS-wrapped OCSP responder (#10164) Current implementation of OCSP stapling makes use of the DNS caching machinery[^1], which results in resty.http not seeing the actual host name of the OCSP responder. On HTTP level, this is already mitigated via overriding the Host header, but if a given responder operates on a HTTPS endpoint (a setup which, admittedly, isn't very popular due to its chicken-and-egg caveats involved but is nonetheless legal[^2]) the connection will fail to be established. A relevant (and a bit redacted) excerpt from logs: 2023/07/02 18:13:23 [info] 112#112: *29039 [lua] dns.lua:32: cache_set(): cache set for 'my.ocsp.responder' with value of [10.1.2.3, 10.4.5.6, 10.7.8.9] and ttl of 30., context: ngx.timer, client: 127.0.0.1, server: 0.0.0.0:442 2023/07/02 18:13:23 [error] 112#112: *29039 lua ssl certificate does not match host "10.1.2.3", context: ngx.timer, client: 127.0.0.1, server: 0.0.0.0:442 2023/07/02 18:13:23 [error] 112#112: *29039 [lua] certificate.lua:143: fetch_and_cache_ocsp_response(): could not get OCSP response: certificate host mismatch, context: ngx.timer, client: 127.0.0.1, server: 0.0.0.0:442 [^1]: https://github.com/kubernetes/ingress-nginx/blob/ebb6314/rootfs/etc/nginx/lua/certificate.lua#L81 [^2]: https://datatracker.ietf.org/doc/html/rfc2560#appendix-A.1.1 --- rootfs/etc/nginx/lua/certificate.lua | 1 + 1 file changed, 1 insertion(+) diff --git a/rootfs/etc/nginx/lua/certificate.lua b/rootfs/etc/nginx/lua/certificate.lua index 48c8d7134..1b3d3b21f 100644 --- a/rootfs/etc/nginx/lua/certificate.lua +++ b/rootfs/etc/nginx/lua/certificate.lua @@ -103,6 +103,7 @@ local function do_ocsp_request(url, ocsp_request) ["Host"] = parsed_url[2], }, body = ocsp_request, + ssl_server_name = parsed_url[2], }) if not http_response then return nil, err