feat: apisix support ocsp stapling or not #10309

Open
chee003 opened this issue Oct 10, 2023 · 20 comments

Comments

@chee003

chee003 commented Oct 10, 2023

Description

apisix support ocsp stapling or not. and is support crl list?

@monkeyDluffy6017
Contributor

Yeah, APISIX is powered by nginx, OCSP stapling and CRL are supported of course

@chee003
Author

chee003 commented Dec 20, 2023

> Yeah, APISIX is powered by nginx, OCSP stapling and CRL are supported of course

Can you tell me which version supports this and how to enable it in APISIX?

@matrixji
Member

matrixji commented Dec 29, 2023

Co-work with @chee003
From my perspective, the TLS handshake is handled by Lua already, so a direct configuration with `ssl_stapling on;` may not work.

APISIX's nginx.conf:

    ssl_certificate_by_lua_block {
        apisix.stream_ssl_phase()
    }

Which is similar to nginx-ingress's configuration:

    ssl_certificate_by_lua_block {
        certificate.call()
    }

While the latest nginx-ingress has OCSP/OCSP stapling handling inside certificate.call, APISIX seems to be missing the handling of the OCSP request. I'm not sure if it is a good idea to try to port the handling of OCSP from a third party like ingress-nginx. If so, we're hoping the feature could be provided by APISIX.

A temporary solution may be client -> nginx-ingress -> apisix-gateway -> app-backend, but currently we want to use APISIX only (w/o any other ingress/gateway).

@yuweizzz
Contributor

Maybe we need the ngx.ocsp module to support this feature.

@monkeyDluffy6017
Contributor

@matrixji @chee003 could you check if this #10817 meets your requirement?

@matrixji
Member

Outstanding job, 👍
I'll try to do some local testing with the PR and update here later.

@kayx23 kayx23 added the wait for update wait for the author's response in this issue/PR label Jan 26, 2024
@chee003
Author

chee003 commented Feb 27, 2024

> @matrixji @chee003 could you check if this #10817 meets your requirement?

I enabled the ocsp plugin; I can see from the log that the plugin has loaded. When I send a request, errors occur; the log looks like this:

2024/02/27 05:54:07 [warn] 53#53: 6 [lua] plugin.lua:205: load(): new plugins: {"ocsp-stapling":true}, context: init_worker_by_lua
2024/02/27 05:54:07 [warn] 52#52: 8 [lua] plugin.lua:235: load(): loaded plugin and sort by priority: -44 name: ocsp-stapling, context: init_worker_by_lua

...
2024/02/27 06:20:01 [info] 50#50: 413 [lua] ocsp-stapling.lua:136: set_cert_and_key(): no 'ocsp_stapling' field found, no need to run ocsp-stapling plugin, context: ssl_certificate_by_lua, client: 10.192.37.120, server: 0.0.0.0:9443

I want to ask whether this error means my certificate is not correct? How can I solve this, and is there some way to configure the OCSP URL like the nginx conf does, using the property "ssl_ocsp_responder"?

@github-actions github-actions bot added user responded and removed wait for update wait for the author's response in this issue/PR labels Feb 27, 2024
@yuweizzz
Contributor

yuweizzz commented Feb 27, 2024

It seems that you didn't configure the 'ocsp_stapling' field in the ssl resource, try this:

curl http://127.0.0.1:9180/apisix/admin/ssls/<id> \
  -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PATCH -d '
{
    "ocsp_stapling": {
        "enabled": true
    }
}'

and the doc is here.

@chee003
Author

chee003 commented Feb 27, 2024

> It seems that you didn't configure the 'ocsp_stapling' field in the ssl resource, try this:
>
> curl http://127.0.0.1:9180/apisix/admin/ssls/<id> \
>   -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PATCH -d '
> {
>     "ocsp_stapling": {
>         "enabled": true
>     }
> }'
>
> and the doc is here.

I did the post and the error is not resolved:
echo -n "Q" | openssl s_client -status -connect example.com:9443 -servername example.com 2>&1 | cat

2024/02/27 08:42:13 [info] 54#54: 122947 [lua] ocsp-stapling.lua:101: set_ocsp_resp(): not ocsp resp cache found, fetch from ocsp responder, context: ssl_certificate_by_lua, client: 10.192.8.136, server: 0.0.0.0:9443
2024/02/27 08:42:13 [info] 54#54: 122947 [lua] ocsp-stapling.lua:50: fetch_ocsp_resp(): fetch ocsp response from remote, context: ssl_certificate_by_lua, client: 10.192.8.136, server: 0.0.0.0:9443
2024/02/27 08:42:13 [error] 54#54: 122947 [lua] ocsp-stapling.lua:172: set_cert_and_key(): no ocsp response send: failed to get ocsp url: no issuer certificate in chain, context: ssl_certificate_by_lua, client: 10.192.8.136, server: 0.0.0.0:9443

Is this because my certificate is not correct?

    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:FALSE
        Netscape Comment:
            OpenSSL Generated Certificate
        X509v3 Subject Key Identifier:
            AB:32:21:E4:D5:BC:99:12:B7:C7:C0:06:DB:97:D8:C2:49:90:9B:3D
        X509v3 Authority Key Identifier:
            keyid:B3:18:B5:CB:B8:5F:B6:F9:0F:93:4F:25:41:AD:FC:1E:8B:32:7C:45

        Authority Information Access:
            OCSP - URI:http://10.10.8.13:25252

@yuweizzz
Contributor

Is this a self-signed certificate? Try combining your current certificate with your CA certificate like:

cat current.pem CA.pem >> fullchain.pem

@chee003
Author

chee003 commented Feb 27, 2024

It's a self-signed certificate, the error still exists. I think APISIX can't get the OCSP URL from the certificate.

@yuweizzz
Contributor

> It's a self-signed certificate, the error still exists. I think APISIX can't get the OCSP URL from the certificate.

If you signed with the private key directly like this, this plugin may not work:

openssl x509 -req -sha256 -days 365 -in x509.csr -signkey key.pri -out x509.crt ...

To make it work, the output certificate needs to be signed by a CA certificate like:

openssl x509 -req -sha256 -days 365 -in x509.csr -CA ca.crt -CAkey ca.pri -out x509.crt ...

and then combine x509.crt and CA.crt.

Hope this helps.
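The two signing paths contrasted above, together with the check that the plugin's "no issuer certificate in chain" error implies, as an added example that is not part of the issue or of APISIX's code. It assumes only the openssl CLI; the names it uses (Demo Root CA, gateway.example.test, ocsp.example.test:2560) are constructed for the demo:

```shell
#!/bin/sh
# Added example, not code from the issue or from APISIX. It rebuilds the two
# situations discussed above with a throwaway PKI and then inspects a PEM bundle
# the way an OCSP stapling fetcher must: the leaf needs an AIA OCSP URI, and the
# certificate that actually issued the leaf must be present in the bundle.
# Requires the openssl CLI. All names below (Demo Root CA, gateway.example.test,
# ocsp.example.test:2560) are constructed for the demo.
set -e

# Build the demo PKI in directory $1: a CA, a CA-signed leaf carrying an OCSP
# URI, and a -signkey self-signed leaf that mimics the failing setup in the thread.
make_demo_pki() {
  dir=$1
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -new -key "$dir/ca.key" -subj "/CN=Demo Root CA" -out "$dir/ca.csr" 2>/dev/null
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' > "$dir/ca.ext"
  openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 30 \
      -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null

  openssl genrsa -out "$dir/leaf.key" 2048 2>/dev/null
  openssl req -new -key "$dir/leaf.key" -subj "/CN=gateway.example.test" \
      -out "$dir/leaf.csr" 2>/dev/null
  # The Authority Information Access extension is where the responder URL comes from.
  printf '%s\n' 'basicConstraints=CA:FALSE' \
      'authorityInfoAccess=OCSP;URI:http://ocsp.example.test:2560' > "$dir/leaf.ext"
  # Right: issued by the CA (-CA/-CAkey), as recommended in the thread.
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
      -CAcreateserial -days 30 -extfile "$dir/leaf.ext" -out "$dir/leaf.crt" 2>/dev/null
  # Wrong: signed with its own key (-signkey); no CA certificate is its issuer.
  openssl x509 -req -in "$dir/leaf.csr" -signkey "$dir/leaf.key" \
      -days 30 -extfile "$dir/leaf.ext" -out "$dir/selfsigned.crt" 2>/dev/null
  cat "$dir/leaf.crt" "$dir/ca.crt" > "$dir/fullchain.pem"
}

# Inspect PEM bundle $1 (leaf first, issuers after). Prints exactly one of:
#   OK <ocsp-uri>    the leaf has an OCSP URI and its issuer is in the bundle
#   NO_OCSP_URI      the leaf has no AIA OCSP entry, so there is nothing to fetch
#   MISSING_ISSUER   no bundled certificate issued the leaf; this is the condition
#                    behind "failed to get ocsp url: no issuer certificate in chain"
# Returns 0 only for OK.
check_chain() {
  bundle=$1
  tmp=$(mktemp -d)
  # Split the bundle into one file per certificate, preserving order.
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ {n++} n > 0 {print > (d "/cert-" n ".pem")}' "$bundle"
  leaf="$tmp/cert-1.pem"
  uri=$(openssl x509 -noout -ocsp_uri -in "$leaf")
  if [ -z "$uri" ]; then
    rm -rf "$tmp"; echo NO_OCSP_URI; return 1
  fi
  want=$(openssl x509 -noout -issuer_hash -in "$leaf")
  for c in "$tmp"/cert-*.pem; do
    [ "$c" = "$leaf" ] && continue
    openssl x509 -noout -in "$c" 2>/dev/null || continue
    have=$(openssl x509 -noout -subject_hash -in "$c")
    # A matching issuer name is necessary but not sufficient: the leaf's
    # signature must also verify against this candidate's public key.
    if [ "$have" = "$want" ] && openssl verify -partial_chain -trusted "$c" "$leaf" >/dev/null 2>&1; then
      rm -rf "$tmp"; echo "OK $uri"; return 0
    fi
  done
  rm -rf "$tmp"; echo MISSING_ISSUER; return 1
}

# Walk through the three bundles a user in this thread would end up with.
demo() {
  work=$(mktemp -d)
  make_demo_pki "$work"
  printf 'leaf.crt + ca.crt       -> %s\n' "$(check_chain "$work/fullchain.pem" || true)"
  printf 'leaf.crt alone          -> %s\n' "$(check_chain "$work/leaf.crt" || true)"
  cat "$work/selfsigned.crt" "$work/ca.crt" > "$work/selfsigned-plus-ca.pem"
  printf 'selfsigned.crt + ca.crt -> %s\n' "$(check_chain "$work/selfsigned-plus-ca.pem" || true)"
  rm -rf "$work"
}

demo
```

The third line of the demo output is the point of the thread: appending the CA certificate to a bundle whose leaf was signed with `-signkey` still reports MISSING_ISSUER, because no CA certificate is that leaf's issuer, so there is nothing in the chain from which an OCSP fetcher can build a request. Only the `-CA`/`-CAkey` signed leaf followed by its CA passes.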

@chee003
Author

chee003 commented Feb 27, 2024

> It's a self-signed certificate, the error still exists. I think APISIX can't get the OCSP URL from the certificate.
>
> If you signed with the private key directly like this, this plugin may not work:
>
> openssl x509 -req -sha256 -days 365 -in x509.csr -signkey key.pri -out x509.crt ...
>
> To make it work, the output certificate needs to be signed by a CA certificate like:
>
> openssl x509 -req -sha256 -days 365 -in x509.csr -CA ca.crt -CAkey ca.pri -out x509.crt ...
>
> and then combine x509.crt and CA.crt.
>
> Hope this helps.

3q, I'll try it like this

@chee003
Author

chee003 commented Feb 27, 2024

> It's a self-signed certificate, the error still exists. I think APISIX can't get the OCSP URL from the certificate.
>
> If you signed with the private key directly like this, this plugin may not work:
>
> openssl x509 -req -sha256 -days 365 -in x509.csr -signkey key.pri -out x509.crt ...
>
> To make it work, the output certificate needs to be signed by a CA certificate like:
>
> openssl x509 -req -sha256 -days 365 -in x509.csr -CA ca.crt -CAkey ca.pri -out x509.crt ...
>
> and then combine x509.crt and CA.crt.
>
> Hope this helps.

Thank you so much, when I use a valid certificate, the ocsp plugin is OK.
Here is the log:
2024/02/27 11:48:06 [info] 51#51: 316920 [lua] ocsp-stapling.lua:101: set_ocsp_resp(): not ocsp resp cache found, fetch from ocsp responder, context: ssl_certificate_by_lua, client: 10.192.8.136, server: 0.0.0.0:9443
2024/02/27 11:48:06 [info] 51#51: 316920 [lua] ocsp-stapling.lua:50: fetch_ocsp_resp(): fetch ocsp response from remote, context: ssl_certificate_by_lua, client: 10.192.8.136, server: 0.0.0.0:9443
2024/02/27 11:48:06 [info] 51#51: 316920 [lua] ocsp-stapling.lua:106: set_ocsp_resp(): fetch ocsp resp ok, cache it, context: ssl_certificate_by_lua, client: 10.192.8.136, server: 0.0.0.0:9443

@chee003
Author

chee003 commented Feb 28, 2024

> It's a self-signed certificate, the error still exists. I think APISIX can't get the OCSP URL from the certificate.
>
> If you signed with the private key directly like this, this plugin may not work:
>
> openssl x509 -req -sha256 -days 365 -in x509.csr -signkey key.pri -out x509.crt ...
>
> To make it work, the output certificate needs to be signed by a CA certificate like:
>
> openssl x509 -req -sha256 -days 365 -in x509.csr -CA ca.crt -CAkey ca.pri -out x509.crt ...
>
> and then combine x509.crt and CA.crt.
> Hope this helps.
>
> 3q, I'll try it like this

3q @yuweizzz, I used it.

@chee003 chee003 closed this as completed Feb 28, 2024
@matrixji
Member

Seems this OCSP stapling is already verified, great thanks to @yuweizzz, this feature helped us a lot.

@chee003
Author

chee003 commented Apr 25, 2024

> It seems that you didn't configure the 'ocsp_stapling' field in the ssl resource, try this:
>
> curl http://127.0.0.1:9180/apisix/admin/ssls/<id> \
>   -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PATCH -d '
> {
>     "ocsp_stapling": {
>         "enabled": true
>     }
> }'
>
> and the doc is here.

Hello @yuweizzz, I have another issue to ask for your help with.
When APISIX enables OCSP, can it support verifying only the client certificate, and support setting ssl_ocsp_responder like the nginx configuration? The sample is like the following:
ssl_ocsp leaf; #leaf means only verify the client certificate
ssl_ocsp_responder url; # url can override the extension ocsp url in the certificate,for verify the client certificate

@yuweizzz
Contributor

I'm afraid not, they need to work with mTLS, the current design doesn't contain this feature.

@chee003
Author

chee003 commented Apr 26, 2024

APISIX already supports mTLS, the new OCSP feature has been provided in release 3.9.0, the next thing to do is to extend the OCSP options like nginx.
http://nginx.org/en/docs/http/ngx_http_ssl_module.html
