How to get rid of "No OCSP stapling response received" warning?

I use stunnel to connect to my old "smart" switches from modern browsers. Here is a subset of the configuration for one of the switches.

[switch1-frontend]
sni = frontend:switch1.penurio.us
CAfile = /etc/ipa/ca.crt
cert = /etc/pki/tls/certs/stunnel/switch1.crt
key = /tmp/keys/switch1.key
connect = 127.255.255.254:8081

[switch1-backend]
client = yes
accept = 127.255.255.254:8081
connect = 172.31.4.1:443
verifyChain = yes
checkHost = switch1.penurio.us
CAfile = /etc/ipa/ca.crt
sslVersion = TLSv1
ciphers = DHE-RSA-AES256-SHA
options = ALLOW_UNSAFE_LEGACY_RENEGOTIATION
securityLevel = 0
OCSPrequire = no
OCSPaia = no

Everything works, except that every connection produces a bright red warning in my log:

OCSP: No OCSP stapling response received

I've read up on OCSP stapling, and this seems to mean that the switch isn't including an OCSP response in its TLS handshake. (Hardly surprising, given its age.) How can I tell stunnel to not request/expect an OCSP response from the switch (or at least to not log the missing OCSP response as a warning)?

-- 
========================================================================
If your user interface is intuitive in retrospect ... it isn't intuitive
========================================================================

On 9/23/25 11:27 PM, Ian Pilcher via stunnel-users wrote:
> Everything works, except that every connection produces a bright red warning in my log:
> OCSP: No OCSP stapling response received

Good point. It's definitely not a warning nor an error. I'll change the log level to INFO in the next release.

Best regards,
Mike

It would be nice to change the log level for "No OCSP stapling response received" messages. However, this looks like it might be a bug. I also encountered the following case:

verifyChain = yes
checkHost = smtp.mail.eu-west-1.awsapps.com

In this setup, no OCSP related options can suppress checking OCSP:

OCSPrequire = no
OCSPaia = no
OCSPflag = NOVERIFY

I would suggest to either add an option to disable OCSP checks with verifyChain=yes, or to adjust the behavior of OCSPrequire=no so it does that.

On 9/24/25 5:16 PM, pavel.selivanov@kassa.com wrote:
> It would be nice to change the log level for "No OCSP stapling response received" messages.
> However, this looks like it might be a bug.
> I also encountered the following case:
>
> verifyChain = yes
> checkHost = smtp.mail.eu-west-1.awsapps.com
>
> In this setup, no OCSP related options can suppress checking OCSP:
>
> OCSPrequire = no
> OCSPaia = no
> OCSPflag = NOVERIFY
>
> I would suggest to either add an option to disable OCSP checks with verifyChain=yes, or to adjust the behavior of OCSPrequire=no so it does that.

The "No OCSP stapling response received" log message, as its text suggests, only means that the TLS server did not return stapling. This check is performed before OCSP verification, so it doesn't matter whether a conclusive OCSP response is required, whether the OCSP AIA URL will be used, nor whether OCSP signature verification will be performed.

A separate issue is that if OCSP stapling was provided by the server *and* the certificate status is V_OCSP_CERTSTATUS_REVOKED, then stunnel will reject the connection regardless of its configuration.

Best regards,
Mike
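A quick way to confirm what Mike describes, namely whether the backend server staples an OCSP response at all, and if it does, whether the stapled status is good or revoked, is to look at the "OCSP response:" section that `openssl s_client -status` prints. The script below is an added example written for this thread; it is not from the original posts nor from the stunnel project. The `classify_staple` function parses an s_client transcript (the three sample transcripts are constructed, not captured from Ian's switch), and `probe_staple` is a hypothetical wrapper that assumes a local `openssl` binary and network access to the server.

```shell
#!/bin/sh
# Classify the "OCSP response:" section of an `openssl s_client -status`
# transcript read on stdin. Prints one word:
#   none    - no stapled response (stunnel logs "No OCSP stapling response received")
#   good    - stapled response present, Cert Status: good
#   revoked - stapled response says revoked (stunnel rejects the connection
#             regardless of the OCSP* options)
#   unknown - stapled response present but its status could not be determined
classify_staple() {
    awk '
        /^OCSP response: no response sent/ { print "none"; done = 1; exit }
        /^OCSP response:/                  { in_ocsp = 1; next }
        in_ocsp && /Cert Status: good/     { print "good"; done = 1; exit }
        in_ocsp && /Cert Status: revoked/  { print "revoked"; done = 1; exit }
        in_ocsp && /Cert Status: unknown/  { print "unknown"; done = 1; exit }
        END { if (!done) print (in_ocsp ? "unknown" : "none") }
    '
}

# Hypothetical live probe (assumes openssl and connectivity; not run by the
# test). The SNI name is sent so the server presents the right certificate.
probe_staple() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -status \
        </dev/null 2>/dev/null | classify_staple
}

# Constructed sample transcripts, trimmed to the lines that matter.
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain'

SAMPLE_GOOD='CONNECTED(00000003)
OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
======================================
---'

SAMPLE_REVOKED='CONNECTED(00000003)
OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: revoked
    Revocation Time: Jan  1 00:00:00 2025 GMT
======================================
---'

printf 'no staple  -> %s\n' "$(printf '%s\n' "$SAMPLE_NONE" | classify_staple)"
printf 'good       -> %s\n' "$(printf '%s\n' "$SAMPLE_GOOD" | classify_staple)"
printf 'revoked    -> %s\n' "$(printf '%s\n' "$SAMPLE_REVOKED" | classify_staple)"
```

Against an old device like the switch in this thread, `probe_staple 172.31.4.1` would be expected to print `none`, which matches the log line: the message is only reporting the absence of a staple, and the OCSPrequire/OCSPaia options have no bearing on it. If a server ever returns `revoked`, stunnel's rejection of the connection is the intended behaviour rather than something to configure away.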

Thank you for clarification! My mistake, not a bug.

Thank you!
participants (4)
- arequipeno@gmail.com
- Ian Pilcher
- Michał Trojnara
- pavel.selivanov@kassa.com