Hi,
Actually, I had the same questions.
Is this something that's available by now, or is it in the pipeline of any new release of Nginx or will it never be?
I'm just asking since I believe this might be a good feature to add since CRL's could get very big when lots of certificate have been revoked, and since it is not a realtime updating mechanism.
By using a OCSP, there is a little overhead of contacting the OCSP for checking each client certificate that is being validated...
I believe this to be much more efficient than regularly downloading/uploading a CRL and reloading Nginx. This process can fail on multiple locations which makes it harder to track and a big disadvantage of the CRL's is that they are not realtime updated, which is the case for OCSP's.
This way revoking a certificate will cause it to immediately retract the access to client certificate secured applications (for all new sessions).
Is it already supported in some version of Nginx or is it planned somewhere in the future?
Many thanks,
Kind regards,
Francis Claessens.