Welcome! Log In Create A New Profile


ssl_ocsp and ssl_crl: enable if available

Posted by spa84 
ssl_ocsp and ssl_crl: enable if available
April 03, 2024 08:08PM
I have a server that supports multiple CA chains. The old CA neither has CRL enabled, nor “Authority Information Access”(AIA) certificate extension in the issued certificates. The new chain has both enabled.

When I tried to enable CRL or OCSP check, I found that it broke the SSL verification for the old CA chain. There is no way to enable CRL/OCSP for only the new CA chain.

When the NGINX option "ssl_ocsp" is enabled(with "on" or "leaf"), the cert OCSP responder URL is picked up from the “Authority Information Access”(AIA) certificate extension. For the certs issued by an old chain, since the “Authority Information Access”(AIA) is missing in the cert, the verification fails with "FAILED:certificate status request failed". Based on the code, the "ssl_ocsp_responder" option also requires AIA.

The same behavior exists with "ssl_crl". When enabled, it requires CRL for all the CA chains. It cannot be enabled for new CA chains only.

For both "ssl_ocsp" and "ssl_crl", it would be great to have the option to say "use OCSP if the certificate has AIA and ignore otherwise" or "check CRL if it is available for a given CA chain, otherwise ignore".
Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 194
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 500 on July 15, 2024
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready