Hello!

On Tue, Sep 26, 2017 at 05:24:26PM +0200, Grzegorz Kulewski wrote:

> W dniu 26.09.2017 15:20, Maxim Dounin pisze:
> > Hello!
> >
> > On Tue, Sep 26, 2017 at 03:48:57AM +0200, Grzegorz Kulewski
> > wrote:
> >
> >> Is resolver in nginx still needed for OCSP stapling?
> >
> > Yes.
> >
> >> I am getting a warning from nginx if resolver is not supplied
> >> but at the same time both Qualys and openssl s_client output
> >> suggest OCSP stapling is working. Strange.
> >
> > The warning means that nginx will use IP addresses of the OCSP
> > responder obtained during configuration parsing, and it won't
> > be able to switch to different IP addresses. That is,
> > everything will work unless OCSP responder will be moved to
> > different IP addresses.
>
> Thank you very much for this explanation.
>
> I know that this behavior is compatible with proxy_pass
> resolving policy but wouldn't it be better to fail fast in this
> scenario? Doing what nginx is currently doing is bound to
> surprise some people, especially if must staple is used.

Even if implemented (this is probably won't be trivial for various
reasons), this will limit functionality if you don't have a DNS
server on hand and nevertheless want to use OCSP stapling,
assuming IP addresses won't change fast enough, or you are using
an IP address of an OCSP responder.

As for must staple, it was discussed more than once that must
staple requirements are quite different from ones needed for OCSP
stapling as an optimization technique as implemented in nginx.

> If you think it's not possible to change it then maybe the
> warning can be improved to say exactly what you said?

Looks a little bit long for a warning to me.

--
Maxim Dounin
http://nginx.org/
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx