Re: stable | mainline - encoding error ssl_stapling_file

Maxim Dounin
January 06, 2019 08:54PM
Hello!

On Fri, Jan 04, 2019 at 05:57:56AM +0100, ѽ҉ḳ℠ wrote:

> On 04.01.2019 05:35, Maxim Dounin wrote:
>
>> The "ssl_stapling_file" directive needs an OCSP response obtained
>> from your certificate authority, not a certificate. As you are
>> trying to put a certificate instead, parsing expectedly fails.
>
> Thanks for the explanation which was not clear to me from the online
> documentation.

The documentation is pretty clear - it says you need an OCSP
response, and it references the appropriate openssl subcommand to
generate one (http://nginx.org/r/ssl_stapling_file):

: When set, the stapled OCSP response will be taken from the specified file
: instead of querying the OCSP responder specified in the server certificate.
:
: The file should be in the DER format as produced by the “openssl ocsp”
: command.

> So basically nginx does not work as an OCSP responder
> for domains with self-signed certificates unless the domain deploys its
> own responder. Too bad as I had hoped that the "ssl_stapling_file"
> directive would be able to process an OSCP certificate rather than a
> response from a responder.

Using OCSP (or any other revocation checking mechanism) with
self-signed certificates simply does not make sense: as long as
the certificate is compromised, everything signed by this
certificate is compromised too, including any possible OCSP
responses.

OCSP stapling might make sense if you are instead running an
internal CA and use certificates signed by this CA, but the CA
does not have an OCSP responder configured. In this case, you can
produce an OCSP response using the "openssl ocsp" command. Please
refer to its manual page ("man ocsp") for details.

--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx