On Wed, Sep 29, 2021 at 9:24 PM Maxim Dounin <mdounin@mdounin.ru> wrote:
>
> Hello!
>
> On Wed, Sep 29, 2021 at 12:47:58PM +0800, Jeffrey 'jf' Lim wrote:
>
> > http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
> > has a note about not needing 'ssl_trusted_certificate' if
> > ssl_certificate has intermediate certificates. I do not see a similar
> > note for ssl_stapling_verify
> > (http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling_verify)
> > though. Is this also the same?
>
> No. To verify OCSP response OpenSSL needs a full chain up to a
> trusted root certificate.
>
Ok. I am reading the description for ssl_stapling again, and am
wanting to clarify a few things.

If "ssl_stapling on":
    if the certificate of the server certificate issuer is present in
    <ssl_certificate>, we do not need to have <ssl_trusted_certificate>;
    otherwise <ssl_trusted_certificate> must have the certificate of the
    server certificate issuer.

If "ssl_stapling_verify on":
    if <ssl_certificate> has the full chain, we *still* need
    <ssl_trusted_certificate>.

Is my understanding correct?
thanks,
-jf
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
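The distinction Maxim draws above (issuer certificate is enough for ssl_stapling, but ssl_stapling_verify needs a chain that reaches a trusted root) can be reproduced outside nginx with the openssl CLI. The script below is an added example, not part of the thread and not nginx's own code: it builds a throw-away root -> intermediate -> leaf chain, then runs OpenSSL's path verification with a trust file that holds only the issuer (what a leaf-plus-intermediate ssl_certificate file provides) and again with one that also holds the root (what ssl_trusted_certificate must hold for stapling verification). All certificates, names and file paths are constructed here; it assumes only that `openssl` is installed.

```shell
#!/bin/sh
# Added example (not from the mailing list thread): demonstrate why a trust
# file must reach the root for OpenSSL's chain verification to succeed.
# Assumption: the openssl CLI is available. Everything else is constructed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a three-tier chain: self-signed root -> intermediate CA -> server leaf.
build_chain() {
  printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.ext"

  # Self-signed root CA (constructed, valid for one day).
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" >/dev/null 2>&1

  # Intermediate CA, signed by the root, marked CA:TRUE so it may issue.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/int.csr" -CA "$WORK/root.crt" \
    -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/ca.ext" \
    -out "$WORK/int.crt" >/dev/null 2>&1

  # Server (leaf) certificate, signed by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo.example" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/int.crt" \
    -CAkey "$WORK/int.key" -CAcreateserial -out "$WORK/leaf.crt" >/dev/null 2>&1

  # Trust file 1: issuer only. This is what an ssl_certificate file holding
  # leaf + intermediate gives nginx; enough to locate the OCSP responder.
  cat "$WORK/int.crt" > "$WORK/trusted_issuer_only.pem"

  # Trust file 2: intermediate plus root. This is the shape
  # ssl_trusted_certificate needs when ssl_stapling_verify is on.
  cat "$WORK/int.crt" "$WORK/root.crt" > "$WORK/trusted_full.pem"
}

# verify_leaf <trust-file>: prints "ok" when leaf.crt chains to a trusted
# root inside the given file, "fail" otherwise. This is the same X509 path
# building OpenSSL performs before it will accept a signed OCSP response.
verify_leaf() {
  if openssl verify -CAfile "$1" "$WORK/leaf.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

build_chain
echo "issuer only : $(verify_leaf "$WORK/trusted_issuer_only.pem")"
echo "full chain  : $(verify_leaf "$WORK/trusted_full.pem")"
```

The first verification fails with "unable to get issuer certificate" because the intermediate is not self-signed and nothing in the trust file vouches for it; the second succeeds once the root is present. The practical check for an nginx deployment is therefore `openssl verify -CAfile <ssl_trusted_certificate file> <server cert>`: if that command does not succeed, ssl_stapling_verify will reject the OCSP response and nothing will be stapled.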