
Re: ssl_stapling_verify: do we need 'ssl_trusted_certificate' if the intermediate certs are present in ssl_certificate?

Jeffrey 'jf' Lim
October 06, 2021 11:14PM
On Wed, Sep 29, 2021 at 9:42 PM Jeffrey 'jf' Lim <jfs.world@gmail.com> wrote:
>
> On Wed, Sep 29, 2021 at 9:24 PM Maxim Dounin <mdounin@mdounin.ru> wrote:
> >
> > Hello!
> >
> > On Wed, Sep 29, 2021 at 12:47:58PM +0800, Jeffrey 'jf' Lim wrote:
> >
> > > http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
> > > has a note about not needing 'ssl_trusted_certificate' if
> > > ssl_certificate has intermediate certificates. I do not see a similar
> > > note for ssl_stapling_verify
> > > (http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling_verify)
> > > though. Is this also the same?
> >
> > No. To verify OCSP response OpenSSL needs a full chain up to a
> > trusted root certificate.
> >
>
> Ok. I am reading the description for ssl_stapling again, and am
> wanting to clarify a few things.
>
> if "ssl_stapling on":
>   if the certificate of the server certificate issuer is present in
>   <ssl_certificate>, we do not need to have <ssl_trusted_certificate>
>   otherwise <ssl_trusted_certificate> must have the certificate of the
>   server certificate issuer
>
> if "ssl_stapling_verify on":
>   if <ssl_certificate> has the full chain, we *still* need
>   <ssl_trusted_certificate>
>
> Is my understanding correct?
>

sorry, but can I get a clarification on whether my understanding is correct?

thanks,
-jf
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
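
The two cases discussed in this thread, written out as an nginx configuration. This is an added example, not configuration from the posters or from the nginx project; the server names, file paths and resolver address are placeholders.

```nginx
# Case 1: stapling without verification.
# The issuer certificate is taken from the ssl_certificate file itself
# (leaf first, then the intermediates), so ssl_trusted_certificate is
# not needed for stapling to work.
server {
    listen 443 ssl;
    server_name stapling-only.example.com;              # placeholder

    ssl_certificate     /etc/nginx/tls/fullchain.pem;   # placeholder: leaf + intermediates
    ssl_certificate_key /etc/nginx/tls/privkey.pem;     # placeholder

    ssl_stapling on;

    # Needed so nginx can resolve the OCSP responder hostname.
    resolver 192.0.2.53;                                # placeholder address
}

# Case 2: stapling with verification of the OCSP response.
# As stated in the reply quoted above, OpenSSL needs a full chain up to a
# trusted root to verify the response. Intermediates in ssl_certificate
# are not treated as trusted, so the issuer, all intermediates and the
# root go into ssl_trusted_certificate.
server {
    listen 443 ssl;
    server_name stapling-verify.example.com;            # placeholder

    ssl_certificate     /etc/nginx/tls/fullchain.pem;   # placeholder: leaf + intermediates
    ssl_certificate_key /etc/nginx/tls/privkey.pem;     # placeholder

    ssl_stapling on;
    ssl_stapling_verify on;

    # placeholder: issuer + intermediates + root CA, PEM format
    ssl_trusted_certificate /etc/nginx/tls/ocsp-trust-chain.pem;

    resolver 192.0.2.53;                                # placeholder address
}
```

Certificates listed in `ssl_trusted_certificate` are not sent to clients, so adding the root there does not change the chain served in the handshake.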