Welcome! Log In Create A New Profile

Advanced

RE: OCSP, client certificate verification with chained CA

All files from this thread

File Name File Size   Posted by Date  
nginx_pki.tar.gz 36.3 KB open | download Marti, Ueli (Marin) 01/04/2022 Read message
Marti, Ueli (Marin)
January 07, 2022 02:26AM
Hi,
ok that makes sense.
Thank you for the feedback.

-----Original Message-----
From: nginx <nginx-bounces@nginx.org> On Behalf Of Maxim Dounin
Sent: Thursday, January 6, 2022 9:36 PM
To: nginx@nginx.org
Subject: Re: OCSP, client certificate verification with chained CA

CAUTION: This email originated outside the company. Do not click links or open attachments unless you are expecting them from the sender.

Hello!

On Wed, Jan 05, 2022 at 03:33:29PM +0000, Marti, Ueli (Marin) wrote:

> Ok, good point thanks.
> However, it seems nginx accepts only one ssl_ocsp_responder instance.
> Or is there a syntax to specify multiple instances ?
> So this would need to be solved on the responder side which would need
> to be able to handle multiple CAs. Openssl ocsp doesn't seem to
> support that.
>
> Any chance for nginx to support multiple ssl_ocsp_responder instances
> in the future ?

Normally you shouldn't use ssl_ocsp_responder responder at all:
instead, certificate's Authority Information Access (AIA) extension is used to obtain appropriate OCSP responder address.

The ssl_ocsp_responder directive is something to be used to manually override information from AIA extension, either for testing or for complex configurations when you want to redefine OCSP server address for some reason. If you do this, you can distinguish OCSP requests to different certificates based on the information in the requests, such as issuer name and issuer key hashes. If the OCSP responder you use is not capable of doing this, consider removing the ssl_ocsp_responder directive, so nginx will use the AIA extension instead.

(Note well that using OpenSSL's builtin OCSP responder for anything but tests might not be a good idea.)

--
Maxim Dounin
https://eur02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fmdounin.ru%2F&amp;data=04%7C01%7Cueli.marti%40ch.glory-global.com%7Cc91775dcee084c36b08d08d9d1543ac5%7C28825646ef414c9bb69e305d76fc24e5%7C0%7C0%7C637770982414205536%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&amp;sdata=ho6wwhioU3yMWqNdOTqM7cDuShgG6wS9GiFRC6RmW3g%3D&amp;reserved=0
_______________________________________________
nginx mailing list
nginx@nginx.org
https://eur02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fmailman.nginx.org%2Fmailman%2Flistinfo%2Fnginx&amp;data=04%7C01%7Cueli.marti%40ch.glory-global.com%7Cc91775dcee084c36b08d08d9d1543ac5%7C28825646ef414c9bb69e305d76fc24e5%7C0%7C0%7C637770982414205536%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&amp;sdata=lyBobLI13LJ75NXAqv74l8UoNNhB2RxujohzH8oTFRA%3D&amp;reserved=0
This e-mail and any files attached are strictly confidential, may be legally privileged and are intended solely for the addressee. If you are not the intended recipient please notify the sender immediately by return email and then delete the e-mail and any attachments immediately. The views and or opinions expressed in this e-mail are not necessarily the views of Glory Ltd, Glory Global Solutions Limited or any of their subsidiaries or affiliates and the GLORY Group of companies, their directors, officers and employees make no representation about and accept no liability for its accuracy or completeness. You should ensure that you have adequate virus protection as the GLORY Group of companies do not accept liability for any viruses. Glory Global Solutions Limited Registered No. 07945417 and Glory Global Solutions (International) Limited Registered No 6569621 are both registered in England and Wales with their registered office at: Infinity View, 1 Hazelwood, Lime Tree Way, Chineham,
Basingstoke, Hampshire RG24 8WZ, United Kingdom
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Subject Author Posted

OCSP, client certificate verification with chained CA Attachments

Marti, Ueli (Marin) January 04, 2022 06:12AM

Re: OCSP, client certificate verification with chained CA

Vahan Yerkanian January 04, 2022 08:22AM

RE: OCSP, client certificate verification with chained CA

Marti, Ueli (Marin) January 04, 2022 09:46AM

Re: OCSP, client certificate verification with chained CA

Maxim Dounin January 05, 2022 09:24AM

RE: OCSP, client certificate verification with chained CA

Marti, Ueli (Marin) January 05, 2022 10:36AM

Re: OCSP, client certificate verification with chained CA

Maxim Dounin January 06, 2022 03:38PM

RE: OCSP, client certificate verification with chained CA

Marti, Ueli (Marin) January 07, 2022 02:26AM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 83
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready