[PATCH 0 of 4] OCSP stapling

Maxim Dounin
September 05, 2012 07:18AM
Hello!

Here are patches for OCSP stapling support. Testing and
review appreciated.

New directives:

ssl_trusted_certificate /path/to/file;

Specifies a file with CA certificates in the PEM format used for
certificate verification. In contrast to ssl_client_certificate, DNs
of these certificates aren't sent to a client in CertificateRequest.

ssl_stapling on|off;

Activates OCSP stapling.

ssl_stapling_file /path/to/file;

Use predefined OCSP response for stapling, do not query responder.
Assumes OCSP response in DER format as produced by "openssl ocsp".

ssl_stapling_responder URL;

Use specified OCSP responder instead of one found in AIA certificate
extension.

Example configuration:

    server {
        listen 443 ssl;

        ssl_certificate /path/to/cert.pem;
        ssl_certificate_key /path/to/key.pem;

        ssl_stapling on;
        ssl_trusted_certificate /path/to/ca.pem;

        resolver 8.8.8.8;
    }

Known limitations:

- Unless an externally set OCSP response is used (via the "ssl_stapling_file"
directive), a stapled response won't be sent in the first connection. This
is due to the fact that OCSP responders are currently queried by nginx
once it receives a connection with the certificate_status extension in ClientHello,
and due to limitations in the OpenSSL API (the certificate status callback is
blocking).

- Cached OCSP responses are currently stored in local process memory (thus
each worker process will query OCSP responders independently). This
shouldn't be a problem, as the typical number of worker processes is low, usually
set to match the number of CPUs.

- Various timeouts are hardcoded (connect/read/write timeouts are 60s,
response is considered to be valid for 1h after loading). Adding
configuration directives to control these would be trivial, but it may
be a better idea to actually omit them for simplicity.

- Only "http://" OCSP responders are recognized.

The patch can be found here:

http://nginx.org/patches/ocsp-stapling/

Thanks to Comodo, DigiCert and GlobalSign for sponsoring this work.

Maxim Dounin

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
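An added check, written here as an illustration and not part of the patches above or of nginx itself: the "first connection" limitation means a single `openssl s_client -status` probe can report "no response sent" even though stapling is enabled, so an operator verifying the feature should probe at least twice and then confirm the stapled response is "good" and still inside its thisUpdate/nextUpdate window. The script parses the OCSP section that `openssl s_client -status` prints; the two embedded samples are constructed for this example and mimic that output, and the one-hour cache lifetime mentioned above is the server's concern, not something this client-side check can see.

```python
"""Inspect the OCSP stapling section of `openssl s_client -status` output.

Added example (not from the nginx patches): reports whether a staple was
sent and whether it is a "good", currently valid response.
"""
import re
from datetime import datetime, timezone

# Time format used by the openssl text dumps, e.g. "Oct  4 10:00:00 2013 GMT"
OPENSSL_TIME = "%b %d %H:%M:%S %Y GMT"

# Constructed sample: what s_client prints when no certificate_status
# data is stapled (the first-connection case described in the post).
SAMPLE_NO_STAPLE = """\
CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain
"""

# Constructed sample of a stapled response as s_client dumps it.
SAMPLE_STAPLED = """\
CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Produced At: Oct  4 10:00:00 2013 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
    Cert Status: good
    This Update: Oct  4 10:00:00 2013 GMT
    Next Update: Oct 11 10:00:00 2013 GMT
======================================
---
Certificate chain
"""


def _field(text, label):
    """Return the value of the first '<label>: value' line, or None."""
    m = re.search(r"^\s*" + re.escape(label) + r":\s*(.+?)\s*$", text, re.M)
    return m.group(1) if m else None


def _time(raw):
    """Parse an openssl timestamp into an aware UTC datetime (None if absent)."""
    if raw is None:
        return None
    return datetime.strptime(raw, OPENSSL_TIME).replace(tzinfo=timezone.utc)


def parse_staple(output):
    """Summarise the stapled OCSP response found in s_client output."""
    if re.search(r"^OCSP response: no response sent", output, re.M):
        return {"stapled": False}
    return {
        "stapled": True,
        "status": _field(output, "OCSP Response Status"),
        "cert_status": _field(output, "Cert Status"),
        "this_update": _time(_field(output, "This Update")),
        "next_update": _time(_field(output, "Next Update")),
    }


def staple_is_usable(info, now):
    """True only for a successful, 'good' staple whose window contains `now`."""
    if not info.get("stapled") or info.get("cert_status") != "good":
        return False
    if not (info.get("status") or "").startswith("successful"):
        return False
    this_update, next_update = info["this_update"], info["next_update"]
    if this_update is None or now < this_update:
        return False
    # Without a nextUpdate the responder gave no expiry; treat that as unusable
    # rather than trusting an unbounded response.
    return next_update is not None and now < next_update


if __name__ == "__main__":
    import sys
    info = parse_staple(sys.stdin.read())
    print(info)
    print("usable:", staple_is_usable(info, datetime.now(timezone.utc)))
```

Usage: run `openssl s_client -connect host:443 -status < /dev/null 2>/dev/null | python3 check_staple.py` twice against the server; with these patches the first run may legitimately report `stapled: False` because the responder is only queried after the first ClientHello carrying certificate_status arrives, and the second should show the cached response.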