Hello!

On Fri, Jan 22, 2016 at 05:38:06PM +0000, Alessandro Ghedini wrote:

> # HG changeset patch
> # User Alessandro Ghedini <alessandro@cloudflare.com>
> # Date 1453481233 0
> # Fri Jan 22 16:47:13 2016 +0000
> # Node ID c6668c14a2d168307bcfade0cc2e01c92c31312a
> # Parent a8c4f65236ad90138863d5295ca059a3d37da37e
> Proxy: add support for OCSP stapling verification from upstream
>
> This patch adds the "proxy_ssl_stapling_verify" option that controls OCSP
> stapling verification from an upstream server.
>
> The option allows three values:
>
> - "off" (default): disable OCSP stapling completely.
> - "on": request OCSP stapling from upstream and verify response if
> provided.
> - "full": same as "on", but fail also when no response is received.

The "on" seems to be no different from "off" and hardly make
sense, as an attacker can easily avoid returning stapled OCSP
response.

The "full" in turn doesn't seem to be correct feature, as stapled
OCSP response may be legitimately absent for multiple reasons.

[...]

--
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel