Re: [PATCH 2 of 2] Proxy: add support for OCSP stapling verification from upstream

Alessandro Ghedini
January 22, 2016 01:04PM
On Fri, Jan 22, 2016 at 08:49:26pm +0300, Maxim Dounin wrote:
> Hello!
>
> On Fri, Jan 22, 2016 at 05:38:06PM +0000, Alessandro Ghedini wrote:
>
> > # HG changeset patch
> > # User Alessandro Ghedini <alessandro@cloudflare.com>
> > # Date 1453481233 0
> > # Fri Jan 22 16:47:13 2016 +0000
> > # Node ID c6668c14a2d168307bcfade0cc2e01c92c31312a
> > # Parent a8c4f65236ad90138863d5295ca059a3d37da37e
> > Proxy: add support for OCSP stapling verification from upstream
> >
> > This patch adds the "proxy_ssl_stapling_verify" option that controls OCSP
> > stapling verification from an upstream server.
> >
> > The option allows three values:
> >
> > - "off" (default): disable OCSP stapling completely.
> > - "on": request OCSP stapling from upstream and verify response if
> > provided.
> > - "full": same as "on", but fail also when no response is received.
>
> The "on" seems to be no different from "off" and hardly make
> sense, as an attacker can easily avoid returning stapled OCSP
> response.

Yes, of course. This is what browsers currently do, and is IMO better than
doing nothing. Once Must-Staple (aka "TLS Feature" x509 extension) starts
to be used in the wild this can be updated.

> The "full" in turn doesn't seem to be correct feature, as stapled
> OCSP response may be legitimately absent for multiple reasons.

If you control the upstream servers then I don't see any reason why you
couldn't just enable OCSP stapling unconditionally and enforce this on
the downstream with the "full" option. Maybe I'm missing something?

Cheers

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
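The three modes of the proposed option, plus the Must-Staple-aware behaviour the reply says could be added once the TLS Feature extension is deployed, written out as a small policy check. This is an added example in Go, not code from the patch, from nginx or from the thread participants: nginx would make these decisions through OpenSSL's OCSP and X.509 APIs instead. The "must-staple" mode name, the VerifyStapling/HasMustStaple/checkStapled functions and the fixtures (a leaf carrying the TLS Feature extension, a successful OCSPResponse with an opaque body, a bare tryLater status) are all this example's own assumptions and constructed data; checkStapled only validates the outer OCSPResponse wrapper and does not verify the responder signature, certID or validity window.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
)

// Mode mirrors the proposed proxy_ssl_stapling_verify values. "must-staple" is
// this example's own addition (an assumption): the Must-Staple-aware variant.
type Mode string

const (
	ModeOff              Mode = "off"
	ModeOn               Mode = "on"
	ModeFull             Mode = "full"
	ModeMustStaple       Mode = "must-staple"
	statusRequestFeature      = 5 // status_request extension number (RFC 6066)
)

var oidTLSFeature = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 24} // id-pe-tlsfeature (RFC 7633)

// ocspResponse is the outer OCSPResponse of RFC 6960; responseBytes stays opaque here.
type ocspResponse struct {
	Status        asn1.Enumerated
	ResponseBytes asn1.RawValue `asn1:"explicit,tag:0,optional"`
}

// HasMustStaple reports whether the leaf's TLS Feature extension lists
// status_request, i.e. whether the certificate asserts Must-Staple.
func HasMustStaple(cert *x509.Certificate) bool {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidTLSFeature) {
			continue
		}
		var features []int // TLSFeature ::= SEQUENCE OF INTEGER
		if _, err := asn1.Unmarshal(ext.Value, &features); err != nil {
			return false
		}
		for _, f := range features {
			if f == statusRequestFeature {
				return true
			}
		}
	}
	return false
}

// checkStapled is only the outer sanity check (well-formed, responseStatus successful,
// body present); responder signature, certID and validity window are out of scope here.
func checkStapled(stapled []byte) error {
	var r ocspResponse
	if _, err := asn1.Unmarshal(stapled, &r); err != nil {
		return fmt.Errorf("malformed OCSPResponse: %w", err)
	}
	if r.Status != 0 {
		return fmt.Errorf("OCSP responseStatus %d is not successful", r.Status)
	}
	if len(r.ResponseBytes.Bytes) == 0 {
		return errors.New("successful OCSPResponse carries no responseBytes")
	}
	return nil
}

// VerifyStapling applies the mode to what the upstream stapled (nil if nothing).
func VerifyStapling(mode Mode, leaf *x509.Certificate, stapled []byte) error {
	switch {
	case mode == ModeOff: // status_request is not even requested
		return nil
	case mode != ModeOn && mode != ModeFull && mode != ModeMustStaple:
		return fmt.Errorf("unknown mode %q", mode)
	case len(stapled) > 0: // whatever was stapled is checked in every verifying mode
		return checkStapled(stapled)
	case mode == ModeFull: // absence is always a failure
		return errors.New("upstream stapled no OCSP response")
	case mode == ModeMustStaple && HasMustStaple(leaf): // absence fails only when the leaf demands a staple
		return errors.New("leaf asserts Must-Staple but nothing was stapled")
	}
	return nil // "on" (what browsers do today), or "must-staple" with an undemanding leaf
}

// Constructed fixtures, not captured from a real upstream or OCSP responder.
func mustStapleLeaf() *x509.Certificate {
	feat, _ := asn1.Marshal([]int{statusRequestFeature}) // 30 03 02 01 05
	return &x509.Certificate{Extensions: []pkix.Extension{{Id: oidTLSFeature, Value: feat}}}
}
func tryLaterResponse() []byte { return []byte{0x30, 0x03, 0x0a, 0x01, 0x03} } // tryLater(3), no body
func successfulResponse() []byte { // successful(0), ResponseBytes{id-pkix-ocsp-basic, OCTET STRING "x"}
	return []byte{0x30, 0x15, 0x0a, 0x01, 0x00, 0xa0, 0x10, 0x30, 0x0e, 0x06, 0x09,
		0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x01, 0x04, 0x01, 0x78}
}

func main() {
	for _, m := range []Mode{ModeOff, ModeOn, ModeFull, ModeMustStaple} {
		fmt.Println(m, "with nothing stapled:", VerifyStapling(m, mustStapleLeaf(), nil))
	}
}
```

Running it shows the shape of the disagreement in the thread: with nothing stapled, "on" returns no error at all, so its check only ever runs when the upstream chooses to send a staple, "full" fails for every leaf, and the Must-Staple-aware mode fails only for a leaf whose TLS Feature extension asks for status_request, leaving certificates without the extension with the "on" behaviour.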