Re: [PATCH 2 of 2] Proxy: add support for OCSP stapling verification from upstream

Alessandro Ghedini
January 25, 2016 10:42AM
> > > > > The "full" in turn doesn't seem to be correct feature, as stapled
> > > > > OCSP response may be legitimately absent for multiple reasons.
> > > >
> > > > If you control the upstream servers then I don't see any reason why you
> > > > couldn't just enable OCSP stapling unconditionally and enforce this on
> > > > the downstream with the "full" option. Maybe I'm missing something?
> > >
> > > Much like any other arbitrary requirement, this one of course can
> > > be enforced as well. The question is how this is different from
> > > other arbitrary requirements we don't provide options for.
> >
> > nginx's proxy module already supports checking CRLs, which are an even bigger
> > pain to deal with, and full OCSP has so many problems that it's not really a
> > viable option in practice (see above). As far as certificate revocation goes
> > that's it, there aren't any more "arbitrary requirements" as far as I know. So
> > it seems to me that upstream OCSP stapling checking would be a fairly nice and
> > useful improvement over the current status and while my patches aren't exactly
> > simple they are not that complicated either.
>
> You are essentially trying to push "must staple" extension into
> nginx configuration. And I'm not a fan of both the "must staple"
> and what you are trying to do.
>
> OCSP stapling was designed as an optimization for OCSP. That is,
> if OCSP stapling is used, it saves an OCSP lookup. But
> introducing "must staple" changes things a lot: now servers are
> required to provide OCSP responses even if they can't do so for
> some reason. You can't start answering requests till you've
> loaded an OCSP response to staple it, and you essentially never know
> if you will be able to start the server or not.
>
> I tend to think that "must staple" introduces much more
> complexity than it solves. And the same applies to the
> configuration directive introduced by your patch.

Would it make a difference if I added full (not just stapling) OCSP support to
NGINX's proxy module using stapling only as an optimization as you say, or are
you against this regardless?

That should address your concerns I think, and the code to support OCSP is
already in place anyway. Of course it would be disabled by default, so the
decision of whether enabling it is worth the trouble would be left to the
users.

Cheers

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel