[PATCH 0 of 4] OCSP stapling

Maxim Dounin mdounin at mdounin.ru
Wed Sep 5 11:14:40 UTC 2012


Hello!

Here are patches for OCSP stapling support.  Testing and 
review appreciated.

New directives:

ssl_trusted_certificate /path/to/file;

  Specifies a file with CA certificates in the PEM format used for
  certificate verification.  In contrast to ssl_client_certificate, DNs
  of these certificates aren't sent to a client in CertificateRequest.

ssl_stapling on|off;

  Activates OCSP stapling.

ssl_stapling_file /path/to/file;

  Use a predefined OCSP response for stapling; do not query the responder.
  Assumes an OCSP response in DER format as produced by "openssl ocsp".

ssl_stapling_responder URL;

  Use the specified OCSP responder instead of the one found in the AIA
  certificate extension.

Example configuration:

  server {
      listen 443 ssl;

      ssl_certificate /path/to/cert.pem;
      ssl_certificate_key /path/to/key.pem;

      ssl_stapling on;
      ssl_trusted_certificate /path/to/ca.pem;

      resolver 8.8.8.8;
  }

Known limitations:

- Unless an externally set OCSP response is used (via the "ssl_stapling_file"
  directive), a stapled response won't be sent in the first connection.  This
  is due to the fact that OCSP responders are currently queried by nginx
  once it receives a connection with the certificate_status extension in
  ClientHello, and due to limitations in the OpenSSL API (the certificate
  status callback is blocking).

- Cached OCSP responses are currently stored in local process memory (thus
  each worker process will query OCSP responders independently).  This
  shouldn't be a problem as the typical number of worker processes is low,
  usually set to match the number of CPUs.

- Various timeouts are hardcoded (connect/read/write timeouts are 60s, and
  a response is considered valid for 1h after loading).  Adding
  configuration directives to control these would be trivial, but it may
  be a better idea to actually omit them for simplicity.

- Only "http://" OCSP responders are recognized.

Patch can be found here:

http://nginx.org/patches/ocsp-stapling/

Thanks to Comodo, DigiCert and GlobalSign for sponsoring this work.

Maxim Dounin
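An added example, not part of the patch set or of nginx: a small pure-Python reader for the DER file that "ssl_stapling_file" consumes (the OCSPResponse structure from RFC 6960, as written by "openssl ocsp -respout"). A predefined response never refreshes itself, so an operator wants to know its responseStatus, certStatus and the thisUpdate/nextUpdate window before and after deploying it; the script reports those and says whether the file is still usable. It does not verify the responder signature (use "openssl ocsp -respin FILE -CAfile ca.pem -issuer ca.pem" for that), and the sample response it builds is constructed with dummy hashes and a zero signature purely so the code runs offline.

```python
"""Inspect a DER-encoded OCSP response (RFC 6960) such as an ssl_stapling_file.
Reports responseStatus, certStatus and the thisUpdate/nextUpdate window and
decides whether the static file is still fresh.  Signature is NOT checked."""
import sys
from datetime import datetime, timedelta, timezone

BASIC_OCSP_OID = bytes.fromhex("2b0601050507300101")   # id-pkix-ocsp-basic
STATUS_NAMES = {0: "successful", 1: "malformedRequest", 2: "internalError",
                3: "tryLater", 5: "sigRequired", 6: "unauthorized"}
CERT_STATUS_TAGS = {0x80: "good", 0xA1: "revoked", 0x82: "unknown"}


def der_read(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV at pos (definite lengths only)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = byte count of length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the contents of a constructed value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out


def parse_time(raw):
    """GeneralizedTime as OCSP responders write it: YYYYMMDDHHMMSSZ."""
    return datetime.strptime(raw.decode(), "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_ocsp_response(der):
    """Summarise an OCSPResponse; only the first SingleResponse is reported."""
    _, outer, _ = der_read(der)                        # OCSPResponse ::= SEQUENCE
    fields = der_children(outer)
    status = fields[0][1][0]                           # responseStatus ENUMERATED
    info = {"responseStatus": STATUS_NAMES.get(status, str(status))}
    if status != 0:
        return info                                    # error responses carry no responseBytes
    response_bytes = der_children(fields[1][1])[0][1]  # [0] EXPLICIT ResponseBytes
    (_, rtype), (_, rdata) = der_children(response_bytes)
    if rtype != BASIC_OCSP_OID:
        raise ValueError("unsupported responseType")
    _, basic, _ = der_read(rdata)                      # BasicOCSPResponse
    tbs = der_children(der_children(basic)[0][1])      # ResponseData fields
    produced_at = next(v for t, v in tbs if t == 0x18)
    responses = next(v for t, v in tbs if t == 0x30)
    single = der_children(der_children(responses)[0][1])
    cert_id, cert_status, this_update = single[0], single[1], single[2]
    next_update = next((v for t, v in single[3:] if t == 0xA0), None)  # optional
    info.update({
        "serial": int.from_bytes(der_children(cert_id[1])[3][1], "big"),
        "certStatus": CERT_STATUS_TAGS[cert_status[0]],
        "producedAt": parse_time(produced_at),
        "thisUpdate": parse_time(this_update[1]),
        "nextUpdate": parse_time(der_children(next_update)[0][1]) if next_update else None,
    })
    return info


def staple_is_fresh(info, now, slack=timedelta(minutes=5)):
    """True only for a successful 'good' answer whose window contains now;
    a static stapling file never refreshes itself, so stale means unusable."""
    if info["responseStatus"] != "successful" or info["certStatus"] != "good":
        return False
    if now + slack < info["thisUpdate"]:                   # not yet valid
        return False
    if info["nextUpdate"] is not None and now + slack > info["nextUpdate"]:
        return False
    return True


def _tlv(tag, body):
    """Minimal DER encoder, used only to build the constructed sample below."""
    if len(body) < 0x80:
        ln = bytes([len(body)])
    elif len(body) < 0x100:
        ln = b"\x81" + bytes([len(body)])
    else:
        ln = b"\x82" + len(body).to_bytes(2, "big")
    return bytes([tag]) + ln + body


def build_sample_response(this_update, next_update, status_tag=0x80):
    """CONSTRUCTED sample: dummy hashes, serial 0x1001, zero signature.
    Same layout as a real BasicOCSPResponse, but it would never verify."""
    def gtime(d):
        return _tlv(0x18, d.strftime("%Y%m%d%H%M%SZ").encode())
    sha1 = _tlv(0x30, _tlv(0x06, bytes.fromhex("2b0e03021a")) + _tlv(0x05, b""))
    cert_id = _tlv(0x30, sha1 + _tlv(0x04, b"\x11" * 20) + _tlv(0x04, b"\x22" * 20)
                   + _tlv(0x02, b"\x10\x01"))
    # good = [0] IMPLICIT NULL; revoked = [1] IMPLICIT RevokedInfo{revocationTime}
    cert_status = _tlv(0xA1, gtime(this_update)) if status_tag == 0xA1 else _tlv(status_tag, b"")
    single = _tlv(0x30, cert_id + cert_status + gtime(this_update) + _tlv(0xA0, gtime(next_update)))
    tbs = _tlv(0x30, _tlv(0xA2, _tlv(0x04, b"\x22" * 20))     # responderID byKey
                 + gtime(this_update) + _tlv(0x30, single))   # producedAt, responses
    sha256_rsa = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))
    basic = _tlv(0x30, tbs + sha256_rsa + _tlv(0x03, b"\x00" * 33))
    rbytes = _tlv(0x30, _tlv(0x06, BASIC_OCSP_OID) + _tlv(0x04, basic))
    return _tlv(0x30, _tlv(0x0A, b"\x00") + _tlv(0xA0, rbytes))


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    if len(sys.argv) > 1:                       # e.g. the file named in ssl_stapling_file
        der = open(sys.argv[1], "rb").read()
    else:
        der = build_sample_response(now - timedelta(hours=1), now + timedelta(days=7))
    summary = parse_ocsp_response(der)
    print(summary, "fresh:", staple_is_fresh(summary, now))
```

Run it with the path of the stapling file as the only argument; without an argument it checks the constructed sample. The 5-minute slack is an assumption to absorb clock skew between the responder and the server, not something the patch defines.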
