Does anyone plan to develop the feature of openssl' OCSP stapling?

Rob Stradling rob.stradling at comodo.com
Mon Mar 12 10:12:02 UTC 2012 

"As to OCSP, I'm going to implement it in the next 2.0 version."

Igor, is this still your plan?
If so, do you have a (very rough) ETA for nginx v2.0?
(I don't see v2.0 mentioned here: http://trac.nginx.org/nginx/roadmap)

Or are there any other regular nginx developers who could work on OCSP 
Stapling?

Or is it worth me having a go at writing a patch?

Thanks!

On 16/06/11 16:02, Igor Sysoev wrote:
> On Thu, Jun 16, 2011 at 02:30:55PM +0100, Rob Stradling wrote:
>> On November 25, 2010 04:42AM Weibin Yao wrote:
>>> Hi everyone,
>>>
>>> I think the the feature of OCSP stapling[1] is very useful for the
>>> browser blocked by the OCSP request. And the feature has supported since
>>> openssl 0.9.8g. Apache's mod_ssl has also added this patch in the
>>> development branch[2].
>>>
>>> Does anyone have the plan to develop this feature?
>>
>> Hi.  The CAs and Browsers represented in the CA/Browser Forum
>> (http://cabforum.org/forum.html) are growing increasingly interested in
>> encouraging wider adoption of OCSP Stapling.
>>
>> Since nobody else has replied to this thread, I presume that OCSP Stapling is
>> not currently a priority for the core nginx developers.  So, I've started
>> having a go at writing a patch.  I'm basing it heavily on Dr Steve Henson's
>> OCSP Stapling code that was first included in Apache httpd 2.3.3 [3].  I'd like
>> to ask a few questions before I proceed any further:
>>
>>    1. If I am able to complete my patch, are you likely to review/commit it?
>> Or is OCSP Stapling the sort of feature that you'd prefer to only let a core
>> nginx developer work on?
>>
>>    2. I was under the impression that nginx started life as a fork of Apache
>> httpd, but I don't see any messages along the lines of "This product includes
>> software developed by the Apache Group..." in the source code.  Is nginx 100%
>> *not* a derivative work of Apache httpd?
>>
>>    3. Steve Henson's code is presumably licensed under ASL 2.0 [4], which
>> presumably means that my patch would be classed as a "Derivative Work" subject
>> to various conditions (see the "4. Redistribution" section in ASL 2.0).  Would
>> this prevent you from accepting it?
>>
>> (Since ASL 2.0 says "nothing herein shall supersede or modify the terms of any
>> separate license agreement you may have executed with Licensor regarding such
>> Contributions", perhaps I should ask Steve Henson if he would be willing to
>> contribute the same code to nginx under a different licence).
>
> nginx is not Apache fork. I know well enough Apache 1.3 and I've got some
> ideas from Apache such as memory pools, configuration methods, processing
> phases, etc., but there is no line of Apache code. As to OCSP, I'm going
> to implement it in the next 2.0 version.
>
>

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
www.comodo.com

COMODO CA Limited, Registered in England No. 04058690
Registered Office:
   3rd Floor, 26 Office Village, Exchange Quay,
   Trafford Road, Salford, Manchester M5 3EQ

This e-mail and any files transmitted with it are confidential and 
intended solely for the use of the individual or entity to whom they are 
addressed.  If you have received this email in error please notify the 
sender by replying to the e-mail containing this attachment. Replies to 
this email may be monitored by COMODO for operational or business 
reasons. Whilst every endeavour is taken to ensure that e-mails are free 
from viruses, no liability can be accepted and the recipient is 
requested to use their own virus checking software.

More information about the nginx-devel mailing list