OCSP stapling for client certificates

Maxim Dounin mdounin at mdounin.ru
Sun Jul 5 23:43:26 UTC 2015


Hello!

On Sun, Jun 28, 2015 at 12:20:06PM -0400, prozit wrote:

> Actually, I had the same questions.
> Is this something that's available by now, or is it in the pipeline of any
> new release of Nginx or will it never be?
> 
> I'm just asking since I believe this might be a good feature to add since
> CRLs could get very big when lots of certificates have been revoked, and
> since it is not a realtime updating mechanism.
> 
> By using an OCSP, there is a little overhead of contacting the OCSP for
> checking each client certificate that is being validated...
> I believe this to be much more efficient than regularly
> downloading/uploading a CRL and reloading Nginx. This process can fail in
> multiple locations, which makes it harder to track, and a big disadvantage of
> the CRLs is that they are not realtime updated, which is the case for
> OCSPs.
> This way revoking a certificate will cause it to immediately retract the
> access to client certificate secured applications (for all new sessions).
> 
> Is it already supported in some version of Nginx or is it planned somewhere
> in the future?

As of now, there are no plans to support OCSP-based validation of 
client certificates.

-- 
Maxim Dounin
http://nginx.org/
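For reference, the CRL-based client certificate verification that nginx does support at the time of this thread, as an added example that is not part of the exchange above (file paths and the server name are placeholders, not values from the thread):

```nginx
# Added example: client certificate verification against a CRL in nginx.
# nginx reads the CRL file once at configuration load, so after replacing
# /etc/nginx/client-ca.crl a reload is required for the new revocations to
# take effect; this is the "download CRL and reload" cycle discussed above.
server {
    listen 443 ssl;
    server_name example.invalid;   # placeholder

    ssl_certificate     /etc/nginx/server.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/server.key;   # placeholder path

    # CA(s) that client certificates must chain to.
    ssl_client_certificate /etc/nginx/client-ca.pem;   # placeholder path

    # PEM-encoded CRL issued by that CA; revoked client certificates are rejected.
    ssl_crl /etc/nginx/client-ca.crl;   # placeholder path

    # Require a valid client certificate for every TLS session.
    ssl_verify_client on;
    ssl_verify_depth 2;

    location / {
        # $ssl_client_verify is SUCCESS only when the chain and CRL checks passed.
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        proxy_pass http://127.0.0.1:8080;   # placeholder upstream
    }
}
```

With `ssl_verify_client on;` the handshake itself already fails for a revoked or untrusted certificate; the `$ssl_client_verify` check is the belt-and-braces form used with `optional` mode.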


