OCSP stapling and resolver

Maxim Dounin mdounin at mdounin.ru
Tue Sep 26 13:20:40 UTC 2017


Hello!

On Tue, Sep 26, 2017 at 03:48:57AM +0200, Grzegorz Kulewski wrote:

> Is resolver in nginx still needed for OCSP stapling?

Yes.

> I am getting a warning from nginx if resolver is not supplied 
> but at the same time both Qualys and openssl s_client output 
> suggest OCSP stapling is working. Strange.

The warning means that nginx will use IP addresses of the OCSP 
responder obtained during configuration parsing, and it won't be 
able to switch to different IP addresses.  That is, everything 
will work unless OCSP responder will be moved to different IP 
addresses.

-- 
Maxim Dounin
http://nginx.org/


More information about the nginx mailing list