OCSP stapling priming and logging

Maxim Dounin mdounin at mdounin.ru
Tue Jan 9 14:02:25 UTC 2018


Hello!

On Mon, Jan 08, 2018 at 11:38:56PM +1300, Thomas Valentine wrote:

>    I've spent a bit of time setting up my server with SSL, and checking
>    for OCSP stapling to be working - couldn't work out why it wasn't
>    sending the OCSP reply, but it was because I was querying the server as the
>    first hit before it had primed the response. This isn't mentioned in
>    the online docs as to how it actually works. There is also nothing in
>    the logs saying what is going on - unless using debug mode.
> 
>    Perhaps within ngx_http_ssl_module.c something could be added to log
>    when an OCSP query takes place (without requiring a debug log).

OCSP requests are expected to happen on a regular basis when OCSP 
Stapling is enabled, and logging them all to the error log might 
not be a good idea.  Rather, it logs if there are any errors.

>    I assume at some point in the past the option to prime the server has
>    been considered and not implemented? I know a server script could be
>    written to do this - perhaps within an nginx startup - and get nginx to
>    use the ssl_stapling_file but this seems messy.

OCSP Stapling is an optimization, and nothing breaks if it doesn't 
work.  You don't need to prime anything (unless you are using the 
"Must Staple" certificate extension, which is a completely different 
story and didn't even exist when OCSP Stapling was implemented 
in nginx).

You may also find these tickets interesting:

https://trac.nginx.org/nginx/ticket/1413
https://trac.nginx.org/nginx/ticket/990
https://trac.nginx.org/nginx/ticket/812

-- 
Maxim Dounin
http://mdounin.ru/
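An added example, not part of the thread above or of nginx itself: a small POSIX shell check that accounts for the "first hit is unprimed" behaviour discussed in the thread by connecting more than once with `openssl s_client -status` and classifying its output. It assumes the openssl CLI is installed; the host, port and retry count are the caller's, and the sample output used for the self-check is constructed.

```shell
#!/bin/sh
# Classify the output of `openssl s_client -status`.
# Prints "stapled", "none" or "unknown"; exit status 0 only for "stapled".
classify_staple() {
    out="$1"
    if printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        echo stapled; return 0
    elif printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
        echo none; return 1
    fi
    echo unknown; return 2
}

# Connect up to $3 times (default 3), pausing between attempts: nginx fetches
# the OCSP response in the background after the first handshake that needs it,
# so the very first connection normally sees no staple at all.
check_staple() {
    host="$1"; port="${2:-443}"; attempts="${3:-3}"
    i=1
    while [ "$i" -le "$attempts" ]; do
        out=$(printf 'Q\n' | openssl s_client -connect "$host:$port" \
              -servername "$host" -status 2>/dev/null)
        result=$(classify_staple "$out")
        echo "attempt $i: $result"
        [ "$result" = stapled ] && return 0
        i=$((i + 1))
        sleep 2
    done
    return 1
}

# Constructed sample of the "no staple yet" case, used only for a self-check
# when no host is given on the command line.
SAMPLE_UNPRIMED='CONNECTED(00000003)
OCSP response: no response sent
depth=0 CN = example.test'

if [ -n "$1" ]; then
    check_staple "$@"
else
    echo "self-check: $(classify_staple "$SAMPLE_UNPRIMED")"   # prints "none"
fi
```

Run it as `sh check_staple.sh your.host 443 3`; an "unknown" result usually means the handshake itself failed, which is worth looking at before blaming stapling.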

