"ssl_stapling" without configured "resolver" caches responder IP indefinitely

hablutzel1 nginx-forum at forum.nginx.org
Fri Jan 28 18:17:34 UTC 2022


Hi, while testing the latest NGINX source code around ~1.21.7, I've observed
that enabling "ssl_stapling" without configuring a "resolver" makes NGINX
cache the OCSP responder IP indefinitely, so, if the CA later changes the
OCSP responder IP, NGINX is still going to try to get OCSP queries from the
old IP (possibly inoperative now), irrespective of the DNS record TTL.

Now, I'm aware of
https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
saying:

> For a resolution of the OCSP responder hostname, the resolver directive
> should also be specified.

And effectively, using the "resolver" directive, OCSP DNS records are
refreshed, but it is not obvious at all what is going to happen if a
"resolver" is not configured. Is there any documentation on this?
Additionally, what is the reason for not using the default system DNS resolvers
in the standard way (i.e. respecting DNS TTLs) instead of performing the
resolution only once when no "resolver" is configured?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,293525,293525#msg-293525
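As an added illustration (not part of the original post or of nginx's own documentation), here are the two configurations the question contrasts: the first enables stapling without a "resolver", so the OCSP responder hostname is resolved only once as observed above; the second adds the "resolver" the docs recommend, so the responder address is re-resolved according to the DNS TTL. Server name, certificate paths and the resolver address are placeholders.

```nginx
# Variant 1: stapling enabled, no "resolver".
# Per the observation above, the OCSP responder hostname taken from the
# certificate's AIA extension is resolved once and that IP is then reused
# indefinitely, regardless of the DNS record's TTL.
server {
    listen 443 ssl;
    server_name example.com;                              # placeholder

    ssl_certificate     /etc/ssl/example/fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/ssl/example/privkey.pem;     # placeholder path

    ssl_stapling        on;
    ssl_stapling_verify on;
    # CA chain used to verify the signature on the stapled OCSP response
    ssl_trusted_certificate /etc/ssl/example/chain.pem;   # placeholder path
}

# Variant 2: identical, plus a "resolver" as the ssl_stapling docs recommend.
# With a resolver configured nginx re-resolves the responder name when the
# DNS TTL expires (or every "valid=" interval if that parameter is given),
# so a responder IP change by the CA is picked up.
server {
    listen 443 ssl;
    server_name example.com;                              # placeholder

    ssl_certificate     /etc/ssl/example/fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/ssl/example/privkey.pem;     # placeholder path

    ssl_stapling        on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/example/chain.pem;   # placeholder path

    # 127.0.0.53 is a placeholder for a local caching resolver; a short
    # timeout keeps a slow DNS server from stalling the stapling refresh.
    resolver         127.0.0.53 ipv6=off;
    resolver_timeout 5s;
}
```

Whether a stapled response is actually being served can be checked from a client with `openssl s_client -connect example.com:443 -status` and looking for the "OCSP Response Status" block.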



More information about the nginx mailing list