Does anyone plan to develop the feature of openssl' OCSP stapling?

Rob Stradling rob.stradling at comodo.com
Thu Jun 16 17:30:55 MSD 2011


On November 25, 2010 04:42AM Weibin Yao wrote:
> Hi everyone,
>
> I think the the feature of OCSP stapling[1] is very useful for the
> browser blocked by the OCSP request. And the feature has supported since
> openssl 0.9.8g. Apache's mod_ssl has also added this patch in the
> development branch[2].
>
> Does anyone have the plan to develop this feature?

Hi.  The CAs and Browsers represented in the CA/Browser Forum 
(http://cabforum.org/forum.html) are growing increasingly interested in 
encouraging wider adoption of OCSP Stapling.

Since nobody else has replied to this thread, I presume that OCSP Stapling is 
not currently a priority for the core nginx developers.  So, I've started 
having a go at writing a patch.  I'm basing it heavily on Dr Steve Henson's 
OCSP Stapling code that was first included in Apache httpd 2.3.3 [3].  I'd like 
to ask a few questions before I proceed any further:

  1. If I am able to complete my patch, are you likely to review/commit it?  
Or is OCSP Stapling the sort of feature that you'd prefer to only let a core 
nginx developer work on?

  2. I was under the impression that nginx started life as a fork of Apache 
httpd, but I don't see any messages along the lines of "This product includes 
software developed by the Apache Group..." in the source code.  Is nginx 100% 
*not* a derivative work of Apache httpd?

  3. Steve Henson's code is presumably licensed under ASL 2.0 [4], which 
presumably means that my patch would be classed as a "Derivative Work" subject 
to various conditions (see the "4. Redistribution" section in ASL 2.0).  Would 
this prevent you from accepting it?

(Since ASL 2.0 says "nothing herein shall supersede or modify the terms of any 
separate license agreement you may have executed with Licensor regarding such 
Contributions", perhaps I should ask Steve Henson if he would be willing to 
contribute the same code to nginx under a different licence).

Thanks for your help.

[3]. http://svn.apache.org/viewvc?view=revision&revision=829619
[4]. http://www.apache.org/licenses/LICENSE-2.0

> Thanks.
>
> [1]. http://en.wikipedia.org/wiki/OCSP_Stapling
> [2]. https://issues.apache.org/bugzilla/show_bug.cgi?id=43822
> 
> --
> Weibin Yao

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online



More information about the nginx-devel mailing list