Does anyone plan to develop the feature of openssl's OCSP stapling?

Arnaud GRANAL serphen at gmail.com
Thu Jun 16 20:15:38 MSD 2011


On Thu, Jun 16, 2011 at 6:41 PM, Rob Stradling <rob.stradling at comodo.com> wrote:
> On Thursday 16 Jun 2011 16:02:12 Igor Sysoev wrote:
>> On Thu, Jun 16, 2011 at 02:30:55PM +0100, Rob Stradling wrote:
> <snip>
>> nginx is not an Apache fork. I know well enough Apache 1.3 and I've got some
>> ideas from Apache such as memory pools, configuration methods, processing
>> phases, etc., but there is no line of Apache code.
>
> Hi Igor.  Thanks for clarifying.
>
>> As to OCSP, I'm going to implement it in the next 2.0 version.
>
> I'm glad to hear that OCSP Stapling is on your radar.
>
> I note that it took 9 years for nginx to reach v1.0.0.  Dare I ask if you have
> an approximate ETA for v2.0.0?
>
> If v2.0.0 is likely to be >1 year away, is there anything I can do to help get
> support for OCSP Stapling added to the v1.0.x branch much sooner?
>

As a user, I would prefer it disabled and available as an optional
module and not part of core.
As of Apache 2.3, OCSP Stapling is disabled by default too.

I don't really get why one would use a high-performance web server to
handle queries that only save money for certification authorities.
So we pay like $100/200 for the SSL certificate, and then we pay again
in server and bandwidth fees to answer OCSP?

Clients have time to wait for the OCSP answer from the CA and, on the
other side, the nginx server is already very busy, so it is probably not
a good idea to load it with bonus features.

A.



More information about the nginx-devel mailing list