Does anyone plan to develop the feature of openssl' OCSP stapling?

Rob Stradling rob.stradling at
Thu Jun 21 14:04:26 UTC 2012

On 12/03/12 10:12, Rob Stradling wrote:
> "As to OCSP, I'm going to implement it in the next 2.0 version."
> Igor, is this still your plan?
> If so, do you have a (very rough) ETA for nginx v2.0?
> (I don't see v2.0 mentioned here:
> Or are there any other regular nginx developers who could work on OCSP
> Stapling?
> Or is it worth me having a go at writing a patch?

Just to update this thread...

"GlobalSign, DigiCert and Comodo Collaborate with NGINX to Improve 
Online Trust through Enhanced Certificate Revocation Checking, sign a 
Sponsorship Agreement"

> Thanks!
> On 16/06/11 16:02, Igor Sysoev wrote:
>> On Thu, Jun 16, 2011 at 02:30:55PM +0100, Rob Stradling wrote:
>>> On November 25, 2010 04:42AM Weibin Yao wrote:
>>>> Hi everyone,
>>>> I think the the feature of OCSP stapling[1] is very useful for the
>>>> browser blocked by the OCSP request. And the feature has supported
>>>> since
>>>> openssl 0.9.8g. Apache's mod_ssl has also added this patch in the
>>>> development branch[2].
>>>> Does anyone have the plan to develop this feature?
>>> Hi. The CAs and Browsers represented in the CA/Browser Forum
>>> ( are growing increasingly interested in
>>> encouraging wider adoption of OCSP Stapling.
>>> Since nobody else has replied to this thread, I presume that OCSP
>>> Stapling is
>>> not currently a priority for the core nginx developers. So, I've started
>>> having a go at writing a patch. I'm basing it heavily on Dr Steve
>>> Henson's
>>> OCSP Stapling code that was first included in Apache httpd 2.3.3 [3].
>>> I'd like
>>> to ask a few questions before I proceed any further:
>>> 1. If I am able to complete my patch, are you likely to review/commit
>>> it?
>>> Or is OCSP Stapling the sort of feature that you'd prefer to only let
>>> a core
>>> nginx developer work on?
>>> 2. I was under the impression that nginx started life as a fork of
>>> Apache
>>> httpd, but I don't see any messages along the lines of "This product
>>> includes
>>> software developed by the Apache Group..." in the source code. Is
>>> nginx 100%
>>> *not* a derivative work of Apache httpd?
>>> 3. Steve Henson's code is presumably licensed under ASL 2.0 [4], which
>>> presumably means that my patch would be classed as a "Derivative
>>> Work" subject
>>> to various conditions (see the "4. Redistribution" section in ASL
>>> 2.0). Would
>>> this prevent you from accepting it?
>>> (Since ASL 2.0 says "nothing herein shall supersede or modify the
>>> terms of any
>>> separate license agreement you may have executed with Licensor
>>> regarding such
>>> Contributions", perhaps I should ask Steve Henson if he would be
>>> willing to
>>> contribute the same code to nginx under a different licence).
>> nginx is not Apache fork. I know well enough Apache 1.3 and I've got some
>> ideas from Apache such as memory pools, configuration methods, processing
>> phases, etc., but there is no line of Apache code. As to OCSP, I'm going
>> to implement it in the next 2.0 version.

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909

COMODO CA Limited, Registered in England No. 04058690
Registered Office:
   3rd Floor, 26 Office Village, Exchange Quay,
   Trafford Road, Salford, Manchester M5 3EQ

This e-mail and any files transmitted with it are confidential and 
intended solely for the use of the individual or entity to whom they are 
addressed.  If you have received this email in error please notify the 
sender by replying to the e-mail containing this attachment. Replies to 
this email may be monitored by COMODO for operational or business 
reasons. Whilst every endeavour is taken to ensure that e-mails are free 
from viruses, no liability can be accepted and the recipient is 
requested to use their own virus checking software.

More information about the nginx-devel mailing list