[PATCH] OCSP stapling: better handling of successful OCSP responses.

Maxim Dounin mdounin at mdounin.ru
Fri May 17 13:20:26 UTC 2013


Hello!

On Thu, May 16, 2013 at 04:10:33PM -0700, Piotr Sikora wrote:

> Erm, "hg export" patch attached, sorry about that.
> 
> Best regards,
> Piotr Sikora
> 
> 
> # HG changeset patch
> # User Piotr Sikora <piotr at cloudflare.com>
> # Date 1368743844 25200
> # Node ID 4fb8fac2b2f58f8946c120a3da9743c4af8dd6ba
> # Parent  cfab1e7e4ac2f0d17199ee1d49ac4647b63746d3
> OCSP stapling: better handling of successful OCSP responses.
> 
> All successful OCSP responses, regardless of the certificate status,
> should be cached and used for OCSP stapling.

Presenting a certificate and a non-good certificate status to a 
user looks like "bees against honey" for me.  I would rather not.

-- 
Maxim Dounin
http://nginx.org/en/donation.html


