[PATCH] SSL: ssl_stapling_valid directive

Maxim Dounin mdounin at mdounin.ru
Mon Jan 13 16:12:56 UTC 2014


Hello!

On Mon, Jan 13, 2014 at 07:45:29PM +0400, kyprizel wrote:

> The reason is quite easy - most responders _do_ set validity time equal to
> 7 days and there is no reason to update the response every hour and I want
> to update it more rarely.
> Some do not set nextUpdate at all, and 3600 can be too rare for them.

These reasons suggest that deriving validity times from response 
validity times, as suggested earlier, would be a better way to go.

> 
> 
> 
> On Mon, Jan 13, 2014 at 7:42 PM, Maxim Dounin <mdounin at mdounin.ru> wrote:
> 
> > Hello!
> >
> > On Mon, Jan 13, 2014 at 07:04:11PM +0400, kyprizel wrote:
> >
> > > So, are you going to leave 3600 hardcoded there?
> >
> > Yes, unless you have some better reasons to make it
> > configurable.
> >
> > >
> > >
> > > On Mon, Jan 13, 2014 at 6:51 PM, Maxim Dounin <mdounin at mdounin.ru> wrote:
> > >
> > > > Hello!
> > > >
> > > > On Mon, Jan 13, 2014 at 06:08:53PM +0400, kyprizel wrote:
> > > >
> > > > > "some cases", for example = you have a lot of users with wrong system time,
> > > > > so they can't access the server if OCSP responses are updated too frequently.
> > > >
> > > > This looks like a very-very wrong way to address the problem.
> > > > Instead of resolving the problem it will hide it on some requests
> > > > (but not on others), making the problem harder to detect and debug.
> > > >
> > > > --
> > > > Maxim Dounin
> > > > http://nginx.org/
> > > >
> > > > _______________________________________________
> > > > nginx-devel mailing list
> > > > nginx-devel at nginx.org
> > > > http://mailman.nginx.org/mailman/listinfo/nginx-devel
> > > >
> >
> > --
> > Maxim Dounin
> > http://nginx.org/


-- 
Maxim Dounin
http://nginx.org/
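
One way to derive the stapling refresh time from the response's own validity window, as the reply above suggests. This is an added example, not part of the thread and not nginx's code; the function name, the midpoint policy and the `MIN_REFRESH` floor are assumptions, and the timestamps are constructed.

```c
#include <stdio.h>
#include <time.h>

#define DEFAULT_REFRESH  3600          /* fixed interval discussed in the thread */
#define MIN_REFRESH      300           /* assumed floor between responder queries */
#define NO_NEXT_UPDATE   ((time_t) -1) /* response carried no nextUpdate */

/*
 * Absolute time at which to re-query the responder, derived from the
 * thisUpdate/nextUpdate fields of the response currently being stapled.
 */
time_t
stapling_refresh_at(time_t now, time_t this_update, time_t next_update)
{
    time_t  refresh;

    if (next_update == NO_NEXT_UPDATE) {
        /* nothing to derive from: keep the fixed interval */
        return now + DEFAULT_REFRESH;
    }

    if (next_update <= this_update || next_update <= now) {
        /* malformed or already expired window: retry soon */
        return now + MIN_REFRESH;
    }

    /* assumed policy: refresh halfway through the validity window */
    refresh = this_update + (next_update - this_update) / 2;

    /* already past the midpoint (e.g. after a restart): do not go backwards */
    if (refresh < now + MIN_REFRESH) {
        refresh = now + MIN_REFRESH;
    }

    return refresh;
}

int
main(void)
{
    time_t  now = 1389629576;  /* constructed sample: 2014-01-13 16:12:56 UTC */
    time_t  week = 7 * 24 * 3600;

    printf("7-day response: refresh in %ld s\n",
           (long) (stapling_refresh_at(now, now - 3600, now - 3600 + week) - now));
    printf("no nextUpdate:  refresh in %ld s\n",
           (long) (stapling_refresh_at(now, now - 3600, NO_NEXT_UPDATE) - now));
    return 0;
}
```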


