[PATCH 2 of 2] Proxy: add support for OCSP stapling verification from upstream
Alessandro Ghedini
alessandro at cloudflare.com
Tue Feb 2 17:45:43 UTC 2016
Hello,
On Mon, Jan 25, 2016 at 03:41:25pm +0000, Alessandro Ghedini wrote:
> > > > > > The "full" in turn doesn't seem to be correct feature, as stapled
> > > > > > OCSP response may be legitimately absent for multiple reasons.
> > > > >
> > > > > If you control the upstream servers then I don't see any reason why you
> > > > > couldn't just enable OCSP stapling unconditionally and enforce this on
> > > > > the downstream with the "full" option. Maybe I'm missing something?
> > > >
> > > > Much like any other arbitrary requirement, this one of course can
> > > > be enforced as well. The question is how this is different from
> > > > other arbitrary requirements we don't provide options for.
> > >
> > > nginx's proxy module already supports checking CRLs, which are an even bigger
> > > pain to deal with, and full OCSP has so many problems that it's not really a
> > > viable option in practice (see above). As far as certificate revocation goes
> > > that's it, there aren't any more "arbitrary requirements" as far as I know. So
> > > it seems to me that upstream OCSP stapling checking would be a fairly nice and
> > > useful improvement over the current status and while my patches aren't exactly
> > > simple they are not that complicated either.
> >
> > You are essentially trying to push "must staple" extension into
> > nginx configuration. And I'm not a fan of both the "must staple"
> > and what you are trying to do.
> >
> > OCSP stapling was designed as an optimization for OCSP. That is,
> > if OCSP stapling is used, it saves an OCSP lookup. But
> > introducing "must staple" changes things a lot: now servers are
> > required to provide OCSP responses even if they can't do so for
> > some reason. You can't start answering requests till you've
> > loaded an OCSP response to staple it, and you essentially never know
> > if you will be able to start the server or not.
> >
> > I tend to think that "must staple" introduces much more
> > complexity than it solves. And the same applies to the
> > configuration directive introduced by your patch.
>
> Would it make a difference if I added full (not just stapling) OCSP support to
> NGINX's proxy module using stapling only as an optimization as you say, or are
> you against this regardless?
>
> That should address your concerns I think, and the code to support OCSP is
> already in place anyway. Of course it would be disabled by default, so the
> decision of whether enabling it is worth the trouble would be left to the
> users.
Ping?
Cheers
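For readers following the thread: the configuration below is an added example, not part of the patch or of either author's message. It shows the revocation checking that the proxy module already supports at the time of this thread (CRL checking via proxy_ssl_crl, as mentioned above) on the downstream nginx, and the upstream nginx enabling OCSP stapling unconditionally so that a stapled response is always available to a verifying client. The directive the patch introduces is not shown because its name and syntax are not given in this excerpt; hostnames, file paths and the resolver address are placeholders.

```nginx
# Downstream nginx (the proxy). All directives here exist in nginx 1.7.0 or
# later; none of them come from the patch under discussion.
http {
    upstream backend {
        server backend.example.internal:443;
    }

    server {
        listen 443 ssl;
        server_name front.example.com;
        ssl_certificate     /etc/nginx/front.crt;
        ssl_certificate_key /etc/nginx/front.key;

        location / {
            proxy_pass https://backend;

            # Verify the upstream certificate chain against a private CA
            # instead of relying on the default (no verification).
            proxy_ssl_verify              on;
            proxy_ssl_verify_depth        2;
            proxy_ssl_trusted_certificate /etc/nginx/upstream-ca.pem;

            # Revocation checking as it exists today: a CRL file that must be
            # refreshed out of band (e.g. by cron) and reloaded with nginx -s reload.
            proxy_ssl_crl                 /etc/nginx/upstream.crl;

            # Send SNI and check the name in the upstream certificate; without
            # proxy_ssl_name the name defaults to the proxy_pass host.
            proxy_ssl_server_name         on;
            proxy_ssl_name                backend.example.internal;
        }
    }
}
```

```nginx
# Upstream nginx (the origin). Stapling is enabled unconditionally, which is
# the "control the upstream servers" case argued above. nginx fetches the
# OCSP response itself, so a resolver and the issuer chain are required;
# until the first fetch succeeds, nginx serves connections without a staple,
# which is exactly why a strict "must be stapled" check on the downstream
# can fail for legitimate reasons.
server {
    listen 443 ssl;
    server_name backend.example.internal;
    ssl_certificate     /etc/nginx/backend-fullchain.pem;   # leaf + intermediates
    ssl_certificate_key /etc/nginx/backend.key;

    ssl_stapling             on;
    ssl_stapling_verify      on;                                 # check the OCSP signer
    ssl_trusted_certificate  /etc/nginx/upstream-ca.pem;         # issuer chain for that check
    resolver                 10.0.0.53 valid=300s;               # placeholder DNS resolver
}
```

To confirm what the upstream actually sends, a practitioner would run `openssl s_client -connect backend.example.internal:443 -status < /dev/null` and look for an "OCSP Response" block in the output; when nginx has not yet obtained a response, s_client reports that no response was sent, which is the absent-staple case the thread argues a downstream check must tolerate unless the operator deliberately opts into strict enforcement.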