[PATCH 2 of 2] Proxy: add support for OCSP stapling verification from upstream

Alessandro Ghedini alessandro at cloudflare.com
Tue Feb 2 17:45:43 UTC 2016


Hello,

On Mon, Jan 25, 2016 at 03:41:25pm +0000, Alessandro Ghedini wrote:
> > > > > > The "full" in turn doesn't seem to be correct feature, as stapled 
> > > > > > OCSP response may be legitimately absent for multiple reasons.
> > > > > 
> > > > > If you control the upstream servers then I don't see any reason why you
> > > > > couldn't just enable OCSP stapling unconditionally and enforce this on
> > > > > the downstream with the "full" option. Maybe I'm missing something?
> > > > 
> > > > Much like any other arbitrary requirement, this one of course can 
> > > > be enforced as well.  The question is how this is different from 
> > > > other arbitrary requirements we don't provide options for.
> > > 
> > > nginx's proxy module already supports checking CRLs, which are an even bigger
> > > pain to deal with, and full OCSP has so many problems that it's not really a
> > > viable option in practice (see above). As far as certificate revocation goes
> > > that's it, there aren't any more "arbitrary requirements" as far as I know. So
> > > it seems to me that upstream OCSP stapling checking would be a fairly nice and
> > > useful improvement over the current status and while my patches aren't exactly
> > > simple they are not that complicated either.
> > 
> > You are essentially trying to push "must staple" extension into 
> > nginx configuration.  And I'm not a fan of both the "must staple" 
> > and what you are trying to do.
> > 
> > OCSP stapling was designed as an optimization for OCSP.  That is, 
> > if OCSP stapling is used, it saves an OCSP lookup.  But 
> > introducing "must staple" changes things a lot: now servers are 
> > required to provide OCSP responses even if they can't do so for 
> > some reason.  You can't start answering requests till you've 
> > loaded an OCSP response to staple it, and you essentially never know 
> > if you will be able to start the server or not.
> > 
> > I tend to think that "must staple" introduces much more 
> > complexity than it solves.  And the same applies to the 
> > configuration directive introduced by your patch.
> 
> Would it make a difference if I added full (not just stapling) OCSP support to
> NGINX's proxy module using stapling only as an optimization as you say, or are
> you against this regardless?
> 
> That should address your concerns I think, and the code to support OCSP is
> already in place anyway. Of course it would be disabled by default, so the
> decision of whether enabling it is worth the trouble would be left to the
> users.

Ping?

Cheers
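The disagreement in the thread is between two ways of treating a stapled OCSP response from an upstream: as a pure optimization (use it when present and fresh, otherwise fall back to a live OCSP lookup) or as a requirement in the "must staple" / "full" sense (absence or staleness is itself a verification failure). The following is an added example, written for this page and not code from the patch or from nginx, that models both policies over the same inputs. The `Policy` names, the `FakeResponder` stand-in for an OCSP responder, the serial number and the timestamps are all constructed for illustration; the freshness check follows the thisUpdate/nextUpdate window an OCSP SingleResponse carries.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Callable, Dict, Optional, Tuple


class CertStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"


@dataclass(frozen=True)
class OcspResponse:
    """The fields of an OCSP SingleResponse that matter for the decision."""
    serial: int
    status: CertStatus
    this_update: datetime
    next_update: datetime


class Policy(Enum):
    OPTIMIZATION = "optimization"   # staple preferred; live OCSP lookup as fallback
    MUST_STAPLE = "must_staple"     # staple required; absence is a failure ("full")


def is_usable(resp: Optional[OcspResponse], serial: int, now: datetime,
              skew: timedelta = timedelta(minutes=5)) -> bool:
    """A response is usable only if it is for this certificate and its
    validity window (thisUpdate..nextUpdate) covers 'now', with a small
    allowance for clock skew on thisUpdate."""
    if resp is None or resp.serial != serial:
        return False
    return resp.this_update - skew <= now < resp.next_update


Lookup = Callable[[int], Optional[OcspResponse]]


def verify_upstream(serial: int, stapled: Optional[OcspResponse], policy: Policy,
                    live_lookup: Lookup, now: datetime) -> Tuple[bool, str]:
    """Decide whether the upstream certificate's revocation state is acceptable.
    Returns (accepted, reason)."""
    if is_usable(stapled, serial, now):
        return stapled.status is CertStatus.GOOD, f"stapled response says {stapled.status.value}"
    if policy is Policy.MUST_STAPLE:
        return False, "stapled response missing, stale or for another certificate"
    # Optimization mode: the staple only saved a lookup, so without it do the lookup.
    try:
        live = live_lookup(serial)
    except OSError as exc:  # responder unreachable, timeout, etc.
        return False, f"live OCSP lookup failed: {exc}"
    if not is_usable(live, serial, now):
        return False, "live OCSP lookup returned no usable response"
    return live.status is CertStatus.GOOD, f"live OCSP lookup says {live.status.value}"


class FakeResponder:
    """Constructed stand-in for an OCSP responder; counts calls so the
    scenarios show that a good staple saves the lookup."""
    def __init__(self, table: Dict[int, CertStatus], now: datetime):
        self.table, self.now, self.calls = table, now, 0

    def __call__(self, serial: int) -> Optional[OcspResponse]:
        self.calls += 1
        if serial not in self.table:
            return None
        return OcspResponse(serial, self.table[serial], self.now, self.now + timedelta(days=7))


NOW = datetime(2016, 2, 2, 17, 45, tzinfo=timezone.utc)   # constructed
SERIAL = 0x1234                                           # constructed serial number


def fresh_staple(status: CertStatus = CertStatus.GOOD) -> OcspResponse:
    return OcspResponse(SERIAL, status, NOW - timedelta(hours=1), NOW + timedelta(days=3))


def stale_staple() -> OcspResponse:
    return OcspResponse(SERIAL, CertStatus.GOOD, NOW - timedelta(days=10), NOW - timedelta(days=3))


def demo() -> Dict[str, Tuple[bool, str, int]]:
    """Run the scenarios debated in the thread; returns {name: (accepted, reason, lookups)}."""
    results = {}
    for name, staple, policy in [
        ("fresh_good_staple/optimization", fresh_staple(), Policy.OPTIMIZATION),
        ("fresh_good_staple/must_staple", fresh_staple(), Policy.MUST_STAPLE),
        ("revoked_staple/optimization", fresh_staple(CertStatus.REVOKED), Policy.OPTIMIZATION),
        ("no_staple/optimization", None, Policy.OPTIMIZATION),
        ("no_staple/must_staple", None, Policy.MUST_STAPLE),
        ("stale_staple/optimization", stale_staple(), Policy.OPTIMIZATION),
        ("stale_staple/must_staple", stale_staple(), Policy.MUST_STAPLE),
    ]:
        responder = FakeResponder({SERIAL: CertStatus.GOOD}, NOW)
        ok, why = verify_upstream(SERIAL, staple, policy, responder, NOW)
        results[name] = (ok, why, responder.calls)
    return results


if __name__ == "__main__":
    for name, (ok, why, calls) in demo().items():
        print(f"{name:36} accepted={ok!s:5} lookups={calls}  {why}")
```

The fallback branch hard-fails when the live lookup errors or returns nothing usable; a deployment that prefers availability would soft-fail there instead, which is exactly the trade-off the thread's "full OCSP has so many problems" remark points at. A stale staple is treated the same as a missing one, so under the strict policy an upstream that restarted with an expired cached response is rejected, which is the operational risk the reply about not knowing "if you will be able to start the server" describes.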
