[PATCH 0 of 2] Support for OCSP stapling verification from upstream

Alessandro Ghedini alessandro at cloudflare.com
Fri Jan 22 17:37:47 UTC 2016


Hello,

this patchset adds support for requesting and verifying OCSP stapled
responses from an HTTP upstream.

In order to avoid code duplication, the first patch refactors the existing
OCSP verification code so that it can be reused for this new functionality.

The diff is a bit messy, so please advise if there's a better way to
accomplish the same and make reviewing the patch easier.

The second patch actually adds the OCSP stapling verification via a new
option "proxy_ssl_stapling_verify".

Note that older OpenSSL versions (pre-1.0.2) had a bug [0] that caused
OCSP verification to fail for valid responses. I developed a work-around
so I could properly test my code, but it's a bit ugly so it's probably
best to not merge it. I can share it if anyone is interested though.

Cheers

[0] https://rt.openssl.org/Ticket/Display.html?id=3668&user=guest&pass=guest



More information about the nginx-devel mailing list