[PATCH 2 of 2] Proxy: add support for OCSP stapling verification from upstream

Maxim Dounin mdounin at mdounin.ru
Fri Jan 22 17:49:26 UTC 2016


Hello!

On Fri, Jan 22, 2016 at 05:38:06PM +0000, Alessandro Ghedini wrote:

> # HG changeset patch
> # User Alessandro Ghedini <alessandro at cloudflare.com>
> # Date 1453481233 0
> #      Fri Jan 22 16:47:13 2016 +0000
> # Node ID c6668c14a2d168307bcfade0cc2e01c92c31312a
> # Parent  a8c4f65236ad90138863d5295ca059a3d37da37e
> Proxy: add support for OCSP stapling verification from upstream
> 
> This patch adds the "proxy_ssl_stapling_verify" option that controls OCSP
> stapling verification from an upstream server.
> 
> The option allows three values:
> 
>  - "off" (default): disable OCSP stapling completely.
>  - "on": request OCSP stapling from upstream and verify response if
>          provided.
>  - "full": same as "on", but fail also when no response is received.

The "on" seems to be no different from "off" and hardly makes 
sense, as an attacker can easily avoid returning a stapled OCSP 
response.

The "full" in turn doesn't seem to be a correct feature, as a stapled 
OCSP response may be legitimately absent for multiple reasons.

[...]

-- 
Maxim Dounin
http://nginx.org/
