[PATCH 2 of 2] Proxy: add support for OCSP stapling verification from upstream

Alessandro Ghedini alessandro at cloudflare.com
Fri Jan 22 18:02:14 UTC 2016


On Fri, Jan 22, 2016 at 08:49:26PM +0300, Maxim Dounin wrote:
> Hello!
> 
> On Fri, Jan 22, 2016 at 05:38:06PM +0000, Alessandro Ghedini wrote:
> 
> > # HG changeset patch
> > # User Alessandro Ghedini <alessandro at cloudflare.com>
> > # Date 1453481233 0
> > #      Fri Jan 22 16:47:13 2016 +0000
> > # Node ID c6668c14a2d168307bcfade0cc2e01c92c31312a
> > # Parent  a8c4f65236ad90138863d5295ca059a3d37da37e
> > Proxy: add support for OCSP stapling verification from upstream
> > 
> > This patch adds the "proxy_ssl_stapling_verify" option that controls OCSP
> > stapling verification from an upstream server.
> > 
> > The option allows three values:
> > 
> >  - "off" (default): disable OCSP stapling completely.
> >  - "on": request OCSP stapling from upstream and verify response if
> >          provided.
> >  - "full": same as "on", but fail also when no response is received.
> 
> The "on" seems to be no different from "off" and hardly makes 
> sense, as an attacker can easily avoid returning stapled OCSP 
> response.

Yes, of course. This is what browsers currently do, and is IMO better than
doing nothing. Once Must-Staple (aka "TLS Feature" x509 extension) starts
to be used in the wild this can be updated.

> The "full" in turn doesn't seem to be correct feature, as stapled 
> OCSP response may be legitimately absent for multiple reasons.

If you control the upstream servers then I don't see any reason why you
couldn't just enable OCSP stapling unconditionally and enforce this on
the downstream with the "full" option. Maybe I'm missing something?

Cheers
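
Added example, not part of the thread or of the nginx patch: a Go program
that applies the three proposed modes ("off", "on", "full") to the OCSP
response a TLS server staples. Each handshake runs against a loopback server
with a throwaway self-signed certificate that either staples a constructed
OCSPResponse or staples nothing, which is what an attacker in the path to the
upstream would arrange. The function names (checkStaple, handshake, Demo),
the host upstream.example and the certificate are assumptions made for the
example; only the status of the outer OCSPResponse is checked, not the signed
BasicOCSPResponse inside it, and running every mode against both server
behaviours goes beyond the single configured upstream the thread discusses.

```go
// Added example, not code from the nginx patch or the thread: a client that
// enforces the proposed proxy_ssl_stapling_verify modes on a stapled OCSP
// response, against a loopback server that staples a constructed one or nothing.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Mode mirrors the directive: off ignores stapling, on verifies a response
// only if one is stapled, full additionally fails when nothing is stapled.
type Mode string

const ModeOff, ModeOn, ModeFull Mode = "off", "on", "full"

// ocspResponse is the outer OCSPResponse of RFC 6960 section 4.2.1. Only
// responseStatus is checked; validating the signed BasicOCSPResponse inside
// responseBytes needs a full OCSP implementation and is assumed out of scope.
type ocspResponse struct {
	Status        asn1.Enumerated
	ResponseBytes asn1.RawValue `asn1:"explicit,tag:0,optional"`
}

// constructedStaple is sample data, not a real response: status successful (0)
// with an empty placeholder SEQUENCE as responseBytes.
var constructedStaple = []byte{0x30, 0x07, 0x0a, 0x01, 0x00, 0xa0, 0x02, 0x30, 0x00}

// checkStaple applies mode to the bytes the peer stapled (nil when none).
func checkStaple(mode Mode, staple []byte) error {
	if mode == ModeOff || (mode == ModeOn && len(staple) == 0) {
		return nil // "on" tolerates absence, so an attacker simply omits the staple
	}
	if len(staple) == 0 {
		return fmt.Errorf("no stapled OCSP response")
	}
	var resp ocspResponse
	if rest, err := asn1.Unmarshal(staple, &resp); err != nil || len(rest) != 0 {
		return fmt.Errorf("malformed OCSP response: %v", err)
	}
	if resp.Status != 0 { // 0 = successful
		return fmt.Errorf("OCSP response status %d", resp.Status)
	}
	return nil
}

// newCert makes a throwaway self-signed certificate for upstream.example and a
// root pool trusting it (constructed test material, not a real CA).
func newCert() (tls.Certificate, *x509.CertPool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "upstream.example"},
		DNSNames: []string{"upstream.example"}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, roots
}

// handshake runs one client handshake against a loopback server that staples
// staple (nil = nothing), enforcing mode from VerifyConnection so a policy
// failure aborts the handshake the way an nginx proxy_ssl_verify error does.
func handshake(cert tls.Certificate, roots *x509.CertPool, staple []byte, mode Mode) error {
	cert.OCSPStaple = staple
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return err
	}
	defer ln.Close()
	// Server side: complete one handshake, then hang up.
	go func() { if c, err := ln.Accept(); err == nil { c.(*tls.Conn).Handshake(); c.Close() } }()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		RootCAs: roots, ServerName: "upstream.example",
		VerifyConnection: func(cs tls.ConnectionState) error { return checkStaple(mode, cs.OCSPResponse) },
	})
	if err != nil {
		return err
	}
	return conn.Close()
}

// Demo returns, per mode, whether a stapling server and then a non-stapling
// server were accepted; only "full" tells the two apart.
func Demo() map[Mode][2]bool {
	cert, roots := newCert()
	out := map[Mode][2]bool{}
	for _, m := range []Mode{ModeOff, ModeOn, ModeFull} {
		out[m] = [2]bool{handshake(cert, roots, constructedStaple, m) == nil, handshake(cert, roots, nil, m) == nil}
	}
	return out
}

func main() { fmt.Println(Demo()) }
```

Against the server that staples nothing, "off" and "on" produce the same
outcome (accepted), which is the point made above about "on"; only "full"
rejects the connection. A deployment would additionally have to verify the
BasicOCSPResponse signature against the issuer certificate and check the
response's validity window, which this example leaves out.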
