[PATCH 2 of 2] Proxy: add support for OCSP stapling verification from upstream
alessandro at cloudflare.com
Fri Jan 22 18:02:14 UTC 2016
On Fri, Jan 22, 2016 at 08:49:26pm +0300, Maxim Dounin wrote:
> On Fri, Jan 22, 2016 at 05:38:06PM +0000, Alessandro Ghedini wrote:
> > # HG changeset patch
> > # User Alessandro Ghedini <alessandro at cloudflare.com>
> > # Date 1453481233 0
> > # Fri Jan 22 16:47:13 2016 +0000
> > # Node ID c6668c14a2d168307bcfade0cc2e01c92c31312a
> > # Parent a8c4f65236ad90138863d5295ca059a3d37da37e
> > Proxy: add support for OCSP stapling verification from upstream
> > This patch adds the "proxy_ssl_stapling_verify" option that controls OCSP
> > stapling verification from an upstream server.
> > The option allows three values:
> > - "off" (default): disable OCSP stapling completely.
> > - "on": request OCSP stapling from upstream and verify response if
> > provided.
> > - "full": same as "on", but fail also when no response is received.
> The "on" seems to be no different from "off" and hardly makes
> sense, as an attacker can easily avoid returning stapled OCSP
Yes, of course. This is what browsers currently do, and is IMO better than
doing nothing. Once Must-Staple (aka "TLS Feature" x509 extension) starts
to be used in the wild this can be updated.
> The "full" in turn doesn't seem to be correct feature, as stapled
> OCSP response may be legitimately absent for multiple reasons.
If you control the upstream servers then I don't see any reason why you
couldn't just enable OCSP stapling unconditionally and enforce this on
the downstream with the "full" option. Maybe I'm missing something?