[PATCH 2 of 2] Proxy: add support for OCSP stapling verification from upstream

Alessandro Ghedini alessandro at cloudflare.com
Mon Jan 25 15:41:25 UTC 2016


> > > > > The "full" in turn doesn't seem to be a correct feature, as a stapled 
> > > > > OCSP response may be legitimately absent for multiple reasons.
> > > > 
> > > > If you control the upstream servers then I don't see any reason why you
> > > > couldn't just enable OCSP stapling unconditionally and enforce this on
> > > > the downstream with the "full" option. Maybe I'm missing something?
> > > 
> > > Much like any other arbitrary requirement, this one of course can 
> > > be enforced as well.  The question is how this is different from 
> > > other arbitrary requirements we don't provide options for.
> > 
> > nginx's proxy module already supports checking CRLs, which are an even bigger
> > pain to deal with, and full OCSP has so many problems that it's not really a
> > viable option in practice (see above). As far as certificate revocation goes
> > that's it, there aren't any more "arbitrary requirements" as far as I know. So
> > it seems to me that upstream OCSP stapling checking would be a fairly nice and
> > useful improvement over the current status, and while my patches aren't exactly
> > simple they are not that complicated either.
> 
> You are essentially trying to push the "must staple" extension into 
> nginx configuration.  And I'm not a fan of both the "must staple" 
> and what you are trying to do.
> 
> OCSP stapling was designed as an optimization for OCSP.  That is, 
> if OCSP stapling is used, it saves an OCSP lookup.  But 
> introducing "must staple" changes things a lot: now servers are 
> required to provide OCSP responses even if they can't do so for 
> some reason.  You can't start answering requests till you've 
> loaded an OCSP response to staple it, and you essentially never know 
> if you will be able to start the server or not.
> 
> I tend to think that "must staple" introduces much more 
> complexity than it solves.  And the same applies to the 
> configuration directive introduced by your patch.

Would it make a difference if I added full (not just stapling) OCSP support to
NGINX's proxy module, using stapling only as an optimization as you say, or are
you against this regardless?

That should address your concerns I think, and the code to support OCSP is
already in place anyway. Of course it would be disabled by default, so the
decision of whether enabling it is worth the trouble would be left to the
users.

Cheers
