OCSP stapling for client certificates

Maxim Dounin mdounin at mdounin.ru
Sun Jul 5 23:43:26 UTC 2015


On Sun, Jun 28, 2015 at 12:20:06PM -0400, prozit wrote:

> Actually, I had the same questions.
> Is this something that's available by now, or is it in the pipeline of any
> new release of Nginx or will it never be?
> I'm just asking since I believe this might be a good feature to add since
> CRL's could get very big when lots of certificate have been revoked, and
> since it is not a realtime updating mechanism.
> By using a OCSP, there is a little overhead of contacting the OCSP for
> checking each client certificate that is being validated...
> I believe this to be much more efficient than regularly
> downloading/uploading a CRL and reloading Nginx. This process can fail on
> multiple locations which makes it harder to track and a big disadvantage of
> the CRL's is that they are not realtime updated, which is the case for
> OCSP's.
> This way revoking a certificate will cause it to immediately retract the
> access to client certificate secured applications (for all new sessions).
> Is it already supported in some version of Nginx or is it planned somewhere
> in the future?

As of now, there are no plans to support OCSP-based validation of 
client certificates.

Maxim Dounin

More information about the nginx mailing list