OCSP stapling for client certificates

prozit nginx-forum at nginx.us
Sun Jun 28 16:20:06 UTC 2015


Hi,

Actually, I had the same questions.
Is this something that's available by now, or is it in the pipeline of any
new release of Nginx or will it never be?

I'm just asking since I believe this might be a good feature to add, since
CRLs could get very big when lots of certificates have been revoked, and
since they are not a real-time updating mechanism.

By using an OCSP, there is a little overhead of contacting the OCSP for
checking each client certificate that is being validated...
I believe this to be much more efficient than regularly
downloading/uploading a CRL and reloading Nginx. This process can fail in
multiple locations, which makes it harder to track, and a big disadvantage of
CRLs is that they are not updated in real time, which is the case for
OCSP.
This way, revoking a certificate will cause it to immediately retract
access to client-certificate-secured applications (for all new sessions).

Is it already supported in some version of Nginx or is it planned somewhere
in the future?

Many thanks,
Kind regards,

Francis Claessens.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,252893,259954#msg-259954
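The CRL gap the post describes, as an added example that is not part of the original post and is not nginx's or the poster's code: a throwaway CA, one client certificate and a CRL are built with openssl, the certificate is revoked, and the same chain check a server performs is run once against the CRL that was published before the revocation and once against a freshly regenerated one. The CA name, the subject "alice", the file names and the config are all constructed for this example. The mapping to nginx is an assumption stated in the comments: the CRL a server checks against is the file it loaded (for nginx, the ssl_crl file, read when the configuration is loaded), so a revocation is invisible until a new CRL is generated and that file is replaced and reloaded.

```shell
#!/bin/sh
# Added example, not from the original post or from nginx: a throwaway CA,
# one client certificate and a CRL, all built here with openssl, to show why
# a CRL only catches a revocation once it has been regenerated and the new
# file has been put where the server reads it (assumption about the nginx
# side: the ssl_crl file is loaded with the configuration, so "the server's
# CRL" here is just whichever CRL file it was last given).
# All names, paths and the subject "alice" are constructed for this example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal configuration for a CA driven by openssl ca(1).
cat > ca.cnf <<'EOF'
[ ca ]
default_ca         = CA_default
[ CA_default ]
dir                = .
database           = index.txt
new_certs_dir      = .
certificate        = ca.crt
private_key        = ca.key
serial             = serial
crlnumber          = crlnumber
default_md         = sha256
default_days       = 1
default_crl_days   = 1
policy             = policy_any
[ policy_any ]
commonName         = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints   = critical, CA:true
keyUsage           = critical, keyCertSign, cRLSign
[ client_cert ]
basicConstraints   = CA:false
keyUsage           = digitalSignature
extendedKeyUsage   = clientAuth
EOF
: > index.txt
echo 01 > serial
echo 01 > crlnumber

# Self-signed issuing CA, then a client certificate for "alice".
openssl req -config ca.cnf -x509 -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout ca.key -out ca.crt -days 2 -subj "/CN=Example Client CA" >/dev/null 2>&1
openssl req -config ca.cnf -newkey rsa:2048 -nodes \
    -keyout alice.key -out alice.csr -subj "/CN=alice" >/dev/null 2>&1
openssl ca -config ca.cnf -batch -notext -extensions client_cert \
    -in alice.csr -out alice.crt >/dev/null 2>&1

# What the CA does when revoking: only its own database (index.txt) changes.
revoke_client() {
    openssl ca -config ca.cnf -revoke alice.crt >/dev/null 2>&1
}

# What the CA does when publishing: a new CRL is signed from index.txt.
issue_crl() {
    openssl ca -config ca.cnf -gencrl -out "$1" >/dev/null 2>&1
}

# What the server does per TLS handshake: chain validation of alice.crt with
# the CRL it has on disk. Prints "accepted" or "rejected" for the given CRL.
verdict() {
    cat ca.crt "$1" > trust.pem
    if openssl verify -crl_check -CAfile trust.pem alice.crt >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

issue_crl crl-old.pem
echo "fresh cert, current CRL:           $(verdict crl-old.pem)"   # accepted
revoke_client
echo "revoked, server still has old CRL: $(verdict crl-old.pem)"   # accepted: the gap
issue_crl crl-new.pem
echo "revoked, new CRL installed:        $(verdict crl-new.pem)"   # rejected
```

The middle line is the point of the post: between the CA marking the certificate revoked and the server receiving (and reloading) a regenerated CRL, the revoked client certificate is still accepted, and every step in between (CRL generation, transfer, reload) is a place where the process can silently stall. An OCSP query would ask the CA's responder at handshake time instead of trusting the file on disk.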



More information about the nginx mailing list