NGINX not checking OCSP for revoked certificates

Zeal Vora zeal at freecharge.com
Thu Oct 13 09:37:25 UTC 2016


Hi

We've implemented basic Certificate Based Authentication for Nginx.

However, whenever the certificate is revoked, Nginx still allows the client
(with a revoked certificate) to access the website.

I verified manually with openssl against the OCSP URI and OCSP seems to be working
properly. Nginx doesn't seem to be forwarding the request to OCSP before
allowing the client.

I tried to specify ssl_crl, but as soon as I put it in, all the clients
start to receive 400 Bad Request.

Here is my relevant sample Nginx config:

    ### SSL cert files ###

    # CA bundle that client certificates must chain to
    ssl_client_certificate /test/ca.crt;
    # "optional": a client may omit its certificate, but a presented one must verify
    ssl_verify_client   optional;

    # PEM-encoded CRL used for the revocation check (a CRL lookup, not an OCSP query)
    ssl_crl /prod-adcs/latest.pem;
    ssl_verify_depth 2;


Is there something that I'm missing here?


Any help will be appreciated.
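An added example, not part of the thread, that reproduces offline what nginx asks OpenSSL to do once ssl_crl is set; the CA, CRL and client certificates it builds (ca.crt, latest.pem, revoked.crt, valid.crt) are constructed throwaway data, not the poster's files. Any verification failure, including a CRL that is expired or not signed by the CA in ssl_client_certificate, makes nginx answer 400 for every client that presents a certificate, so the functions below surface OpenSSL's reason for that failure.

```shell
#!/bin/sh
# Added example: rebuild the CRL-based client verification nginx delegates to
# OpenSSL, so a "400 Bad Request" from ssl_crl can be explained offline.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Minimal config for `openssl ca` (only what -revoke and -gencrl require).
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
database         = index.txt
crlnumber        = crlnumber
certificate      = ca.crt
private_key      = ca.key
default_md       = sha256
default_crl_days = 1
EOF
touch index.txt; echo 01 > crlnumber

# Constructed test data: throwaway CA, one client cert to revoke, one to keep.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
        -subj /CN=demo-ca -days 1 2>/dev/null
for c in revoked valid; do
  openssl req -newkey rsa:2048 -nodes -keyout $c.key -out $c.csr \
          -subj /CN=$c 2>/dev/null
  openssl x509 -req -in $c.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
          -out $c.crt -days 1 2>/dev/null
done
# Revoke one cert and publish the CRL, as an internal CA (e.g. ADCS) would.
openssl ca -config ca.cnf -revoke revoked.crt 2>/dev/null
openssl ca -config ca.cnf -gencrl -out latest.pem 2>/dev/null

# Prerequisite for ssl_crl: the file is a PEM CRL signed by the configured CA.
crl_usable() {  # $1 = ssl_client_certificate bundle, $2 = ssl_crl file
  openssl crl -in "$2" -noout -CAfile "$1" 2>&1 | grep -q 'verify OK'
}

# Same check nginx requests: chain to the CA plus a CRL lookup of the leaf.
# On failure prints OpenSSL's reason, e.g. "certificate revoked",
# "CRL has expired", or "unable to get certificate CRL" (issuer mismatch).
client_allowed() {  # $1 = CA bundle, $2 = CRL, $3 = client cert; 0 = allowed
  out=$(openssl verify -crl_check -CAfile "$1" -CRLfile "$2" "$3" 2>&1) && return 0
  printf '%s\n' "$out" | grep -o 'error [0-9]* at .*' | head -1
  return 1
}
```

Run the same two functions against the real /test/ca.crt and /prod-adcs/latest.pem to see which precondition the production CRL fails.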