OCSP stapling and resolver

Grzegorz Kulewski gk at leniwiec.biz
Tue Sep 26 15:24:26 UTC 2017

W dniu 26.09.2017 15:20, Maxim Dounin pisze:
> Hello!
> On Tue, Sep 26, 2017 at 03:48:57AM +0200, Grzegorz Kulewski wrote:
>> Is resolver in nginx still needed for OCSP stapling?
> Yes.
>> I am getting a warning from nginx if resolver is not supplied 
>> but at the same time both Qualys and openssl s_client output 
>> suggest OCSP stapling is working. Strange.
> The warning means that nginx will use IP addresses of the OCSP 
> responder obtained during configuration parsing, and it won't be 
> able to switch to different IP addresses.  That is, everything 
> will work unless OCSP responder will be moved to different IP 
> addresses.

Thank you very much for this explanation.

I know that this behavior is compatible with proxy_pass resolving policy but wouldn't it be better to fail fast in this scenario? Doing what nginx is currently doing is bound to surprise some people, especially if must staple is used.

If you think it's not possible to change it then maybe the warning can be improved to say exactly what you said?

Also, maybe there should be some new configuration directive like: i_really_want_to_resolve_only_at_startup yes; set to no by default - so the user will be forced to be aware of the problem?

Grzegorz Kulewski

More information about the nginx mailing list