OCSP, client certificate verification with chained CA

Maxim Dounin mdounin at mdounin.ru
Thu Jan 6 20:36:03 UTC 2022


On Wed, Jan 05, 2022 at 03:33:29PM +0000, Marti, Ueli (Marin) wrote:

> Ok, good point thanks.
> However, it seems nginx accepts only one ssl_ocsp_responder 
> instance. Or is there a syntax to specify multiple instances ?
> So this would need to be solved on the responder side which 
> would need to be able to handle multiple CAs. Openssl ocsp 
> doesn't seem to support that.
> Any chance for nginx to support multiple ssl_ocsp_responder 
> instances in the future ?

Normally you shouldn't use ssl_ocsp_responder at all: instead, 
the certificate's Authority Information Access (AIA) extension is 
used to obtain the appropriate OCSP responder address.

The ssl_ocsp_responder directive is something to be used to 
manually override information from the AIA extension, either for 
testing or for complex configurations when you want to redefine 
the OCSP server address for some reason.  If you do this, you can 
distinguish OCSP requests for different certificates based on the 
information in the requests, such as issuer name and issuer key 
hashes.  If the OCSP responder you use is not capable of doing 
this, consider removing the ssl_ocsp_responder directive, so nginx 
will use the AIA extension instead.

(Note well that using OpenSSL's builtin OCSP responder for 
anything but tests might not be a good idea.)

Maxim Dounin
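The following script is an added example; it is not part of the list post above and not nginx project code. It assumes only openssl(1) (1.1.1 or 3.x) on PATH; the CA names, the client certificates and the two OCSP URLs (http://ocsp.alpha.example/ and http://ocsp.beta.example/) are constructed placeholders that are never contacted. It builds two independent CAs, each issuing a client certificate whose AIA extension names that CA's own responder, and then extracts the two things the reply relies on: the OCSP URL nginx takes from the AIA extension when ssl_ocsp_responder is absent, and the issuerNameHash/issuerKeyHash inside the OCSP request, which is all a single responder named by ssl_ocsp_responder has to tell the two CAs apart.

```shell
#!/bin/sh
# Added example, not from the nginx list post or from nginx itself.
# Assumes: openssl(1) 1.1.1 or 3.x on PATH. CA names, client subjects and the
# OCSP URLs below are constructed placeholders (non-routable, never contacted).
#
# Shows, for two independent CAs:
#   1. the OCSP URL in each client certificate's AIA extension (what nginx uses
#      when ssl_ocsp_responder is not configured), and
#   2. the issuerNameHash / issuerKeyHash in the CertID of the OCSP request, which
#      is what one shared responder (ssl_ocsp_responder) must route on.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME OCSP_URL
# Creates a self-signed CA "NAME CA" and issues one client certificate carrying
# an AIA extension of the form "OCSP;URI:OCSP_URL".
make_ca() {
    name=$1
    url=$2
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=$name CA" \
        -keyout "$WORK/$name-ca.key" -out "$WORK/$name-ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=client of $name" \
        -keyout "$WORK/$name-client.key" -out "$WORK/$name-client.csr" 2>/dev/null
    # x509v3 extension config in the unnamed default section of the extfile
    printf 'authorityInfoAccess = OCSP;URI:%s\n' "$url" > "$WORK/$name.ext"
    openssl x509 -req -sha256 -days 1 -in "$WORK/$name-client.csr" \
        -CA "$WORK/$name-ca.crt" -CAkey "$WORK/$name-ca.key" -CAcreateserial \
        -extfile "$WORK/$name.ext" -out "$WORK/$name-client.crt" 2>/dev/null
}

# ocsp_uri NAME
# Prints the OCSP URL(s) found in NAME's client certificate AIA extension.
ocsp_uri() {
    openssl x509 -noout -ocsp_uri -in "$WORK/$1-client.crt"
}

# issuer_hashes NAME
# Builds the OCSP request for NAME's client certificate locally (nothing is sent)
# and prints "<issuerNameHash> <issuerKeyHash>" from its CertID. Both are SHA-1
# by default, so each is 40 hex characters.
issuer_hashes() {
    openssl ocsp -issuer "$WORK/$1-ca.crt" -cert "$WORK/$1-client.crt" \
        -no_nonce -req_text \
        | awk '/Issuer Name Hash:/ { n = $NF } /Issuer Key Hash:/ { k = $NF }
               END { print n, k }'
}

main() {
    make_ca alpha http://ocsp.alpha.example/
    make_ca beta  http://ocsp.beta.example/
    for ca in alpha beta; do
        echo "$ca: AIA OCSP URI         = $(ocsp_uri "$ca")"
        echo "$ca: issuer name/key hash = $(issuer_hashes "$ca")"
    done
}

main
```

In nginx terms: with ssl_verify_client on, ssl_ocsp on and no ssl_ocsp_responder, the alpha certificate is checked at alpha's AIA URL and the beta certificate at beta's, so each CA can keep its own responder. Setting ssl_ocsp_responder sends both requests to the one address, and the responder then sees only the CertID fields printed above; the two issuer hashes differ, which is exactly what a multi-CA responder has to key on, and what a responder that serves a single issuer cannot do.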
