"ssl_stapling" without configured "resolver" caches responder IP indefinitely

Maxim Dounin mdounin at mdounin.ru
Fri Jan 28 22:05:59 UTC 2022


Hello!

On Fri, Jan 28, 2022 at 01:17:34PM -0500, hablutzel1 wrote:

> Hi, while testing the latest NGINX source code around ~1.21.7, I’ve observed
> that enabling "ssl_stapling" without configuring a “resolver”, makes NGINX
> cache the OCSP responder IP indefinitely, so, if the CA later changes the
> OCSP responder IP, NGINX is still going to try to get OCSP queries from the
> old IP (possibly inoperative now), irrespective of the DNS record TTL.
> 
> Now, I'm aware of
> https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
> saying:
> 
> > For a resolution of the OCSP responder hostname, the resolver directive
> > should also be specified.
> 
> And effectively, using the “resolver” directive, OCSP DNS records are
> refreshed, but it is not obvious at all what is going to happen if a
> "resolver" is not configured. Is there any documentation on this?
> Additionally, what is the reason to not use the default system DNS resolvers
> in the standard way (i.e. respecting DNS TTLs) instead of performing the
> resolution only once when no "resolver" is configured?

The standard system resolver does not provide a non-blocking interface,
which makes it unusable for nginx at runtime.

-- 
Maxim Dounin
http://mdounin.ru/
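The two configurations discussed in this thread, side by side, as an added illustration that is not part of either message: the first enables "ssl_stapling" without a "resolver" (the reporter's case, where nginx resolves the OCSP responder hostname once when the configuration is loaded and keeps that address until the next reload), the second adds the "resolver" directive so the responder hostname is re-resolved at runtime using nginx's own non-blocking resolver. Hostnames, file paths and the resolver address are placeholders.

```nginx
# Case 1 (as reported): stapling enabled, no "resolver" configured.
# The OCSP responder hostname from the certificate's AIA extension is
# resolved through the blocking system resolver at config load time only;
# the resulting IP is reused until nginx is reloaded or restarted.
server {
    listen 443 ssl;
    server_name example.com;                          # placeholder

    ssl_certificate         /etc/nginx/tls/fullchain.pem;   # placeholder paths
    ssl_certificate_key     /etc/nginx/tls/privkey.pem;

    ssl_stapling            on;
    ssl_stapling_verify     on;
    ssl_trusted_certificate /etc/nginx/tls/chain.pem;
    # no "resolver" directive here
}

# Case 2 (recommended by the docs): same stapling settings plus a resolver.
# nginx now uses its own asynchronous resolver for the responder hostname,
# so a CA moving its OCSP responder to a new address is picked up at runtime.
# Without "valid=", answers are cached for the TTL returned by the DNS server;
# "valid=" only serves to cap that cache time if wanted.
server {
    listen 443 ssl;
    server_name example.com;                          # placeholder

    ssl_certificate         /etc/nginx/tls/fullchain.pem;
    ssl_certificate_key     /etc/nginx/tls/privkey.pem;

    ssl_stapling            on;
    ssl_stapling_verify     on;
    ssl_trusted_certificate /etc/nginx/tls/chain.pem;

    # assumed: a local stub resolver; point this at a resolver you trust,
    # since plain DNS answers are not authenticated
    resolver         127.0.0.53 valid=300s ipv6=off;
    resolver_timeout 5s;
}
```

To confirm that a response is actually being stapled after a reload, `openssl s_client -connect example.com:443 -status </dev/null` prints an "OCSP response:" section whose status line should read "OCSP Response Status: successful (0x0)"; an absent or unsuccessful response after the CA has changed responders is the symptom described in the report.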


