Hello,

On Mon, Jan 25, 2016 at 03:41:25pm +0000, Alessandro Ghedini wrote:
> > > > > > The "full" in turn doesn't seem to be a correct feature, as a stapled
> > > > > > OCSP response may be legitimately absent for multiple reasons.
> > > > >
> > > > > If you control the upstream servers then I don't see any reason why you
> > > > > couldn't just enable OCSP stapling unconditionally and enforce this on
> > > > > the downstream with the "full" option. Maybe I'm missing something?
> > > >
> > > > Much like any other arbitrary requirement, this one of course can
> > > > be enforced as well. The question is how this is different from
> > > > other arbitrary requirements we don't provide options for.
> > >
> > > nginx's proxy module already supports checking CRLs, which are an even bigger
> > > pain to deal with, and full OCSP has so many problems that it's not really a
> > > viable option in practice (see above). As far as certificate revocation goes
> > > that's it, there aren't any more "arbitrary requirements" as far as I know. So
> > > it seems to me that upstream OCSP stapling checking would be a fairly nice and
> > > useful improvement over the current status, and while my patches aren't exactly
> > > simple they are not that complicated either.
> >
> > You are essentially trying to push the "must staple" extension into
> > nginx configuration. And I'm not a fan of either the "must staple"
> > or what you are trying to do.
> >
> > OCSP stapling was designed as an optimization for OCSP. That is,
> > if OCSP stapling is used, it saves an OCSP lookup. But
> > introducing "must staple" changes things a lot: now servers are
> > required to provide OCSP responses even if they can't do so for
> > some reason. You can't start answering requests till you've
> > loaded an OCSP response to staple it, and you essentially never know
> > if you will be able to start the server or not.
> >
> > I tend to think that "must staple" introduces much more
> > complexity than it solves. And the same applies to the
> > configuration directive introduced by your patch.
>
> Would it make a difference if I added full (not just stapling) OCSP support to
> NGINX's proxy module, using stapling only as an optimization as you say, or are
> you against this regardless?
>
> That should address your concerns I think, and the code to support OCSP is
> already in place anyway. Of course it would be disabled by default, so the
> decision of whether enabling it is worth the trouble would be left to the
> users.

Ping?

Cheers

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
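The three positions argued in the thread (a stapled response may legitimately be absent; a "full" option that makes it mandatory; stapling as a mere optimisation with a real OCSP query as fallback) come down to one decision function on the client side of the upstream handshake. The block below is an added example written for this page, not code from the thread, the patch or nginx. It uses pyca/cryptography to build a throwaway CA, two leaf certificates (one carrying the RFC 7633 must-staple TLS feature extension) and issuer-signed OCSP responses, all constructed in memory, and then applies a hypothetical `mode` setting modelled on the options discussed: "off", "on" (verify a staple if present, otherwise query a responder through the hypothetical `ocsp_fetch` callback) and "full" (staple required). It assumes the issuing CA signs its own responses; delegated responder certificates and the OCSP nonce are not handled.

```python
# Added example, not nginx code: an upstream OCSP policy check where stapling is only an
# optimisation (absent staple -> ask a responder), plus a strict "full" mode and RFC 7633
# must-staple. Uses pyca/cryptography; CA, leaves and responses are constructed in memory.
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

UTC = datetime.timezone.utc


class OCSPError(Exception):
    """A response was present but cannot be trusted."""


def _utc(dt):  # normalise naive timestamps (cryptography < 43) to aware UTC
    return dt if dt is None or dt.tzinfo else dt.replace(tzinfo=UTC)


def cert_requires_staple(cert):
    """RFC 7633 must-staple: a TLS feature extension listing status_request."""
    try:
        feature = cert.extensions.get_extension_for_class(x509.TLSFeature).value
    except x509.ExtensionNotFound:
        return False
    return x509.TLSFeatureType.status_request in feature


def validate_ocsp_response(der, leaf, issuer, now=None, skew=datetime.timedelta(minutes=5)):
    """Status a DER OCSP response asserts for `leaf`; raises OCSPError if it cannot be trusted."""
    now = now or datetime.datetime.now(UTC)
    resp = ocsp.load_der_ocsp_response(der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        raise OCSPError("responder status %s" % resp.response_status.name)
    if resp.serial_number != leaf.serial_number:
        raise OCSPError("response is for a different certificate")
    try:  # assumption: the issuing CA signs its own responses (no delegated responder)
        issuer.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                   ec.ECDSA(resp.signature_hash_algorithm))
    except InvalidSignature:
        raise OCSPError("response not signed by the issuer")
    this_update = _utc(getattr(resp, "this_update_utc", None) or resp.this_update)
    next_update = _utc(getattr(resp, "next_update_utc", None) or resp.next_update)
    if this_update > now + skew or (next_update and next_update < now - skew):
        raise OCSPError("response is outside its validity window")
    return resp.certificate_status


def check_upstream_ocsp(leaf, issuer, stapled, mode, ocsp_fetch=None):
    """Hypothetical `mode`: "off" ignores OCSP; "on" verifies a staple if present, else asks a
    responder via `ocsp_fetch`; "full" requires the staple. Returns (verdict, reason)."""
    if mode == "off":
        return "accept", "ocsp verification disabled"
    response, source = stapled, "stapled"
    if response is None:
        if cert_requires_staple(leaf):
            return "reject", "certificate is must-staple but nothing was stapled"
        if mode == "full":
            return "reject", "mode full requires a stapled response"
        # Stapling was only an optimisation: fall back to a real OCSP query.
        response, source = (ocsp_fetch(leaf) if ocsp_fetch else None), "responder"
        if response is None:  # soft-fail like browsers; hard-failing would tie every
            return "accept", "no stapled response, no responder answer (soft-fail)"  # connection to the responder
    try:
        status = validate_ocsp_response(response, leaf, issuer)
    except OCSPError as exc:
        return "reject", "%s response rejected: %s" % (source, exc)
    if status == ocsp.OCSPCertStatus.GOOD:
        return "accept", "%s response says good" % source
    return "reject", "%s response says %s" % (source, status.name.lower())


def build_fixtures():
    """Constructed PKI: EC issuer, plain leaf, must-staple leaf, issuer-signed DER responses."""
    now = datetime.datetime.now(UTC)
    issuer_key = ec.generate_private_key(ec.SECP256R1())
    name = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

    def cert(cn, key, ca, must_staple=False):
        b = (x509.CertificateBuilder().subject_name(name(cn)).issuer_name(name("Test CA"))
             .public_key(key.public_key()).serial_number(x509.random_serial_number())
             .not_valid_before(now - datetime.timedelta(minutes=1))
             .not_valid_after(now + datetime.timedelta(days=1))
             .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
        if must_staple:
            b = b.add_extension(x509.TLSFeature([x509.TLSFeatureType.status_request]), critical=False)
        return b.sign(issuer_key, hashes.SHA256())

    def response(subject, status, revoked_at=None, reason=None):
        return (ocsp.OCSPResponseBuilder()
                .add_response(cert=subject, issuer=issuer, algorithm=hashes.SHA256(),
                              cert_status=status, this_update=now,
                              next_update=now + datetime.timedelta(hours=1),
                              revocation_time=revoked_at, revocation_reason=reason)
                .responder_id(ocsp.OCSPResponderEncoding.NAME, issuer)
                .sign(issuer_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER))

    issuer = cert("Test CA", issuer_key, ca=True)
    leaf = cert("upstream.example", ec.generate_private_key(ec.SECP256R1()), ca=False)
    leaf_ms = cert("strict.example", ec.generate_private_key(ec.SECP256R1()), ca=False, must_staple=True)
    return {"issuer": issuer, "leaf": leaf, "leaf_ms": leaf_ms,
            "good": response(leaf, ocsp.OCSPCertStatus.GOOD),
            "good_ms": response(leaf_ms, ocsp.OCSPCertStatus.GOOD),
            "revoked": response(leaf, ocsp.OCSPCertStatus.REVOKED,
                                now - datetime.timedelta(hours=2), x509.ReasonFlags.key_compromise)}
```

Run `f = build_fixtures()` and call `check_upstream_ocsp(f["leaf"], f["issuer"], None, "full")` against `check_upstream_ocsp(f["leaf"], f["issuer"], None, "on", ocsp_fetch=lambda c: f["good"])` to see the two sides of the argument side by side: the same absent staple is a hard failure under "full" and a responder round-trip under "on". The must-staple leaf is rejected without a staple in every mode except "off", which is the server-side burden the reply above objects to; the soft-fail on an unreachable responder is a deliberate choice, and flipping it to a reject is exactly the point where "OCSP as optimisation" turns back into "must staple".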