Hello! On Fri, Jan 04, 2019 at 05:57:56AM +0100, ѽ҉ḳ℠ wrote:
> On 04.01.2019 05:35, Maxim Dounin wrote:
> > The "ssl_stapling_file" directive needs an OCSP response obtained
> > from your certificate authority, not a certificate.  As you are
> > trying to put a certificate instead, parsing expectedly fails.
>
> Thanks for the explanation which was not clear to me from the online
> documentation.

The documentation is pretty clear - it says you need an OCSP
response, and it references the appropriate openssl subcommand to
generate one (http://nginx.org/r/ssl_stapling_file):

: When set, the stapled OCSP response will be taken from the specified file
: instead of querying the OCSP responder specified in the server certificate.
:
: The file should be in the DER format as produced by the “openssl ocsp”
: command.

> So basically nginx does not work as an OCSP responder
> for domains with self-signed certificates unless the domain deploys its
> own responder. Too bad as I had hoped that the "ssl_stapling_file"
> directive would be able to process an OCSP certificate rather than a
> response from a responder.

Using OCSP (or any other revocation checking mechanism) with
self-signed certificates simply does not make sense: as long as
the certificate is compromised, everything signed by this
certificate is compromised too, including any possible OCSP
responses.

OCSP stapling might make sense if you are instead running an
internal CA and use certificates signed by this CA, but the CA
does not have an OCSP responder configured.  In this case, you can
produce an OCSP response using the "openssl ocsp" command.  Please
refer to its manual page ("man ocsp") for details.

-- 
Maxim Dounin
http://mdounin.ru/

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
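The internal-CA case Maxim describes, worked through end to end as an added example (this is not code from the thread, from nginx or from OpenSSL): a throwaway internal CA issues a server certificate, and "openssl ocsp" in responder mode answers a request for that certificate from a one-line index file and writes the DER response that ssl_stapling_file expects. It assumes an OpenSSL CLI (1.1.1 or 3.x) on PATH; the CA name "Demo Internal CA", the host www.example.internal, the placeholder responder URL http://ocsp.example.internal/, the serial 0x1001 and all file names are chosen for this demo. The response is signed with the CA key, which is exactly why this is meaningful for a CA-issued certificate and pointless for a self-signed leaf.

```shell
#!/bin/sh
# Added example (not from the thread, nginx or OpenSSL): produce and verify a
# DER OCSP response for nginx's ssl_stapling_file using only the OpenSSL CLI.
# Assumes openssl 1.1.1 or 3.x; every name, path and serial is demo-specific.
set -e

# Answer an OCSP request for server.crt from index.txt, signing as the CA.
# "-issuer" must precede "-cert" on the command line. "-respout" writes the
# DER file that ssl_stapling_file points at; nextUpdate is set 7 days ahead.
respond_from_index() {
  dir="$1"
  openssl ocsp -issuer "$dir/ca.crt" -cert "$dir/server.crt" \
    -index "$dir/index.txt" -CA "$dir/ca.crt" \
    -rsigner "$dir/ca.crt" -rkey "$dir/ca.key" \
    -no_nonce -ndays 7 -CAfile "$dir/ca.crt" \
    -respout "$dir/ocsp.der" >/dev/null
}

make_stapled_response() {
  dir="$1"
  mkdir -p "$dir"

  # Minimal req config so "openssl req" does not depend on a system openssl.cnf.
  # The CA gets CA:TRUE; the server cert gets a SAN and an AIA OCSP URL
  # (a placeholder: no responder is deployed, which is the scenario at hand).
  cat > "$dir/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign, digitalSignature
[srv_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.example.internal
authorityInfoAccess = OCSP;URI:http://ocsp.example.internal/
EOF

  # 1. Internal CA (self-signed root). Its key signs the server cert AND the
  #    OCSP response below; that is what gives the response any meaning.
  openssl req -x509 -config "$dir/demo.cnf" -extensions ca_ext \
    -newkey rsa:2048 -nodes -keyout "$dir/ca.key" -out "$dir/ca.crt" \
    -subj "/CN=Demo Internal CA" -days 30 2>/dev/null

  # 2. Server certificate with a fixed serial (0x1001) so the index entry matches.
  openssl req -new -config "$dir/demo.cnf" \
    -newkey rsa:2048 -nodes -keyout "$dir/server.key" -out "$dir/server.csr" \
    -subj "/CN=www.example.internal" 2>/dev/null
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -set_serial 0x1001 -days 30 -extfile "$dir/demo.cnf" -extensions srv_ext \
    -out "$dir/server.crt" 2>/dev/null

  # 3. "openssl ca"-style index, tab separated: status (V valid / R revoked),
  #    expiry, revocation time, serial (hex), file, subject.
  printf 'V\t20991231235959Z\t\t1001\tunknown\t/CN=www.example.internal\n' \
    > "$dir/index.txt"

  # 4. Produce ocsp.der.
  respond_from_index "$dir"
}

# Verify the stored response against the CA and print the certificate status
# ("good" or "revoked"). Fails if the signature or chain does not check out;
# this is the check worth running before reloading nginx with the file.
stapled_status() {
  dir="$1"
  out=$(openssl ocsp -respin "$dir/ocsp.der" -CAfile "$dir/ca.crt" \
        -resp_text 2>/dev/null) || return 1
  printf '%s\n' "$out" | awk '/Cert Status:/ { print $3; exit }'
}

# Mark the cert revoked in the index (UTCTime revocation date) and regenerate,
# which is what the stapled file must carry once the CA revokes the cert.
revoke_and_refresh() {
  dir="$1"
  printf 'R\t20991231235959Z\t190104120000Z\t1001\tunknown\t/CN=www.example.internal\n' \
    > "$dir/index.txt"
  respond_from_index "$dir"
}

# Stand-alone run in a scratch directory.
demo_dir=$(mktemp -d)
make_stapled_response "$demo_dir"
echo "stapled status: $(stapled_status "$demo_dir") (file: $demo_dir/ocsp.der)"
```

The resulting file is used with `ssl_stapling on;` plus `ssl_stapling_file /path/to/ocsp.der;` in the server block. Because the directive reads a static file, nothing refreshes it: the response here is valid for 7 days (`-ndays 7`), so it has to be regenerated and nginx reloaded before then, and again immediately after any revocation, or clients will be served a stale or missing status.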