On Wed, Sep 29, 2021 at 9:24 PM Maxim Dounin <mdou...@mdounin.ru> wrote:
>
> Hello!
>
> On Wed, Sep 29, 2021 at 12:47:58PM +0800, Jeffrey 'jf' Lim wrote:
>
> > http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
> > has a note about not needing 'ssl_trusted_certificate' if
> > ssl_certificate has intermediate certificates. I do not see a similar
> > note for ssl_stapling_verify
> > (http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling_verify)
> > though. Is this also the same?
>
> No. To verify OCSP response OpenSSL needs a full chain up to a
> trusted root certificate.
>

Ok. I am reading the description for ssl_stapling again, and am wanting
to clarify a few things.

if "ssl_stapling on":
  if the certificate of the server certificate issuer is present in
  <ssl_certificate>, we do not need to have <ssl_trusted_certificate>
  otherwise <ssl_trusted_certificate> must have the certificate of the
  server certificate issuer

if "ssl_stapling_verify on":
  if <ssl_certificate> has the full chain, we *still* need
  <ssl_trusted_certificate>

Is my understanding correct?

thanks,
-jf