OCSP stapling priming and logging

Thomas Valentine
OCSP stapling priming and logging
January 08, 2018 11:50AM
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Maxim Dounin
Re: OCSP stapling priming and logging
January 09, 2018 03:10PM
Hello!

On Mon, Jan 08, 2018 at 11:38:56PM +1300, Thomas Valentine wrote:

> I've spent a bit of time setting up my server with SSL, and checking
> for OCSP stapling to be working - couldn't work out why it wasn't
> sending the OCSP reply but it's as I was querying the server as the
> first hit before it had primed the response. This isn't mentioned in
> the online docs as to how it actually works. There is also nothing in
> the logs saying what is going on - unless using debug mode.
>
> Perhaps within ngx_http_ssl_module.c something could be added to log
> when an OCSP query takes place (without requiring a debug log).

OCSP requests are expected to happen on a regular basis when OCSP
Stapling is enabled, and logging them all to the error log might
not be a good idea. Rather, it logs if there are any errors.

> I assume at some point in the past the option to prime the server has
> been considered and not implemented? I know a server script could be
> written to do this - perhaps within an nginx startup - and get nginx to
> use the ssl_stapling_file but this seems messy.

OCSP Stapling is an optimization, and nothing breaks if it doesn't
work. You don't need to prime anything (unless you are using the
"Must Staple" certificate extension, which is a completely different
story and didn't even exist when OCSP Stapling was implemented
in nginx).

You may also find these tickets interesting:

https://trac.nginx.org/nginx/ticket/1413
https://trac.nginx.org/nginx/ticket/990
https://trac.nginx.org/nginx/ticket/812

--
Maxim Dounin
http://mdounin.ru/
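As an added example (not code from the thread or from nginx), a Python check that allows for the lazy priming described above: nginx fetches the OCSP response only after a first handshake has happened, so the checker connects once to prime, waits, and retries before concluding that stapling is not working. The `openssl s_client -status` output samples are constructed, and the host name is a placeholder.

```python
"""Verify OCSP stapling on a TLS server, tolerating nginx's lazy priming."""
import re
import subprocess
import time

# Constructed sample: first hit after nginx startup, response not yet primed.
SAMPLE_UNPRIMED = """CONNECTED(00000003)
OCSP response: no response sent
depth=0 CN = example.test
"""
# Constructed sample: a later connection, once nginx has cached the response.
SAMPLE_PRIMED = """CONNECTED(00000003)
OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
"""

def parse_staple(output: str) -> dict:
    """Classify `openssl s_client -status` output into stapled / status / cert status."""
    if "OCSP response: no response sent" in output:
        return {"stapled": False, "status": None, "cert_status": None}
    status = re.search(r"OCSP Response Status: (\w+)", output)
    cert = re.search(r"Cert Status: (\w+)", output)
    return {"stapled": status is not None,
            "status": status.group(1) if status else None,
            "cert_status": cert.group(1) if cert else None}

def s_client_status(host: str, port: int = 443) -> str:
    """One handshake that requests a stapled response (needs network access)."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}",
         "-servername", host, "-status"],
        input=b"", capture_output=True, timeout=15)
    return proc.stdout.decode(errors="replace")

def check_stapling(host: str, attempts: int = 3, delay: float = 2.0,
                   fetch=s_client_status) -> dict:
    """Prime with the first connection, then retry; return the last parsed result.
    `fetch` is injectable so the retry logic can run against canned output."""
    result = None
    for i in range(attempts):
        result = parse_staple(fetch(host))
        if result["stapled"]:
            break
        if i + 1 < attempts:
            time.sleep(delay)  # give nginx time to finish the OCSP fetch
    return result
```

A single unprimed result is expected right after a restart; only a staple that is still missing after the retries points at a real configuration or resolver problem, which nginx would also log as an error.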
Tom
Re: OCSP stapling priming and logging
January 15, 2018 03:00AM