Hello!

On Sun, Jun 28, 2015 at 12:20:06PM -0400, prozit wrote:

> Actually, I had the same questions.
> Is this something that's available by now, or is it in the pipeline of any
> new release of Nginx or will it never be?
>
> I'm just asking since I believe this might be a good feature to add since
> CRL's could get very big when lots of certificates have been revoked, and
> since it is not a realtime updating mechanism.
>
> By using an OCSP, there is a little overhead of contacting the OCSP for
> checking each client certificate that is being validated...
> I believe this to be much more efficient than regularly
> downloading/uploading a CRL and reloading Nginx. This process can fail on
> multiple locations which makes it harder to track and a big disadvantage of
> the CRL's is that they are not realtime updated, which is the case for
> OCSP's.
> This way revoking a certificate will cause it to immediately retract the
> access to client certificate secured applications (for all new sessions).
>
> Is it already supported in some version of Nginx or is it planned somewhere
> in the future?

As of now, there are no plans to support OCSP-based validation of
client certificates.

-- 
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx mailing list
[email protected]
http://mailman.nginx.org/mailman/listinfo/nginx
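The CRL refresh step prozit describes ("downloading a CRL and reloading Nginx"), with the checks that make each of its failure points visible, as an added example that is not part of this thread or of nginx itself. It assumes the openssl CLI and GNU date are installed; the file paths and the reload command in the comments are hypothetical.

```shell
# Safe CRL roll-out for nginx's ssl_crl: verify the downloaded CRL before
# installing it and reloading. Needs the openssl CLI and GNU date.

# crl_number FILE -> crlNumber as a decimal, or empty if the extension is absent.
crl_number() {
    hex=$(openssl crl -in "$1" -noout -crlnumber 2>/dev/null |
          sed -n 's/^crlNumber=\([0-9A-Fa-f]*\)$/\1/p')
    [ -z "$hex" ] || printf '%d\n' "$((0x$hex))"
}

# crl_check NEW_CRL CA_FILE [INSTALLED_CRL]
# Succeeds only if NEW_CRL is signed by a CA in CA_FILE, its nextUpdate is
# still in the future and, when an installed CRL exists, its crlNumber has
# not gone backwards. Every rejection names its reason on stderr.
crl_check() {
    new=$1 ca=$2 old=${3:-}
    # 1. Signature: anything not signed by the CA nginx trusts is discarded.
    out=$(openssl crl -in "$new" -noout -CAfile "$ca" -verify 2>&1) || true
    case $out in
        *"verify OK"*) ;;
        *) echo "reject: CRL does not verify against $ca" >&2; return 1 ;;
    esac
    # 2. Freshness: OpenSSL treats a CRL past nextUpdate as expired, and nginx
    #    then rejects every client certificate, so never install one.
    nu=$(openssl crl -in "$new" -noout -nextupdate | sed 's/^nextUpdate=//')
    [ "$(date -u -d "$nu" +%s)" -gt "$(date -u +%s)" ] ||
        { echo "reject: CRL nextUpdate $nu is in the past" >&2; return 1; }
    # 3. Monotonic crlNumber: refuse a replayed or stale download that would
    #    silently un-revoke certificates.
    if [ -n "$old" ] && [ -f "$old" ]; then
        n_new=$(crl_number "$new"); n_old=$(crl_number "$old")
        if [ -n "$n_new" ] && [ -n "$n_old" ] && [ "$n_new" -lt "$n_old" ]; then
            echo "reject: crlNumber $n_new is older than installed $n_old" >&2
            return 1
        fi
    fi
}

# crl_install NEW_CRL CA_FILE CRL_FILE RELOAD_CMD...
# Runs the checks, swaps CRL_FILE atomically, then runs the reload command.
crl_install() {
    new=$1 ca=$2 dst=$3; shift 3
    crl_check "$new" "$ca" "$dst" || return 1
    cp "$new" "$dst.tmp" && mv -f "$dst.tmp" "$dst" || return 1
    "$@"
}

# Typical cron use (hypothetical paths and URL):
#   curl -fsS https://ca.example/ca.crl -o /tmp/ca.crl &&
#   crl_install /tmp/ca.crl /etc/nginx/ca.pem /etc/nginx/ca.crl nginx -s reload
```

A CRL that fails any check is left uninstalled and nginx keeps serving with the previous one, so a bad download degrades to slightly stale revocation data instead of a failed reload or a CRL that rejects every client.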
