10.01.2018, 03:02, "Maxim Dounin" <mdou...@mdounin.ru>:
Hello!
On Mon, Jan 08, 2018 at 11:38:56PM +1300, Thomas Valentine wrote:
I've spent a bit of time setting up my server with SSL, and checking
for OCSP stapling to be working - couldn't work out why it wasn't
sending the OCSP reply but it's as I was querying the server as the
first hit before it had primed the response. This isn't mentioned in
the online docs as to how it actually works. There is also nothing in
the logs saying what is going on - unless using debug mode.
Perhaps within ngx_http_ssl_module.c something could be added to log
when an OCSP query takes place (without requiring a debug log).
OCSP requests are expected to happen on a regular basis when OCSP
Stapling is enabled, and logging them all to the error log might
not be a good idea. Rather, it logs if there are any errors.
What about under the 'info' or 'notice' log level? Would that be a fair balance between information and not spamming the logs when error level is set to 'error'?
I assume at some point in the past the option to prime the server has
been considered and not implemented? I know a server script could be
written to do this - perhaps within an nginx startup - and get nginx to
use the ssl_stapling_file but this seems messy.
OCSP Stapling is an optimization, and nothing breaks if it doesn't
work. You don't need to prime anything (unless you are using the
"Must Staple" certificate extension, which is a completely different
story and didn't even exist when OCSP Stapling was implemented
in nginx).
You may also find these tickets interesting:
https://trac.nginx.org/nginx/ticket/1413
https://trac.nginx.org/nginx/ticket/990
https://trac.nginx.org/nginx/ticket/812
Some good info in those links. I disagree, but not my web server.
--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
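The thread above hinges on the fact that nginx only fetches an OCSP response after it has served a first handshake, so a single `openssl s_client -status` probe right after a restart typically shows "no response sent". The following is an added example, not code from the thread or from nginx: a small POSIX shell check that classifies the `s_client -status` output and re-probes a host a few times so the first unprimed hit is not mistaken for a broken stapling setup. The host, port, attempt count and delay are assumed parameters; the sample output strings used in comments are constructed.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): verify OCSP stapling
# on a TLS endpoint while allowing for nginx's "first hit primes the
# response" behaviour described in the thread.

# classify_ocsp_output: given the text printed by `openssl s_client -status`,
# print "stapled", "unstapled" or "unknown".
#   "OCSP Response Status: successful (0x0)"  -> stapled
#   "OCSP response: no response sent"          -> unstapled (first hit, or
#                                                 stapling not configured)
classify_ocsp_output() {
    if printf '%s\n' "$1" | grep -q 'OCSP Response Status: successful'; then
        echo stapled
    elif printf '%s\n' "$1" | grep -q 'OCSP response: no response sent'; then
        echo unstapled
    else
        echo unknown
    fi
}

# check_ocsp_stapling HOST [PORT] [ATTEMPTS] [DELAY]
# Probes HOST:PORT up to ATTEMPTS times, sleeping DELAY seconds between
# tries (hypothetical defaults: 443, 3 attempts, 2 seconds). Returns 0 as
# soon as a stapled response is observed, 1 if none was seen. A result of
# "unstapled" on attempt 1 followed by "stapled" on attempt 2 is the
# expected pattern right after an nginx start or reload.
check_ocsp_stapling() {
    host=$1; port=${2:-443}; attempts=${3:-3}; delay=${4:-2}
    i=1
    while [ "$i" -le "$attempts" ]; do
        # "Q" on stdin makes s_client close the connection after the handshake.
        out=$(echo Q | openssl s_client -connect "$host:$port" \
                  -servername "$host" -status 2>/dev/null)
        result=$(classify_ocsp_output "$out")
        echo "attempt $i: $result"
        [ "$result" = stapled ] && return 0
        i=$((i + 1))
        [ "$i" -le "$attempts" ] && sleep "$delay"
    done
    return 1
}

# Usage (network required): check_ocsp_stapling example.com 443 3 2
```

If every attempt reports "unstapled", the usual things to confirm are that `ssl_stapling on` is set, that the OCSP responder is reachable from the nginx host, and that the error log (at the level Maxim refers to) contains no OCSP fetch errors.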