On Wed, Sep 29, 2021 at 9:42 PM Jeffrey 'jf' Lim <jfs.wo...@gmail.com> wrote:
>
> On Wed, Sep 29, 2021 at 9:24 PM Maxim Dounin <mdou...@mdounin.ru> wrote:
> >
> > Hello!
> >
> > On Wed, Sep 29, 2021 at 12:47:58PM +0800, Jeffrey 'jf' Lim wrote:
> >
> > > http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
> > > has a note about not needing 'ssl_trusted_certificate' if
> > > ssl_certificate has intermediate certificates. I do not see a similar
> > > note for ssl_stapling_verify
> > > (http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling_verify)
> > > though. Is this also the same?
> >
> > No. To verify OCSP response OpenSSL needs a full chain up to a
> > trusted root certificate.
> >
>
> Ok. I am reading the description for ssl_stapling again, and am
> wanting to clarify a few things.
>
> if "ssl_stapling on":
>   if the certificate of the server certificate issuer is present in
>   <ssl_certificate>, we do not need to have <ssl_trusted_certificate>
>   otherwise <ssl_trusted_certificate> must have the certificate of the
>   server certificate issuer
>
> if "ssl_stapling_verify on":
>   if <ssl_certificate> has the full chain, we *still* need
>   <ssl_trusted_certificate>
>
> Is my understanding correct?
>

sorry, but can I get a clarification on whether my understanding is correct?

thanks,
-jf
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
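
An added configuration example, not part of the thread above and not from the nginx project: it places the two directives discussed side by side, following Maxim Dounin's reply and the linked ssl_stapling / ssl_stapling_verify documentation. The server name, file paths and resolver address are placeholders.

```nginx
# Constructed example. Paths, server_name and the resolver address are
# placeholders, not values from the thread.
server {
    listen 443 ssl;
    server_name example.com;

    # Leaf certificate followed by its intermediate certificate(s).
    ssl_certificate     /etc/nginx/tls/example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/example.com.key;

    # Stapling: nginx must know the certificate of the server certificate
    # issuer. Per the ssl_stapling documentation it can come from
    # ssl_certificate when the intermediates are included there; otherwise
    # it has to be present in ssl_trusted_certificate.
    ssl_stapling on;

    # Verifying the stapled response: OpenSSL needs a full chain up to a
    # trusted root (Maxim Dounin's reply). The ssl_stapling_verify
    # documentation asks for the issuer, all intermediates and the root
    # certificate to be configured through ssl_trusted_certificate.
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/tls/ca-chain-with-root.pem;

    # The ssl_stapling documentation also requires a resolver so the
    # OCSP responder hostname can be resolved.
    resolver 192.0.2.53;
}
```

Run `nginx -t` after editing to confirm the configuration parses and the referenced files load.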