OCSP, ssl_trusted_certificate, and ssl_stapling_verify

In setting up OCSP stapling on 1.5.10 I’ve found it behaving in a way
which is opposite to what I perceive is documented. There it states that
the contents of ssl_trusted_certificate are not sent to the client. However,
when I enable ssl_stapling_verify, which requires the inclusion of (in this
case) the GeoTrust root certificate for the OCSP response to work, this root
certificate is included in the response back to the client.

Am I just interpreting the documentation incorrectly? It’s not a dire
issue, simply unexpected, and when including the root cert the SSL
handshake increases from 4434 bytes to 5293.

__________________
Scott Larson
Systems Administrator
Wiredrive/LA
310 823 8238 ext. 1106
310 943 2078 fax
www.wiredrive.com
www.twitter.com/wiredrive
www.facebook.com/wiredrive

Hello!

On Wed, Mar 05, 2014 at 11:49:24AM -0800, Scott Larson wrote:

> In setting up OCSP stapling on 1.5.10 I've found it behaving in a way
> which is opposite to what I perceive is documented. There it states that
> the contents of ssl_trusted_certificate are not sent to the client. However
> when I enable ssl_stapling_verify, which requires the inclusion of in this
> case the GeoTrust root certificate for the OCSP response to work, this root
> certificate is included in the response back to the client.
> Am I just interpreting the documentation incorrectly? It’s not a dire
> issue, simply unexpected, and when including the root cert the SSL
> handshake increases from 4434 bytes to 5293.

The difference between ssl_trusted_certificate and
ssl_client_certificate is that the latter is sent to a client in a
certificate request, in a list of distinguished names of accepted
certificate authorities, see here:

http://tools.ietf.org/html/rfc5246#section-7.4.4

What you see is likely auto chain building as done by OpenSSL if the
certificate chain isn’t explicitly specified. It shouldn’t happen
as long as there is at least one intermediate cert in the
ssl_certificate file.


Maxim D.
http://nginx.org/
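The two configurations Maxim's reply contrasts, as an added example (not from the thread or from nginx's own documentation); file paths, the hostname and the certificate file names are assumed, and the two server blocks are alternatives, not meant to coexist:

```nginx
# Variant A: the setup that produces the behaviour Scott observed.
# ssl_certificate holds only the leaf certificate, so OpenSSL builds the
# chain itself from the trusted store (loaded here for stapling verification,
# and containing the root) and sends that whole chain to the client.
server {
    listen 443 ssl;
    server_name example.com;                                   # assumed

    ssl_certificate     /etc/nginx/ssl/example.com.leaf-only.crt;  # leaf only
    ssl_certificate_key /etc/nginx/ssl/example.com.key;

    ssl_stapling        on;
    ssl_stapling_verify on;
    # Root and intermediate needed to verify the OCSP response.
    ssl_trusted_certificate /etc/nginx/ssl/geotrust-root-and-intermediate.pem;
    resolver 127.0.0.1;   # nginx needs a resolver to reach the OCSP responder
}

# Variant B: the corrected setup. ssl_certificate carries the leaf followed by
# the intermediate(s), so no automatic chain building takes place and the
# root stays on the server side; the handshake carries only leaf + intermediate.
server {
    listen 443 ssl;
    server_name example.com;                                   # assumed

    # Built with: cat example.com.crt intermediate.crt > example.com.fullchain.crt
    # (root deliberately omitted; clients already have it in their trust store)
    ssl_certificate     /etc/nginx/ssl/example.com.fullchain.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;

    ssl_stapling        on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/ssl/geotrust-root-and-intermediate.pem;
    resolver 127.0.0.1;
}
```

To confirm which variant a server is running, `openssl s_client -connect example.com:443 -status -showcerts </dev/null` prints the chain actually sent; with variant B it ends at the intermediate rather than the self-signed root, while the "OCSP Response Status: successful" line shows stapling still works.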
