Forum: NGINX OCSP stapling for client certificates

Mohammad Dhedhi (Guest)
on 2014-08-27 18:51
(Received via mailing list)
Hi,

I was able to set up nginx with client certificate authentication and
OCSP stapling. I however noticed that OCSP is used only for the nginx
server ssl certificate.

It does not use OCSP for validating client certificates to see if a
client is using a revoked certificate or not. Is ssl_crl the only way to
check for revoked client certificates, or can nginx be configured to use
OCSP for client certificates?


Thanks.
Maxim Dounin (Guest)
on 2014-08-27 18:56
(Received via mailing list)
Hello!

On Wed, Aug 27, 2014 at 11:51:08AM -0500, Mohammad Dhedhi wrote:

> Hi,
>
> I was able to set up nginx with client certificate authentication and OCSP
> stapling. I however noticed that OCSP is used only for the nginx server ssl
> certificate.
>
> It does not use OCSP for validating client certificates to see if a client
> is using a revoked certificate or not. Is ssl_crl the only way to check
> for revoked client certificates, or can nginx be configured to use OCSP for
> client certificates?

No, nginx doesn't support OCSP-based validation of client
certificates, it only supports OCSP stapling.  If you want to
check revocation of client certificates, the only available option
is to use ssl_crl.

--
Maxim Dounin
http://nginx.org/
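
The setup discussed in this thread, as an added example that is not part of either post: OCSP stapling covers the server certificate, while client certificates are checked for revocation against a CRL file through ssl_crl. All file paths, the server name and the resolver address are placeholders.

```nginx
# Added example; paths, server_name and resolver are placeholders.
server {
    listen 443 ssl;
    server_name example.com;

    # Server certificate. OCSP stapling applies to this certificate only.
    ssl_certificate         /etc/nginx/tls/server.crt;
    ssl_certificate_key     /etc/nginx/tls/server.key;
    ssl_stapling            on;
    ssl_stapling_verify     on;
    ssl_trusted_certificate /etc/nginx/tls/server-chain.pem;
    resolver                192.0.2.53;  # used to look up the OCSP responder

    # Client certificates. Trust is anchored in this CA bundle, and
    # revocation is checked against the CRL file, not via OCSP.
    ssl_client_certificate  /etc/nginx/tls/client-ca.pem;
    ssl_verify_client       on;
    ssl_crl                 /etc/nginx/tls/client-ca.crl.pem;  # PEM format

    location / {
        # Reached only when client certificate verification succeeded.
        return 200 "client verified: $ssl_client_s_dn\n";
    }
}
```

nginx reads the CRL file when the configuration is loaded, so a refreshed CRL takes effect only after a reload.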