Forum: NGINX OCSP stapling for client certificates

Ca21cb4fbbf09d17f65fdc4a014f04bb?d=identicon&s=25 Mohammad Dhedhi (Guest)
on 2014-08-27 18:51
(Received via mailing list)
Hi,

I was able to setup nignx with client certificate authentication and
OCSP
stapling. I however noticed that OCSP is used only for the nginx server
ssl
certificate.

It does not use OCSP for validating client certificates to see if a
client
is using a revoked certificate or not. Is ssl_crl the only way to
checked
for revoked client certificates or can nginx be configured to use OCSP
for
client certificates ?


Thanks.
A8108a0961c6087c43cda32c8616dcba?d=identicon&s=25 Maxim Dounin (Guest)
on 2014-08-27 18:56
(Received via mailing list)
Hello!

On Wed, Aug 27, 2014 at 11:51:08AM -0500, Mohammad Dhedhi wrote:

> Hi,
>
> I was able to setup nignx with client certificate authentication and OCSP
> stapling. I however noticed that OCSP is used only for the nginx server ssl
> certificate.
>
> It does not use OCSP for validating client certificates to see if a client
> is using a revoked certificate or not. Is ssl_crl the only way to checked
> for revoked client certificates or can nginx be configured to use OCSP for
> client certificates ?

No, nginx doesn't support OCSP-based validation of client
certificates, it only supports OCSP stapling.  If you want to
check revocation of client certificates, the only available option
is to use ssl_crl.

--
Maxim Dounin
http://nginx.org/
2974d09ac2541e892966b762aad84943?d=identicon&s=25 prozit (Guest)
on 2015-06-28 18:20
(Received via mailing list)
Hi,

Actually, I had the same questions.
Is this something that's available by now, or is it in the pipeline of
any
new release of Nginx or will it never be?

I'm just asking since I believe this might be a good feature to add
since
CRL's could get very big when lots of certificate have been revoked, and
since it is not a realtime updating mechanism.

By using a OCSP, there is a little overhead of contacting the OCSP for
checking each client certificate that is being validated...
I believe this to be much more efficient than regularly
downloading/uploading a CRL and reloading Nginx. This process can fail
on
multiple locations which makes it harder to track and a big disadvantage
of
the CRL's is that they are not realtime updated, which is the case for
OCSP's.
This way revoking a certificate will cause it to immediately retract the
access to client certificate secured applications (for all new
sessions).

Is it already supported in some version of Nginx or is it planned
somewhere
in the future?

Many thanks,
Kind regards,

Francis Claessens.

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,252893,259954#msg-259954
A8108a0961c6087c43cda32c8616dcba?d=identicon&s=25 Maxim Dounin (Guest)
on 2015-07-06 01:44
(Received via mailing list)
Hello!

On Sun, Jun 28, 2015 at 12:20:06PM -0400, prozit wrote:

> I believe this to be much more efficient than regularly
> downloading/uploading a CRL and reloading Nginx. This process can fail on
> multiple locations which makes it harder to track and a big disadvantage of
> the CRL's is that they are not realtime updated, which is the case for
> OCSP's.
> This way revoking a certificate will cause it to immediately retract the
> access to client certificate secured applications (for all new sessions).
>
> Is it already supported in some version of Nginx or is it planned somewhere
> in the future?

As of now, there are no plans to support OCSP-based validation of
client certificates.

--
Maxim Dounin
http://nginx.org/
Please log in before posting. Registration is free and takes only a minute.
Existing account

NEW: Do you have a Google/GoogleMail, Yahoo or Facebook account? No registration required!
Log in with Google account | Log in with Yahoo account | Log in with Facebook account
No account? Register here.