Hi Lukas,

On Tue, Nov 06, 2012 at 04:57:59PM +0100, Lukas Tribus wrote:
> Don't know if it helps without some knowledge of the nginx source code, but
> here [1] you can find the patches applied to nginx to introduce OCSP support.

Thanks for the pointer. Anyway, as you suspect, source code alone doesn't tell much about the real benefits to expect from this feature, nor how it's supposed to be used (especially by clients).

> It doesn't seem to be trivial to implement though, because you also need to
> run (at regular intervals) an OCSP query towards the CA's OCSP server...

Amusingly, running a task at regular intervals is the easiest part to do; it's just like health checks. We could decide to dedicate such a task per stapling-enabled bind line and it would not be much of an issue. The overhead would not even be measurable if we were working at insane refresh rates.

What's unclear to me is how many clients support this nowadays, how many servers do, whether or not users are willing to allow outgoing connections to fetch such cert statuses, whether or not non-stapling-aware clients would be impacted by the feature (e.g. increased handshake size due to the advertised extension and data sent to everyone), etc.

I think we need to take more time to study this in detail, but until someone comes with a detailed description of what this will bring to his site, I'm not sure anyone will spend more time on this :-/

Regards,
Willy

