On Fri, 2 Jun 2023 at 21:55, Willy Tarreau <w...@1wt.eu> wrote:

> Initially during the design phase we thought about having 3 states:
> "off", "on", "auto", with the last one only enabling updates for certs
> that already had a .ocsp file. But along discussions with some users
> we were told that it was not going to be that convenient (I don't
> remember why, but I think that Rémi and/or William probably remember
> the reason), and it ended up dropping "auto".
>
> Alternately maybe instead of enabling for all certs, what would be
> useful would be to just change the default, because if you have 100k
> certs, it's likely that 99.9k work one way and the other ones the other
> way, and what you want is to indicate the default and only mention the
> exception for those concerned.

I suggest we make it configurable on the bind line like other ssl options, so it will work for the common use cases that don't involve crt-lists, like a simple crt statement pointing to a certificate or a directory.

It could also be a global option *as well*, but imho it does need to be a bind line configuration option, just like strict-sni, alpn and ciphers, so we can enable it specifically (per frontend, per bind line) without requiring crt-list.

Lukas