I do not want to validate OCSP responses client-side, which are OK. I want to have details about the status of nginx's validation of the initial OCSP query it did to the OCSP responder of the CA, especially when it goes wrong.
I noted that even though ssl_trusted_certificate is not set or set with a wrong (set of) certificate(s), a cached OCSP response will be served by nginx to the client after an initial request has been made to a domain hosted by it and served through TLS. I want to know the consequences of having such a directive badly configured:

- error.log message? Found nothing
- modified OCSP response? Nope
- ...

What am I supposed to notice and where/when?

---
*B. R.*

On Tue, Mar 1, 2016 at 5:33 PM, Alt <[email protected]> wrote:

> Hello,
>
> You can check with this command found on this website:
> https://unmitigatedrisk.com/?p=100
> openssl s_client -connect login.live.com:443 -tls1 -tlsextdebug -status
>
> If everything goes well, you should find something like:
> "OCSP response:
> ======================================
> OCSP Response Data:
> OCSP Response Status: successful (0x0)
> Response Type: Basic OCSP Response
> ..."
>
> If there's no stapling, you'll get:
> "OCSP response: no response sent".
>
> Please note: when you restart nginx, you won't get an OCSP answer
> immediately. You'll have to visit the URL and wait a few seconds before
> having the stapling working for the next request. IIRC, this behavior is
> because OCSP servers may be slow to answer.
>
> Best Regards
>
> Posted at Nginx Forum:
> https://forum.nginx.org/read.php?2,264967,264977#msg-264977
>
> _______________________________________________
> nginx mailing list
> [email protected]
> http://mailman.nginx.org/mailman/listinfo/nginx
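Turning the `openssl s_client -status` check from Alt's reply into something a monitor can run unattended, as an added example that is not code from the thread: `classify_stapling` and `check_host` are names chosen here, the transcripts in the comments are constructed, and the `Cert Status:` line is the one OpenSSL prints when it dumps a basic OCSP response.

```shell
#!/bin/sh
# Classify the stapling section of an `openssl s_client -status` transcript
# read from stdin. Prints exactly one word:
#   none            - "OCSP response: no response sent" (stapling off, not yet
#                     primed after a restart, or no OCSP section at all)
#   stapled-good    - successful response whose Cert Status is good
#   stapled-revoked - successful response that says the certificate is revoked
#   stapled-unknown - successful response with any other Cert Status
#   stapled-error   - a stapled response whose status is not "successful"
# Exit status is 0 only for stapled-good, so the result can gate an alert.
classify_stapling() {
  transcript=$(cat)
  case "$transcript" in
    *"OCSP response: no response sent"*)
      echo none; return 1 ;;
  esac
  case "$transcript" in
    *"OCSP Response Status: successful"*)
      ;;
    *"OCSP response:"*)
      # A staple was sent, but the responder did not answer "successful".
      echo stapled-error; return 1 ;;
    *)
      # No OCSP section (for example the handshake failed): treat as no staple.
      echo none; return 1 ;;
  esac
  # OpenSSL's response dumper prints an indented "Cert Status: <good|revoked|unknown>".
  status=$(printf '%s\n' "$transcript" | sed -n 's/^ *Cert Status: *//p' | head -n 1)
  case "$status" in
    good)    echo stapled-good; return 0 ;;
    revoked) echo stapled-revoked; return 1 ;;
    *)       echo stapled-unknown; return 1 ;;
  esac
}

# Probe a live server (needs network access). The hostname is whatever you pass in;
# -servername sends SNI so nginx picks the right virtual host and its staple.
check_host() {
  host=${1:?usage: check_host HOSTNAME}
  openssl s_client -connect "$host:443" -servername "$host" -status \
    </dev/null 2>/dev/null | classify_stapling
}
```

Run `check_host example.org` twice a few seconds apart after an nginx restart: the first probe is expected to report `none` until nginx has fetched and cached the responder's answer, as the reply above notes.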
