We have been informed by our CA that they will be moving their
OCSP servers to "the cloud" - it was a fixed set of IPs before.
These fixed sets could relatively easily be entered as firewall rules
(and hosts-file entries, should DNS resolution be unavailable).
Of course, they could just as easily be picked by script kiddies and
wannabe hackers as targets for a DDoS.
As such, I would need to allow outbound HTTP connections to the whole
internet, which is pretty much the opposite of what I want to do.
And that's ignoring for a moment the necessity to allow outbound DNS...
It would be cool if nginx would be able to do the stapling through a
nginx mailing list
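An added example for this thread (not the poster's code and not part of nginx): nginx already accepts a pre-fetched response via `ssl_stapling_file` (a DER file, as written by `openssl ocsp -respout`) and then serves it as-is, so the TLS server itself needs neither outbound HTTP nor DNS. The script below fetches and verifies such a response on a host that is allowed to reach the responder; every path, host name and the responder URL override in it are assumptions.

```shell
#!/bin/sh
# Added example, not from the poster or from nginx: pre-fetch and verify an
# OCSP response on a host that may reach the responder, then hand the file to
# nginx, which serves it unchanged and never opens an outbound connection:
#   ssl_stapling on;
#   ssl_stapling_file /etc/nginx/ocsp/example.der;   # assumed path, DER format
# All file names and the responder URL in this script are assumptions.
set -eu

# Print the OCSP responder URL from the certificate's Authority Information
# Access extension (prints nothing if the certificate carries none).
ocsp_uri() {
    openssl x509 -noout -ocsp_uri -in "$1"
}

# Verify a DER OCSP response and print the certificate's status.
#   $1 leaf cert  $2 issuer cert  $3 trust anchors (CA bundle)  $4 response
# Prints good, revoked or unknown; returns non-zero if the response does not
# verify against the trust anchors, so a forged or mis-routed answer is never
# installed. openssl's exit status is deliberately not relied on: the text
# output is checked for "Response verify OK" instead.
ocsp_status() {
    out=$(openssl ocsp -respin "$4" -issuer "$2" -cert "$1" -CAfile "$3" \
                       -no_nonce 2>&1) || true
    case $out in
        *"Response verify OK"*) ;;
        *) printf '%s\n' "$out" >&2; return 1 ;;
    esac
    # openssl prints the summary line as "<cert file>: <status>"
    status=$(printf '%s\n' "$out" | grep -F "$1: " | awk '{ print $NF; exit }')
    [ -n "$status" ] || return 1
    printf '%s\n' "$status"
}

# Fetch a fresh response and install it only if it verifies and says "good".
#   $1 leaf  $2 issuer  $3 trust anchors  $4 output file  [$5 responder URL]
# The URL normally comes from the certificate; override it to route the query
# through an internal forwarding proxy, the one host allowed outbound HTTP.
fetch_ocsp() {
    url=${5:-$(ocsp_uri "$1")}
    [ -n "$url" ] || { echo "no OCSP responder URL in $1" >&2; return 1; }
    tmp=$(mktemp)
    # -noverify here: verification (against the right trust anchors) is done
    # by ocsp_status below, on the exact bytes that will be stapled.
    openssl ocsp -issuer "$2" -cert "$1" -url "$url" -no_nonce \
                 -respout "$tmp" -noverify >/dev/null
    if status=$(ocsp_status "$1" "$2" "$3" "$tmp") && [ "$status" = good ]; then
        chmod 0644 "$tmp"       # nginx workers must be able to read it
        mv "$tmp" "$4"          # replace the file whole; reload nginx afterwards
    else
        rm -f "$tmp"
        echo "refusing to staple: status '${status:-unverified}'" >&2
        return 1
    fi
}

# Example invocation (assumed paths), e.g. from a cron job on the fetch host:
#   fetch_ocsp /etc/ssl/example.pem /etc/ssl/issuer.pem /etc/ssl/ca-bundle.pem \
#              /etc/nginx/ocsp/example.der
```

With `ssl_stapling_file` nginx does no fetching of its own, so the `resolver` directive that `ssl_stapling on` otherwise needs is not required and the web server's egress rules can stay closed; only the fetch host (or the proxy it points the `-url` at) needs to reach the responder. The other nginx knob, `ssl_stapling_responder`, overrides the responder URL but still has nginx make the HTTP request itself, so it only helps if you already have an internal proxy it may talk to.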