Hi,
I was able to setup nignx with client certificate authentication and
OCSP
stapling. I however noticed that OCSP is used only for the nginx server
ssl
certificate.
It does not use OCSP for validating client certificates to see if a
client
is using a revoked certificate or not. Is ssl_crl the only way to
checked
for revoked client certificates or can nginx be configured to use OCSP
for
client certificates ?
Thanks.
Hello!
On Wed, Aug 27, 2014 at 11:51:08AM -0500, Mohammad Dhedhi wrote:
Hi,
I was able to setup nignx with client certificate authentication and OCSP
stapling. I however noticed that OCSP is used only for the nginx server ssl
certificate.
It does not use OCSP for validating client certificates to see if a client
is using a revoked certificate or not. Is ssl_crl the only way to checked
for revoked client certificates or can nginx be configured to use OCSP for
client certificates ?
No, nginx doesn’t support OCSP-based validation of client
certificates, it only supports OCSP stapling. If you want to
check revocation of client certificates, the only available option
is to use ssl_crl.
–
Maxim D.
http://nginx.org/
Hi,
Actually, I had the same questions.
Is this something that’s available by now, or is it in the pipeline of
any
new release of Nginx or will it never be?
I’m just asking since I believe this might be a good feature to add
since
CRL’s could get very big when lots of certificate have been revoked, and
since it is not a realtime updating mechanism.
By using a OCSP, there is a little overhead of contacting the OCSP for
checking each client certificate that is being validated…
I believe this to be much more efficient than regularly
downloading/uploading a CRL and reloading Nginx. This process can fail
on
multiple locations which makes it harder to track and a big disadvantage
of
the CRL’s is that they are not realtime updated, which is the case for
OCSP’s.
This way revoking a certificate will cause it to immediately retract the
access to client certificate secured applications (for all new
sessions).
Is it already supported in some version of Nginx or is it planned
somewhere
in the future?
Many thanks,
Kind regards,
Francis Claessens.
Posted at Nginx Forum:
Hello!
On Sun, Jun 28, 2015 at 12:20:06PM -0400, prozit wrote:
I believe this to be much more efficient than regularly
downloading/uploading a CRL and reloading Nginx. This process can fail on
multiple locations which makes it harder to track and a big disadvantage of
the CRL’s is that they are not realtime updated, which is the case for
OCSP’s.
This way revoking a certificate will cause it to immediately retract the
access to client certificate secured applications (for all new sessions).
Is it already supported in some version of Nginx or is it planned somewhere
in the future?
As of now, there are no plans to support OCSP-based validation of
client certificates.
–
Maxim D.
http://nginx.org/