Client Certificate OCSP validate

Client Certificate OCSP validate

satay
Hi,
I'm wondering whether NGINX currently (I use 1.14.1) supports client
certificate OCSP validation?
The use case is when a client tries to log in to our web application and NGINX sits in
front of the application as a reverse proxy: can NGINX verify the client
cert to make sure the client cert hasn't been revoked by the authority?

If yes, is my configuration below correct?

        ssl_stapling            on;
        resolver                8.8.8.8;
        ssl_stapling_responder  http://10.10.10.10:2560;
        ssl_stapling_verify     on;
        ssl_trusted_certificate /etc/nginx/test/ca_chains.pem;


Thanks in advance.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,283763,283763#msg-283763

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx

Re: Client Certificate OCSP validate

Frank Liu

On Apr 13, 2019, at 12:16 AM, itplayer <[hidden email]> wrote:

Hi,
I'm wondering whether NGINX currently (I use 1.14.1) supports client
certificate OCSP validation?
The use case is when a client tries to log in to our web application and NGINX sits in
front of the application as a reverse proxy: can NGINX verify the client
cert to make sure the client cert hasn't been revoked by the authority?

If yes, is my configuration below correct?

       ssl_stapling            on;
       resolver                8.8.8.8;
       ssl_stapling_responder http://10.10.10.10:2560;
       ssl_stapling_verify     on;
       ssl_trusted_certificate /etc/nginx/test/ca_chains.pem;


Thanks in advance.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,283763,283763#msg-283763


Re: Client Certificate OCSP validate

satay
Hi Frank,
Yes, I see this ticket. So does it mean that NGINX still doesn't support this
feature?
Any alternative way to do the same thing?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,283763,283765#msg-283765
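
Added example, not part of the thread and not the nginx project's own configuration: the ssl_stapling* directives in the question staple the OCSP response for the server's own certificate, while client-certificate revocation is checked with ssl_crl (usable on 1.14.x) or with the ssl_ocsp directives that nginx added in 1.19.0. The server name, backend address, header names and every file path except ca_chains.pem are placeholders.

```nginx
# Added example. Placeholder values are marked; the responder URL, resolver
# and ca_chains.pem path are the ones posted in the thread.
server {
    listen 443 ssl;
    server_name app.example.com;                            # placeholder

    ssl_certificate         /etc/nginx/test/server.pem;     # placeholder
    ssl_certificate_key     /etc/nginx/test/server.key;     # placeholder

    # Server side: OCSP stapling. nginx fetches the OCSP response for ITS OWN
    # certificate and sends it in the handshake. These directives never look
    # at the certificate a client presents.
    ssl_stapling            on;
    ssl_stapling_verify     on;
    ssl_stapling_responder  http://10.10.10.10:2560;
    ssl_trusted_certificate /etc/nginx/test/ca_chains.pem;
    resolver                8.8.8.8;

    # Client side: require a certificate issued by the listed CA(s).
    ssl_client_certificate  /etc/nginx/test/client_ca.pem;  # placeholder
    ssl_verify_client       on;
    ssl_verify_depth        2;

    # Revocation, option 1 (works on 1.14.x): PEM file of CRLs.
    # The file is read at start/reload only, so refresh it and reload nginx
    # on a schedule. It must contain a CRL for every CA in the client chain,
    # otherwise verification of that chain fails.
    ssl_crl                 /etc/nginx/test/client_ca.crl;  # placeholder

    # Revocation, option 2 (nginx 1.19.0 and later only): OCSP lookup for
    # the client certificate chain. Uses the resolver above for the
    # responder host name. Uncomment after upgrading.
    # ssl_ocsp              on;
    # ssl_ocsp_responder    http://10.10.10.10:2560;
    # ssl_ocsp_cache        shared:ocsp:10m;

    location / {
        # With ssl_verify_client on, requests that fail verification are
        # rejected before reaching the backend. The headers let the
        # application log who authenticated.
        proxy_set_header    X-Client-Verify $ssl_client_verify;
        proxy_set_header    X-Client-DN     $ssl_client_s_dn;
        proxy_pass          http://127.0.0.1:8080;          # placeholder
    }
}
```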
