OCSP stapling for client certificates


OCSP stapling for client certificates

Mohammad Dhedhi
Hi,

I was able to set up nginx with client certificate authentication and OCSP stapling. I however noticed that OCSP is used only for the nginx server SSL certificate.

It does not use OCSP for validating client certificates to see if a client is using a revoked certificate or not. Is ssl_crl the only way to check for revoked client certificates, or can nginx be configured to use OCSP for client certificates?


Thanks.

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx

Re: OCSP stapling for client certificates

Maxim Dounin
Hello!

On Wed, Aug 27, 2014 at 11:51:08AM -0500, Mohammad Dhedhi wrote:

> Hi,
>
> I was able to set up nginx with client certificate authentication and OCSP
> stapling. I however noticed that OCSP is used only for the nginx server SSL
> certificate.
>
> It does not use OCSP for validating client certificates to see if a client
> is using a revoked certificate or not. Is ssl_crl the only way to check
> for revoked client certificates, or can nginx be configured to use OCSP for
> client certificates?

No, nginx doesn't support OCSP-based validation of client
certificates, it only supports OCSP stapling.  If you want to
check revocation of client certificates, the only available option
is to use ssl_crl.

--
Maxim Dounin
http://nginx.org/


Re: OCSP stapling for client certificates

vedranf
Hi,

Actually, I had the same question.
Is this something that's available by now, or is it in the pipeline of any
new release of Nginx, or will it never be?

I'm just asking since I believe this might be a good feature to add, since
CRLs can get very big when lots of certificates have been revoked, and
since it is not a real-time updating mechanism.

By using OCSP, there is a little overhead of contacting the OCSP responder for
checking each client certificate that is being validated...
I believe this to be much more efficient than regularly
downloading/uploading a CRL and reloading Nginx. This process can fail in
multiple places, which makes it harder to track, and a big disadvantage of
CRLs is that they are not updated in real time, which is the case for
OCSP.
This way, revoking a certificate will immediately retract its
access to client-certificate-secured applications (for all new sessions).

Is it already supported in some version of Nginx, or is it planned somewhere
in the future?

Many thanks,
Kind regards,

Francis Claessens.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,252893,259954#msg-259954

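The two posts above describe the same pipeline from different sides: Maxim's answer says ssl_crl is the only revocation check nginx performs on client certificates, and Francis's objection is that the CRL is a file that has to be regenerated, distributed and reloaded. The script below is an added example (not code from the thread, from nginx, or from any poster) that walks that pipeline end to end with the openssl command-line tool: it builds a throwaway CA, issues a client certificate, publishes an (empty) CRL, revokes the certificate, republishes the CRL, and runs the same OpenSSL chain verification with CRL checking that ssl_crl enables. It also writes the matching nginx directives. Every name, subject and path in it is an assumption; $WORK defaults to a fresh temporary directory.

```shell
#!/bin/sh
# Added example, not from the thread or from nginx. Demonstrates the
# CRL-based revocation pipeline nginx's ssl_crl relies on. All names
# and paths are assumptions; requires the openssl CLI.
set -eu

WORK="${WORK:-$(mktemp -d)}"

write_ca_config() {
  # Minimal openssl ca(1) setup. index.txt/serial/crlnumber are the CA's
  # database; openssl ca updates them on issue and on revoke.
  cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = example_ca
[ example_ca ]
dir              = $WORK
database         = \$dir/index.txt
new_certs_dir    = \$dir
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 1
policy           = any_policy
x509_extensions  = client_ext
[ any_policy ]
commonName = supplied
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
  : > "$WORK/index.txt"
  echo 01 > "$WORK/serial"
  echo 01 > "$WORK/crlnumber"
}

make_ca() {
  # Self-signed CA with cRLSign, so its CRLs verify under openssl/nginx.
  write_ca_config
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Client CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

issue_client() {
  openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=alice" -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  openssl ca -config "$WORK/ca.cnf" -batch -notext \
    -in "$WORK/client.csr" -out "$WORK/client.crt" 2>/dev/null
}

publish_crl() {
  # This file is what ssl_crl points at. nginx reads it when the config is
  # loaded, so a freshly published CRL only takes effect after a reload.
  openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/ca.crl" 2>/dev/null
}

revoke_client() {
  openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/client.crt" 2>/dev/null
}

revocation_status() {
  # -crl_check is the check ssl_crl switches on: the leaf's serial is looked
  # up in its issuer's CRL and verification fails if it is listed.
  if out=$(openssl verify -CAfile "$WORK/ca.crt" -crl_check \
             -CRLfile "$WORK/ca.crl" "$WORK/client.crt" 2>&1); then
    echo valid
  else
    case "$out" in
      *revoked*) echo revoked ;;
      *)         echo "error: $out" ;;
    esac
  fi
}

write_nginx_snippet() {
  # Matching nginx directives (assumed paths); per the thread this is the
  # only client-certificate revocation check nginx offers.
  cat > "$WORK/clientcert.conf" <<EOF
ssl_verify_client       on;
ssl_client_certificate  $WORK/ca.crt;
ssl_crl                 $WORK/ca.crl;
EOF
}

main() {
  make_ca; issue_client; publish_crl
  echo "before revocation: $(revocation_status)"
  revoke_client; publish_crl
  echo "after revocation:  $(revocation_status)"
  write_nginx_snippet
  echo "nginx snippet written to $WORK/clientcert.conf"
}
main
```

Two things the run makes concrete: the certificate only reads as revoked after the CRL is regenerated and re-read, which is the freshness gap Francis describes, and with -crl_check (as with ssl_crl) verification fails outright when no CRL for the issuer is available, so a missing or expired CRL file locks out every client rather than silently skipping the check.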

Re: OCSP stapling for client certificates

Maxim Dounin
Hello!

On Sun, Jun 28, 2015 at 12:20:06PM -0400, prozit wrote:

> Actually, I had the same question.
> Is this something that's available by now, or is it in the pipeline of any
> new release of Nginx, or will it never be?
>
> I'm just asking since I believe this might be a good feature to add, since
> CRLs can get very big when lots of certificates have been revoked, and
> since it is not a real-time updating mechanism.
>
> By using OCSP, there is a little overhead of contacting the OCSP responder for
> checking each client certificate that is being validated...
> I believe this to be much more efficient than regularly
> downloading/uploading a CRL and reloading Nginx. This process can fail in
> multiple places, which makes it harder to track, and a big disadvantage of
> CRLs is that they are not updated in real time, which is the case for
> OCSP.
> This way, revoking a certificate will immediately retract its
> access to client-certificate-secured applications (for all new sessions).
>
> Is it already supported in some version of Nginx, or is it planned somewhere
> in the future?

As of now, there are no plans to support OCSP-based validation of
client certificates.

--
Maxim Dounin
http://nginx.org/


Re: OCSP stapling for client certificates

xrd
Other than CRL, any other alternative way we can do OCSP validation in the
pipeline?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,252893,283766#msg-283766


Re: OCSP stapling for client certificates

xrd
I have the same question as itplayer: other than CRL, is there any alternative
way we can do OCSP validation in the pipeline?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,252893,286405#msg-286405


Re: OCSP stapling for client certificates

Frank Liu

On Dec 4, 2019, at 9:31 AM, ramirezc <[hidden email]> wrote:

> I have the same question as itplayer: other than CRL, is there any alternative
> way we can do OCSP validation in the pipeline?
>
> Posted at Nginx Forum: https://forum.nginx.org/read.php?2,252893,286405#msg-286405
