What happens when nginx cannot request certificate status using ssl_stapling_verify


xrd
Hello,

I enabled "ssl_stapling" and "ssl_stapling_verify", and it works fine. But
sometimes I find a few error messages in error.log, ".....Operation
timed out) while requesting certificate status....", it seems the OCSP server
of my SSL provider cannot be connected to at that time.

I want to know, what happens when nginx cannot request certificate status? Can
the user still visit the website correctly? Thank you so much.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,286720,286720#msg-286720

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx

Re: What happens when nginx cannot request certificate status using ssl_stapling_verify

J.R.
> I enabled "ssl_stapling" and "ssl_stapling_verify", and it works fine. But
> sometimes I find a few error messages in error.log, ".....Operation
> timed out) while requesting certificate status....", it seems the OCSP server
> of my SSL provider cannot be connected to at that time.
>
> I want to know, what happens when nginx cannot request certificate status? Can
> the user still visit the website correctly? Thank you so much.

1. The OCSP certificate is valid for much longer than the intervals
your server renews it at, so even if you can't connect for a while it
should still be valid.
2. The client will contact the certificate's OCSP server directly if
you don't send the OCSP cert (or it's expired) for verification.
3. The above #2 statement assumes your SSL cert was NOT generated with
"Must Staple". If it is, then you would definitely need a valid OCSP
cert copy to send to clients, otherwise they will get an error.

I see several failed attempts in my error log every day, it happens...
Unless you have dozens & dozens of them from the same IP, I
wouldn't worry about it.
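The rule of thumb in the reply above (a few failures a day are normal, many from the same IP deserve a look) can be checked against error.log. The following is an added example, not part of the original thread: the threshold of 24, the constructed sample log lines, and the reading of "the same IP" as the `peer:` address nginx logs are all assumptions.

```python
import re
from collections import Counter

# Assumption: "dozens & dozens" is approximated as 24 failures per peer per day.
THRESHOLD = 24

# nginx logs stapling failures as "... while requesting certificate status,
# responder: <host>, peer: <ip:port>, certificate: ...". The peer field is
# absent when the responder hostname could not be resolved at all.
LINE_RE = re.compile(
    r'^(?P<day>\d{4}/\d{2}/\d{2}) \S+ \[\w+\] .*?'
    r'while requesting certificate status'
    r'(?:, responder: (?P<responder>[^,\s]+))?'
    r'(?:, peer: (?P<peer>[^,\s]+))?'
)

def stapling_failures(lines):
    """Count OCSP stapling fetch failures per (day, responder, peer)."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            key = (m["day"], m["responder"] or "?", m["peer"] or "unresolved")
            counts[key] += 1
    return counts

def noisy_peers(counts, threshold=THRESHOLD):
    """Return the (day, responder, peer) keys at or above the threshold."""
    return sorted(k for k, n in counts.items() if n >= threshold)

def sample_log():
    """Constructed sample lines (hostnames and addresses are placeholders)."""
    tmpl = ('{day} 03:{m:02d}:00 [error] 812#0: OCSP responder timed out '
            '(60: Operation timed out) while requesting certificate status, '
            'responder: ocsp.example.test, peer: {peer}, '
            'certificate: "/etc/ssl/site.pem"')
    log = [tmpl.format(day="2020/01/20", m=m, peer="192.0.2.10:80") for m in range(3)]
    log += [tmpl.format(day="2020/01/21", m=m, peer="198.51.100.7:80") for m in range(30)]
    # Unrelated error line that must not be counted.
    log.append('2020/01/21 04:00:00 [error] 812#0: *5 open() "/var/www/x" '
               'failed (2: No such file or directory)')
    return log

if __name__ == "__main__":
    counts = stapling_failures(sample_log())
    for key, n in sorted(counts.items()):
        flag = "INVESTIGATE" if key in noisy_peers(counts) else "ok"
        print(*key, n, flag)
```

To run it on a real log, pass an open file handle to `stapling_failures()` in place of `sample_log()`.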

Re: What happens when nginx cannot request certificate status using ssl_stapling_verify

xrd
Hello J.R., thank you, thanks.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,286720,286736#msg-286736
