Open Cryptophobia opened 6 years ago
This is not so easy to implement.
In order to use OCSP stapling, each vHost would have to specify the ssl_trusted_certificate, which is a PEM file containing only the certificate chain (intermediate certificate(s)).
Because Workflow stores the intermediates bundled with the certificate, this would mean parsing the certificate bundle to extract the intermediate certs.
In addition to that, the router needs a proper resolver set up, to be able to resolve the hostname of the OCSP server.
We could grab the resolver from the /etc/resolv.conf during startup:
# ipv6=off when the kernel has IPv6 disabled, otherwise ipv6=on
test "$(sysctl -n net.ipv6.conf.all.disable_ipv6)" = 1 && ipv6=off || ipv6=on
# collect every nameserver from resolv.conf, space-separated, and append the ipv6 flag
export RESOLVERS="$(awk 'BEGIN{ORS=" "} $1=="nameserver" {print $2}' /etc/resolv.conf)ipv6=$ipv6"
The IPv6 check is needed, because the OCSP responder might have AAAA records that are unreachable if the router does not have IPv6 enabled.
The snippet was taken from some internal NGINX proxies I'm running on K8s.
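As an added example (not code from the router project or from this thread), here is a POSIX shell sketch of the two pieces the comment describes: splitting a bundle into the leaf certificate and the chain file that ssl_trusted_certificate needs, and turning a resolv.conf into the nginx resolver directive with the IPv6 switch. It assumes the bundle lists the leaf first and the intermediates after it; the sample PEM blocks and nameserver address are constructed placeholders, not real certificates.

```shell
# Split a PEM bundle (assumed order: leaf first, then intermediates)
# into the leaf certificate and the chain file for ssl_trusted_certificate.
# Usage: split_bundle BUNDLE LEAF_OUT CHAIN_OUT
split_bundle() {
  bundle=$1; leaf=$2; chain=$3
  # Block 1 is the leaf, every later block belongs to the chain.
  awk -v leaf="$leaf" -v chain="$chain" '
    /-----BEGIN CERTIFICATE-----/ { n++ }
    n == 1 { print > leaf }
    n >= 2 { print > chain }
  ' "$bundle"
}

# Count certificates in a PEM file, to sanity-check the split.
cert_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Build the nginx "resolver" directive from a resolv.conf-style file.
# ipv6_disabled is the value of net.ipv6.conf.all.disable_ipv6 (1 = off),
# passed as an argument so the function can be exercised offline.
resolver_directive() {
  resolv=$1; ipv6_disabled=$2
  [ "$ipv6_disabled" = 1 ] && ipv6=off || ipv6=on
  ns=$(awk 'BEGIN{ORS=" "} $1=="nameserver" {print $2}' "$resolv")
  # Refuse to emit a directive without any nameserver; nginx would reject it.
  [ -n "$ns" ] || return 1
  printf 'resolver %sipv6=%s;\n' "$ns" "$ipv6"
}

# Emit the per-vHost stapling directives for a given chain file.
stapling_snippet() {
  printf 'ssl_stapling on;\nssl_stapling_verify on;\nssl_trusted_certificate %s;\n' "$1"
}

# Demo on constructed input (placeholder PEM blocks, not real certificates).
demo_dir=$(mktemp -d)
printf -- '-----BEGIN CERTIFICATE-----\nLEAF\n-----END CERTIFICATE-----\n' > "$demo_dir/bundle.pem"
printf -- '-----BEGIN CERTIFICATE-----\nINT1\n-----END CERTIFICATE-----\n' >> "$demo_dir/bundle.pem"
printf -- '-----BEGIN CERTIFICATE-----\nINT2\n-----END CERTIFICATE-----\n' >> "$demo_dir/bundle.pem"
printf 'nameserver 10.96.0.10\nsearch svc.cluster.local\n' > "$demo_dir/resolv.conf"
split_bundle "$demo_dir/bundle.pem" "$demo_dir/leaf.pem" "$demo_dir/chain.pem"
echo "chain certs: $(cert_count "$demo_dir/chain.pem")"
resolver_directive "$demo_dir/resolv.conf" 1
stapling_snippet "$demo_dir/chain.pem"
```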
From @helgi on September 22, 2016 14:43
Performance and more
https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
Copied from original issue: deis/router#257