nginx: ssl_stapling_verify: What exactly is being verified?

nginx ocsp
7,943

I found in Nginx souce code. the file ngx_event_openssl_stapling.c#L660:

OCSP_basic_verify(basic, chain, store,staple->verify ? OCSP_TRUSTOTHER :OCSP_NOVERIFY
if you config `ssl_stapling_verify` value is on, then `staple->verify` will true, next the function `OCSP_basic_verify` will use `OCSP_TRUSTOTHER ` param to verified.

then, I found the OCSP_basic_verify function in openssl libaray, it said:

Then the function already returns success if the flags contain OCSP_NOVERIFY or if the signer certificate was found in certs and the flags contain OCSP_TRUSTOTHER.

the more about is here: https://meto.cc/article/what-exactly-did-ssl_stapling_verify-verify

Share:
7,943

Related videos on Youtube

Bratwurstmobil
Author by

Bratwurstmobil

Updated on September 18, 2022

Comments

  • Bratwurstmobil
    Bratwurstmobil almost 2 years

    What exactly does the ssl_stapling_verify directive? Does it check if the signature of the answer is correct? The official nginx documentation is very vague in explaining this:

    https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling_verify

    Enables or disables verification of OCSP responses by the server.

    For verification to work, the certificate of the server certificate issuer, the root certificate, and all intermediate certificates should be configured as trusted using the ssl_trusted_certificate directive.

  • EliaCereda
    EliaCereda about 7 years
    OCSP Stapling is controlled by the "ssl_stapling" directive and can be enabled independently of OCSP Stapling Verification. If verification is disabled the server simply forwards to the client the OCSP response it received from the CA, without performing any validation. Regarding the specific validations performed, I don't know for sure. It definitely includes checking the signature of the response and the validness of the certificate used to sign it.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

OCSP validation - unable to get local issuer certificate
Dart http.MultipartRequest not sending data to Lumen after relocating server to a different apache server, Postman works fine
Request header field Authorization is not allowed by Access-Control-Allow-Headers in preflight response. (nginx)
Failed to start The nginx HTTP and reverse proxy server issue
How to use FastCGI globally and Basic Auth in sublocations in nginx?
unable to configure grafana with graphite
NGINX: remove part of url permanantly
How to configure nginx to try_files first, if not exists follow the request_uri
Reverse proxy from nginx to squid
"upstream prematurely closed connection while reading response header from upstream" with nginx, PostgreSQL and Mono on Ubuntu MVC4 app