OCSP Stapling #2240
I confess, I'm a little sad that we're not following the state.directory
pattern. Ah well.
Signed-off-by: Waldemar Quevedo <wally@synadia.com>
LGTM.
Signed-off-by: Waldemar Quevedo <wally@synadia.com>
LGTM
Adds basic OCSP Stapling support in the server for client connections. To enable, the server has to start with the following:
When OCSP is enabled this way, if a certificate has the 'status_request' (Must Staple) flag set, the server will make an HTTP request to the remote OCSP URL and fetch staples, which are cached on disk and served to the clients so that they can confirm the response. The TLS certificates can change at any time, and OCSP stapling is reload-aware.
To store OCSP Staples to disk, a store dir can be configured as follows:
Or in case there is a store dir for JetStream that will be used instead:
The OCSP staples will be stored in a directory created underneath it, e.g. $store_dir/ocsp
/cc @nats-io/core
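The description above says the server only fetches and caches a staple when the certificate carries the 'status_request' (Must Staple) flag. The following is an added example, not code from this pull request or from nats-server, showing how an operator can check a certificate for exactly that condition before enabling stapling: it inspects the RFC 7633 TLS feature extension (OID 1.3.6.1.5.5.7.1.24, value `status_request` = 5) and reads the OCSP responder URL from the certificate's Authority Information Access extension, which is the URL the server would have to reach. The certificate in the example is constructed in-memory test data; `newTestCert`, `MustStaple` and `OCSPResponders` are names chosen here, not identifiers from the project, and the responder URL `http://ocsp.example.invalid` is a placeholder.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// oidTLSFeature is id-pe-tlsfeature (RFC 7633). The extension value is a
// SEQUENCE OF INTEGER naming required TLS features; status_request is 5.
var oidTLSFeature = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 24}

const tlsFeatureStatusRequest = 5

// MustStaple reports whether cert carries the TLS feature extension with
// status_request listed, i.e. the "Must Staple" flag the PR description
// refers to. Malformed extension contents are reported as an error rather
// than silently treated as "not required".
func MustStaple(cert *x509.Certificate) (bool, error) {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidTLSFeature) {
			continue
		}
		var features []int
		rest, err := asn1.Unmarshal(ext.Value, &features)
		if err != nil {
			return false, fmt.Errorf("tlsfeature extension: %w", err)
		}
		if len(rest) != 0 {
			return false, fmt.Errorf("tlsfeature extension: trailing bytes")
		}
		for _, f := range features {
			if f == tlsFeatureStatusRequest {
				return true, nil
			}
		}
	}
	return false, nil
}

// OCSPResponders returns the responder URLs advertised in the certificate's
// Authority Information Access extension. An empty result means the server
// would have nowhere to fetch a staple from, even if Must Staple is set.
func OCSPResponders(cert *x509.Certificate) []string {
	return cert.OCSPServer
}

// newTestCert builds a constructed self-signed certificate for demonstration
// (hypothetical test data, not a deployment certificate). When mustStaple is
// true the TLS feature extension is added; a non-empty ocsp URL goes into AIA.
func newTestCert(mustStaple bool, ocsp string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.invalid"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	if ocsp != "" {
		tmpl.OCSPServer = []string{ocsp}
	}
	if mustStaple {
		// DER for SEQUENCE { INTEGER 5 }: 30 03 02 01 05
		val, err := asn1.Marshal([]int{tlsFeatureStatusRequest})
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidTLSFeature, Value: val}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := newTestCert(true, "http://ocsp.example.invalid")
	if err != nil {
		panic(err)
	}
	ms, err := MustStaple(cert)
	if err != nil {
		panic(err)
	}
	fmt.Println("must staple:", ms, "responders:", OCSPResponders(cert))
}
```

To run the same check against a real certificate file, replace `newTestCert` with `pem.Decode` followed by `x509.ParseCertificate`; a certificate that reports Must Staple but no responder URL is the misconfiguration worth catching before clients start enforcing the flag.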