nghttpx: Verify OCSP response #929

tatsuhiro-t · 2017-05-24T15:12:39Z

At least we should make sure that the OCSP response is targeted to the
expected certificate. This is important because we pass the file path
to the external script, and if the file is replaced because of
renewal, and nghttpx has not reloaded its configuration, the
certificate nghttpx has loaded and the one included in the file
differ. Verifying the OCSP response detects this, and avoids to send
wrong OCSP response.

At least we should make sure that the OCSP response is targeted to the expected certificate. This is important because we pass the file path to the external script, and if the file is replaced because of renewal, and nghttpx has not reloaded its configuration, the certificate nghttpx has loaded and the one included in the file differ. Verifying the OCSP response detects this, and avoids to send wrong OCSP response.

tatsuhiro-t added enhancement app/nghttpx labels May 24, 2017

tatsuhiro-t added 2 commits May 25, 2017 23:14

nghttpx: Add --no-verify-ocsp to disable OCSP response verification

74c2f12

tatsuhiro-t force-pushed the nghttpx-verify-ocsp branch from b58573f to 74c2f12 Compare May 25, 2017 14:15

tatsuhiro-t added this to the v1.23.0 milestone May 25, 2017

tatsuhiro-t merged commit 74c2f12 into master May 25, 2017

tatsuhiro-t deleted the nghttpx-verify-ocsp branch May 25, 2017 14:38

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

nghttpx: Verify OCSP response #929

nghttpx: Verify OCSP response #929

tatsuhiro-t commented May 24, 2017

nghttpx: Verify OCSP response #929

nghttpx: Verify OCSP response #929

Conversation

tatsuhiro-t commented May 24, 2017