Thanks for the suggestion. Some more questions:
a. When I use the create OCSP request API, must the certificate data be the certificate chain data?
Then I should first use get_responder_from_der_chain to get the CA URL, send the OCSP request to that URL to get the OCSP response, and cache the response.
When a client wants to do an SSL handshake:
a. First get the OCSP response from the cache.
b. Check whether the OCSP response is valid.
c. If valid, just set the status; if not, just let the client start the OCSP request normally, and we just use ngx.timer.at to get the new OCSP response and cache it.
On Saturday, October 10, 2015 at 2:59:14 PM UTC+8, Zi Lin wrote:
OCSP requests/responses can be created beforehand. An OCSP response is usually valid for 7 days. And then you can simply set the resp in the Lua script.
You can also do it at the time you choose the certificate, but waiting on getting an OCSP response incurs too much delay, so you had better do it separately in a non-blocking cosocket and cache the response. And of course, since you can't wait for the response, you can't do OCSP stapling for the first TLS handshake.
Hope that helps.
Zi
On Friday, October 9, 2015 at 2:19:56 AM UTC-7, 杨阳 wrote:
Hi, agentzh
We use ssl_certificate_by_lua to give clients dynamic certificates now, and we also want to provide OCSP stapling functions, and I find you have already supported this. I wonder how to use these functions? Below is what I understand:
a. Get the root & intermediate PEM format certificate data.
b. Change PEM to DER.
c. Use ssl.get_ocsp_responder_from_der_chain to construct the OCSP response.
d. Use ssl.valid_ocsp_response.
e. If OK, ssl.set_ocsp_status_resp.
But I don't know when to create the OCSP request, how to get the response, and how to deploy the directives in nginx.conf:
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/full_chain.pem;
ssl_certificate_by_lua xxx.lua;
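Putting the steps from the original question and the cache-then-refresh plan from the follow-up together, here is an added example of a complete ssl_certificate_by_lua handler. It is not code from this thread or from lua-resty-core itself. It uses the real lua-resty-core modules ngx.ssl and ngx.ocsp (the OCSP functions live in ngx.ocsp, and the validation function there is named validate_ocsp_response); all of them take the DER-encoded chain (leaf certificate first, then the intermediate), which answers question (a) above. The shared dict name ocsp_cache, the certificate directory /etc/ssl/dynamic/, the TTLs, and the use of the third-party lua-resty-http module for the POST to the responder are assumptions of this example.

```lua
-- ssl_certificate_by_lua_file /etc/nginx/lua/dynamic_cert_ocsp.lua
-- Added example (not the thread's or lua-resty-core's own code). Assumes
--   lua_shared_dict ocsp_cache 1m;      -- dict name is an assumption
--   ssl_stapling on;
-- in nginx.conf, and lua-resty-http (third-party) on lua_package_path.

local ssl  = require "ngx.ssl"
local ocsp = require "ngx.ocsp"
local http = require "resty.http"

local cache          = ngx.shared.ocsp_cache
local CERT_DIR       = "/etc/ssl/dynamic/"  -- assumed layout: <name>.pem (chain), <name>.key
local RESP_TTL       = 6 * 24 * 3600        -- cache below the usual ~7 day response validity
local REFRESH_AFTER  = 3600                 -- re-fetch in the background once per hour
local FETCH_LOCK_TTL = 30                   -- one in-flight fetch per name at a time

local function read_file(path)
    local f, err = io.open(path, "rb")
    if not f then return nil, err end
    local data = f:read("*a")
    f:close()
    return data
end

-- Timer callback: runs outside the handshake, so the cosocket HTTP POST never
-- delays a client. The response is validated against the chain BEFORE it is
-- cached, so a bad or stale responder answer is never stapled later.
local function refresh_ocsp(premature, name, der_chain)
    if premature then return end
    local url, err = ocsp.get_ocsp_responder_from_der_chain(der_chain)
    if not url then
        ngx.log(ngx.ERR, "no OCSP responder URL for ", name, ": ", err)
        return
    end
    local req, err = ocsp.create_ocsp_request(der_chain)
    if not req then
        ngx.log(ngx.ERR, "failed to build OCSP request for ", name, ": ", err)
        return
    end
    local httpc = http.new()
    httpc:set_timeout(3000)
    local res, err = httpc:request_uri(url, {
        method  = "POST",
        body    = req,
        headers = { ["Content-Type"] = "application/ocsp-request" },
    })
    if not res then
        ngx.log(ngx.ERR, "OCSP request to ", url, " failed: ", err)
        return
    end
    if res.status ~= 200 then
        ngx.log(ngx.ERR, "OCSP responder ", url, " returned status ", res.status)
        return
    end
    local ok, err = ocsp.validate_ocsp_response(res.body, der_chain)
    if not ok then
        ngx.log(ngx.ERR, "invalid OCSP response for ", name, ": ", err)
        return
    end
    cache:set("resp:" .. name, res.body, RESP_TTL)
    cache:set("fresh:" .. name, true, REFRESH_AFTER)
end

-- Pick the certificate by SNI name; restrict the characters so the name can
-- never be turned into a path traversal when it is joined to CERT_DIR.
local name = ssl.server_name() or "default"
if not name:match("^[%w][%w%.%-]*$") then name = "default" end

local pem_chain, err1 = read_file(CERT_DIR .. name .. ".pem")
local pem_key,   err2 = read_file(CERT_DIR .. name .. ".key")
if not pem_chain or not pem_key then
    ngx.log(ngx.ERR, "no certificate for ", name, ": ", err1 or err2)
    return ngx.exit(ngx.ERROR)
end
local der_chain, err = ssl.cert_pem_to_der(pem_chain)
local der_key,   err2 = ssl.priv_key_pem_to_der(pem_key)
if not der_chain or not der_key then
    ngx.log(ngx.ERR, "PEM to DER failed for ", name, ": ", err or err2)
    return ngx.exit(ngx.ERROR)
end
ssl.clear_certs()
ssl.set_der_cert(der_chain)
ssl.set_der_priv_key(der_key)

-- Steps a/b/c of the follow-up: staple from the cache only if it still validates.
local resp = cache:get("resp:" .. name)
if resp then
    local ok, err = ocsp.validate_ocsp_response(resp, der_chain)
    if ok then
        local ok2, err2 = ocsp.set_ocsp_status_resp(resp)
        if not ok2 then ngx.log(ngx.ERR, "set_ocsp_status_resp failed: ", err2) end
    else
        ngx.log(ngx.WARN, "dropping cached OCSP response for ", name, ": ", err)
        cache:delete("resp:" .. name)
    end
end

-- Refresh in the background when the cached copy is missing or older than
-- REFRESH_AFTER. This handshake goes out without a staple (the first one
-- always will, as Zi Lin notes); cache:add acts as a cheap per-name lock.
if not cache:get("fresh:" .. name)
   and cache:add("lock:" .. name, true, FETCH_LOCK_TTL) then
    local ok, err = ngx.timer.at(0, refresh_ocsp, name, der_chain)
    if not ok then ngx.log(ngx.ERR, "failed to start OCSP refresh timer: ", err) end
end
```

Two practical notes on this design: the file reads block the event loop briefly, so in a high-traffic deployment the PEM data is better preloaded into a shared dict or fetched over a cosocket; and because the cached response is re-validated on every handshake, a response that expires (or whose chain no longer matches) is simply not stapled, which degrades to the client's own OCSP lookup rather than to a hard failure.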