Opened 7 years ago

Closed 5 years ago

#1534 closed enhancement (fixed)

OCSP client certificate validation

Reported by: gfrankliu@… Owned by:
Priority: minor Milestone:
Component: nginx-core Version: 1.13.x
Keywords: OCSP client certificate Cc:
uname -a: Linux
nginx -V: 1.14.0

Description

As discussed here https://forum.nginx.org/read.php?2,252893,252895
It would be great if nginx can support using OCSP for validating client certificates.

Change History (8)

comment:1 by laurivosandi@…, 7 years ago

I am also interested in this feature

comment:2 by maxim, 6 years ago

Milestone: 1.15nginx-1.15

Milestone renamed

comment:3 by boardbloke@…, 6 years ago

+1 We have a number of use cases that require Mutual TLS with OCSP responder checking.

We would really like to be able to use NGINX for this, but presently have no option but to use competitor products

comment:4 by maxim, 6 years ago

Milestone: nginx-1.15

Ticket retargeted after milestone closed

comment:5 by sempercr@…, 6 years ago

Again as stated by my colleague in a previous post, we have several use cases that require Mutual TLS with OCSP responder checking. Since we have already implemented Nginx within our Ecosystem, we would like to move forward with a solution from the NGINX team. Please look into providing this as this would benefit the community as a hole.

comment:6 by kurbar@…, 5 years ago

Estonia uses OCSP to verify client certificate validity for national ID cards. This feature would be awesome as it would make identifications more effective.

comment:7 by Roman Arutyunyan, 5 years ago

In 7653:8409f9df6219/nginx:

SSL: client certificate validation with OCSP (ticket #1534).

OCSP validation for client certificates is enabled by the "ssl_ocsp" directive.
OCSP responder can be optionally specified by "ssl_ocsp_responder".

When session is reused, peer chain is not available for validation.
If the verified chain contains certificates from the peer chain not available
at the server, validation will fail.

comment:8 by Roman Arutyunyan, 5 years ago

Resolution: fixed
Status: newclosed

Fix committed.

Note: See TracTickets for help on using tickets.