nginx: ssl_stapling_verify: what exactly is being verified?

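What exactly does the ssl_stapling_verify directive do? Does it check whether the signature of the response is correct? The official nginx documentation is very vague in explaining this: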

https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling_verify

Enables or disables verification of OCSP responses by the server.

For verification to work, the certificate of the server certificate issuer, the root certificate, and all intermediate certificates should be configured as trusted using the ssl_trusted_certificate directive.

Best answer
Wikipedia says,
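“OCSP stapling, formally known as the TLS Certificate Status Request extension, is an alternative approach to the Online Certificate Status Protocol (OCSP) for checking the revocation status of X.509 digital certificates. It allows the presenter of a certificate to bear the resource cost involved in providing OCSP responses by appending (“stapling”) a time-stamped OCSP response signed by the CA to the initial TLS handshake, eliminating the need for clients to contact the CA.”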

Emphasis added.

This directive turns the “alternative approach” of OCSP stapling on or off. By default, OCSP stapling is not enabled. You can enable it using

ssl_stapling_verify   on;
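
A server block that combines stapling with the verification described in the documentation quoted in the question. This is an added example, not part of the original question or answer; the hostname, file paths and resolver address are placeholders.

```nginx
# Added example; example.test, the /etc/nginx/tls/ paths and 192.0.2.53
# are placeholders to be replaced with real values.
server {
    listen 443 ssl;
    server_name example.test;

    # Leaf certificate followed by its intermediates, plus the private key.
    ssl_certificate     /etc/nginx/tls/example.test.fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/example.test.key;

    # Stapling itself: nginx obtains the OCSP response for its own
    # certificate and attaches it to the TLS handshake. Off by default.
    ssl_stapling on;

    # Verification of the obtained OCSP response by the server.
    # Off by default.
    ssl_stapling_verify on;

    # Trust material for that verification, as the quoted documentation
    # requires: issuer certificate, root certificate and all intermediate
    # certificates, concatenated in PEM form. Certificates in this file
    # are not sent to clients.
    ssl_trusted_certificate /etc/nginx/tls/ca-chain.pem;

    # Lets nginx resolve the hostname of the OCSP responder.
    resolver 192.0.2.53 valid=300s;
    resolver_timeout 5s;
}
```

To check the result from a client, run openssl s_client -connect example.test:443 -status and look for an "OCSP Response Status: successful" block in the output. nginx obtains the response lazily, so the first handshake after a reload may carry no stapled response.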
