Extracting 'nextUpdate' from OCSP stapling responses
We have been playing with ngx.ocsp. Ideally, we'd like to cache the CA's responses. Is there a way to find for how long the responses are valid, similar to https://github.com/indutny/ocsp/blob/master/lib/ocsp/cache.js#L81-L117?
I've updated the title to better reflect our question. We are working with certificates from letsencrypt and their ocsp responses expire at fixed points in time, irrespective of when the ocsp request was sent. In order to refresh the response, it is vital to know when it expires. Is there any way to do that currently?
pinging @agentzh Currently, we are just polling the ocsp endpoint. Because of this, there are intervals where we are stapling an outdated response. It'd be great to do this more efficiently.
I'm deducing from the lack of responses that there is currently no way of doing this.
I had a look at the openssl and nginx source code and found a) a function that can extract nextUpdate (openssl) and b) a function to convert that value to time_t (nginx).
@agentzh I'd love some feedback on whether a PR adding a new method to ocsp would be welcome. There are two different methods that could solve our issue:
- get_nextupdate: Would return the `nextUpdate` timestamp as seconds since the unix epoch. Calculating its validity would then happen in lua-land. This may have timezone/clock delay issues.
- get_nextupdate_validity: Would return the difference between `nextUpdate` and C-land `t_now`. This way, lua-land can immediately set a time based on this, or, for negative values, request a new ocsp response.
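As an added illustration, not code from this thread, lua-resty-core, OpenSSL or nginx, the following Python models the two proposed methods and a cache decision built on them. It assumes `thisUpdate`/`nextUpdate` arrive as the ASN.1 GeneralizedTime strings OCSP uses (RFC 6960), treats a missing `nextUpdate` (which the protocol allows) as "poll instead of cache", and refuses a response whose `thisUpdate` lies in the future beyond a skew tolerance. Function names, the margin policy and the sample timestamps are constructed for the example.

```python
import calendar
import re
from typing import Optional

# Added example for the thread above; not the project's own code.
# OCSP (RFC 6960) encodes thisUpdate/nextUpdate as ASN.1 GeneralizedTime, e.g.
# "20240301120000Z". nextUpdate is OPTIONAL: when absent the responder gives no
# validity bound, so a cache has to fall back to polling.
_GENERALIZED_TIME = re.compile(r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(?:\.\d+)?Z$")


def generalized_time_to_epoch(value: str) -> int:
    """Convert a UTC ASN.1 GeneralizedTime string to seconds since the Unix epoch.

    Hypothetical stand-in for the nginx-side time_t conversion mentioned in the
    thread; only the 'Z' (UTC) form is accepted, which is what OCSP responders emit.
    """
    m = _GENERALIZED_TIME.match(value)
    if not m:
        raise ValueError(f"unsupported GeneralizedTime: {value!r}")
    year, month, day, hour, minute, second = (int(p) for p in m.groups())
    return calendar.timegm((year, month, day, hour, minute, second))


def get_nextupdate(next_update: Optional[str]) -> Optional[int]:
    """Proposed method 1: nextUpdate as epoch seconds, or None when the field is absent."""
    if next_update is None:
        return None
    return generalized_time_to_epoch(next_update)


def get_nextupdate_validity(next_update: str, now: int) -> int:
    """Proposed method 2: seconds until nextUpdate; negative means already expired."""
    return generalized_time_to_epoch(next_update) - now


def plan_refresh(this_update: str, next_update: Optional[str], now: int,
                 max_skew: int = 300, margin: float = 0.25, poll_interval: int = 60) -> dict:
    """Decide whether a fetched OCSP response may be stapled and when to refetch it.

    Returns {"usable": bool, "refresh_in": seconds, "reason": str}. The margin
    refetches before nextUpdate so the staple never goes stale while cached;
    max_skew tolerates small clock differences between responder and this host.
    """
    this_epoch = generalized_time_to_epoch(this_update)
    if this_epoch - now > max_skew:
        return {"usable": False, "refresh_in": poll_interval,
                "reason": "thisUpdate is in the future"}
    if next_update is None:
        return {"usable": True, "refresh_in": poll_interval,
                "reason": "no nextUpdate; poll the responder"}
    remaining = get_nextupdate_validity(next_update, now)
    if remaining <= 0:
        return {"usable": False, "refresh_in": 0, "reason": "nextUpdate has passed"}
    lifetime = get_nextupdate(next_update) - this_epoch
    # Refetch once only `margin` of the lifetime is left; never wait past expiry.
    refresh_in = max(0, remaining - int(lifetime * margin))
    return {"usable": True, "refresh_in": refresh_in, "reason": "cached until refresh"}


if __name__ == "__main__":
    # Constructed sample: a 12-hour validity window, evaluated one hour after thisUpdate.
    print(plan_refresh("20240301000000Z", "20240301120000Z", now=1709251200 + 3600))
```

Whichever of the two methods lands in the library, the cache logic is the same: compute the remaining validity on the Lua side, refetch some fraction of the lifetime before `nextUpdate`, and treat a negative remainder as "fetch now, do not staple".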
FWIW we are adding OCSP stapling feature to https://github.com/kubernetes/ingress-nginx and having thisUpdate and nextUpdate attributes exposed on the Lua land would be really useful for deciding cache validity.
I took an alternative stab at this: https://github.com/openresty/lua-resty-core/pull/296