[cabfpub] Fwd: Re: [cabfrev] Must Staple Draft

Rick Andrews Rick_Andrews at symantec.com
Wed Oct 3 16:59:53 UTC 2012


> What happens in those cases where a server that does support stapling
> happens to not staple its response?
> 
> Will the very first nginx SSL handshake for each nginx worker get
> rejected for the unlucky client who tries visiting the site?  An nginx
> server with 16 worker processes will give out 16 SSL handshakes without
> a staple for each SSL certificate configured.

Given the current position of browser vendors to not favor requirements, I would say nothing would happen to those first nginx clients; they would proceed to their site without error or warning. The best we can hope for is that 'mustStaple' can be used by tools like SSLLabs or the SSL Observatory to point out non-conformance, and directly or indirectly get the web site owner to fix their configuration.

-Rick
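
A small model of the scenario discussed above, added here as an illustration; it is not part of the original message and is not nginx code. It assumes each worker fills its own staple cache only after its first handshake (as the quoted question describes) and that handshakes are dispatched round-robin; `Worker` and `probe` are hypothetical names.

```python
from itertools import cycle


class Worker:
    """One worker process with its own staple cache, empty at start-up (modelled)."""

    def __init__(self):
        self.staple = None

    def handshake(self):
        """Serve one handshake; return True if it carried a stapled response."""
        stapled = self.staple is not None
        if not stapled:
            # The miss triggers the OCSP fetch; only later handshakes on
            # this worker benefit from it. The value is a constructed stand-in.
            self.staple = b"constructed-ocsp-response"
        return stapled


def probe(num_workers, num_handshakes, must_staple, client_enforces):
    """Send handshakes round-robin across fresh workers and tally the outcomes.

    flagged  = handshakes a scanning tool would report as non-conformant
    rejected = handshakes that would fail if clients hard-enforced the flag
    """
    workers = [Worker() for _ in range(num_workers)]
    tally = {"stapled": 0, "unstapled": 0, "flagged": 0, "rejected": 0}
    for worker, _ in zip(cycle(workers), range(num_handshakes)):
        if worker.handshake():
            tally["stapled"] += 1
            continue
        tally["unstapled"] += 1
        if must_staple:
            tally["flagged"] += 1
            if client_enforces:
                tally["rejected"] += 1
    return tally


if __name__ == "__main__":
    # 16 workers as in the question; 64 handshakes is a constructed sample size.
    print("report-only:", probe(16, 64, must_staple=True, client_enforces=False))
    print("enforcing:  ", probe(16, 64, must_staple=True, client_enforces=True))
```

In report-only mode the cold-cache handshakes show up only as scanner findings; with hard enforcement the same handshakes become failed connections, one per worker and per certificate.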


