What to do about OCSP and ACME Let's Encrypt

LE has announced an Intent to end OCSP service in favor of using CRLs. I read their article on CRLs and they’re vendoring the bloom filters through browser providers (they mention Firefox and Chrome shipping CRLs within the auto-update mechanism).

Since I use ACME certificates, I looked at my nginx configuration and saw that I have stapling enabled via services.nginx.recommendedTlsSettings, which adds these two relevant config options:

        # OCSP stapling
        ssl_stapling on;
        ssl_stapling_verify on;

TLS still works with recommendedTlsSettings disabled, but leaving it off means I lose the rest of the recommended configuration attributes. I looked for a way to add them back, but something like httpConfig.extraParameters doesn’t exist yet so I haven’t quite figured that out.

As far as enabling CRLs, it looks like the relevant nginx parameter is ssl_crl, and it’s useful to set ssl_verify_client optional_no_ca. I’ve also failed to figure out how to configure those options using services.nginx for the same reason.

I might be wrong, but basically as far as I can tell, it isn’t possible to do what ACME LE wants us to do yet using services.nginx. It’s obviously not urgent to make such a change yet, but wanted to write about my experience here in case anyone had advice on this topic.
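One way to keep the rest of the recommended settings while dropping the stapling directives, as an added example that is not part of the original post or of nixpkgs. It assumes the real options services.nginx.recommendedTlsSettings and services.nginx.virtualHosts.<name>.extraConfig, and uses a placeholder host name:

```nix
# Added example (not from the thread): keep recommendedTlsSettings, but turn
# OCSP stapling off for one virtual host. "example.invalid" is a placeholder.
{ config, ... }:
{
  services.nginx = {
    enable = true;
    # Still emits the protocol, cipher and session settings at http level.
    recommendedTlsSettings = true;

    virtualHosts."example.invalid" = {
      enableACME = true;
      forceSSL = true;
      # ssl_stapling is allowed in the server context, and a server-level
      # directive overrides the http-level one that recommendedTlsSettings
      # writes, so stapling can be disabled here without losing the rest.
      extraConfig = ''
        ssl_stapling off;
        ssl_stapling_verify off;
      '';
    };
  };
}
```

Note that nginx's ssl_crl and ssl_verify_client directives govern verification of client certificates presented to nginx, not revocation checking of nginx's own certificate, so they are not the replacement for stapling on the server side.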

Not sure what you mean by “pure nix”, but nix is a build system and arbitrary strings can be generated as part of a build. I see no reason why nix would fail to create a string.

1 Like

thanks, I edited the statement to be more precise

1 Like

Maybe we can reach out to the maintainers of this site? Mozilla SSL Configuration Generator

On the other hand, if the service is shut down, what does nginx do? It won’t break, does it? We can probably make removing the OCSP stapling conditional on the CA certificate used.

nginx’s OCSP stapling implementation is quite bad and probably shouldn’t be relied on. So if anything the server-side configuration will become simpler and more robust with these changes. If you request a Must-Staple certificate then you’ll want to stop doing that once this change goes through, but they’re announcing it well in advance so I wouldn’t panic just yet.

You only need to care about CRLs if your web server is making outgoing TLS requests to servers with Let’s Encrypt certificates that it wants to do full certificate validation and revocation checking for. This is relatively rare, since usually even when nginx is making HTTP requests you’d just be doing reverse proxying to a local service or whatever. But, yes, if you really are doing that (and you have a robust enough setup for it to matter now, e.g. OCSP that doesn’t fail open) then things will get more complicated after this change.

2 Likes
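For the rarer case described above, where nginx itself makes outgoing TLS connections to an upstream with a Let’s Encrypt certificate and should verify it against a CRL, the following is an added example, not code from the thread or from nixpkgs. It assumes nginx’s proxy_ssl_* directives (which exist in the http, server and location contexts) and uses placeholder host names and file paths:

```nix
# Added example (not from the thread): reverse proxy to a remote HTTPS
# upstream with full chain validation and CRL-based revocation checking.
# Host names and the CRL path are placeholders.
{ config, ... }:
{
  services.nginx.virtualHosts."example.invalid".locations."/" = {
    proxyPass = "https://upstream.example.invalid";
    extraConfig = ''
      # Verify the upstream certificate against the system trust store.
      proxy_ssl_verify on;
      proxy_ssl_verify_depth 2;
      proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
      proxy_ssl_server_name on;
      proxy_ssl_name upstream.example.invalid;

      # Revocation checking. nginx never downloads CRLs itself: this PEM file
      # must be refreshed out of band (for example by a systemd timer), and
      # nginx enables CRL checking for the whole chain, so the file must hold
      # a CRL for every CA in the chain or verification fails closed.
      proxy_ssl_crl /var/lib/nginx-crl/lets-encrypt-chain.pem;
    '';
  };
}
```

Unlike OCSP stapling, this fails closed when the CRL file is stale or incomplete, which is the behaviour you want for revocation checking but also the reason the refresh job needs monitoring.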

My understanding is that Mozilla fired the team maintaining their recommended security configurations. (Yes, this means we probably shouldn’t be uncritically copying them at this point.)

3 Likes