
nftables and OCSP stapling

mx

My Apache error log shows:

AH01972: could not resolve address of OCSP responder ocsp.usertrust.com

The main reason is that my server's nftables blocks any requests to the Internet.

In my opinion a web server should not initiate any connections to the Internet, to be as secure as possible. But OCSP stapling requires DNS connections and HTTP(S) traffic from the server to my CA's servers.

Is it possible to allow only OCSP requests from the server, instead of all HTTP(S), via nftables?

I examined this communication and I found that the OCSP request is an HTTP POST with "Content-Type: application/ocsp-request". Can I use this to filter OCSP request connections?
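The following script is an added example, not part of the thread or of anything the poster ran. It shows the layer-3/4 form of the restriction the question asks for: nftables cannot match an HTTP header such as Content-Type, but it can confine the server's outbound traffic to its DNS resolver and to the addresses the OCSP responder currently resolves to. Assumptions: IPv4 only, a glibc `getent`, a modern `nft` that accepts rulesets on stdin, the placeholder resolver address 192.0.2.53, and the table name `egress` and the function names, which are my own choices.

```sh
#!/bin/sh
# Added example: build and apply an nftables output policy that lets the web
# server reach only its DNS resolver and the CA's OCSP responder.
# Assumptions: IPv4 only; RESOLVER is a placeholder to replace with the real
# resolver; RESPONDER_HOST comes from the certificate's AIA "OCSP" URL.
set -eu

RESOLVER="${RESOLVER:-192.0.2.53}"                        # placeholder
RESPONDER_HOST="${RESPONDER_HOST:-ocsp.usertrust.com}"    # from the error log

# Resolve the responder to its current IPv4 addresses, one per line.
# CDN-hosted responders return several addresses that change over time, and
# nft itself refuses a hostname that resolves to more than one address, so the
# set is refreshed from DNS here instead of being typed into the ruleset.
resolve_responder() {
    getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}

# Emit the ruleset. $1 = resolver address, remaining args = responder addresses.
# Declaring and deleting the table first makes a re-run replace the old policy
# atomically instead of appending to it.
build_ruleset() {
    resolver=$1; shift
    [ $# -gt 0 ] || { echo "no responder addresses to allow" >&2; return 1; }
    elements=$(printf '%s, ' "$@"); elements=${elements%, }
    cat <<EOF
table inet egress {}
delete table inet egress
table inet egress {
    set ocsp_responders {
        type ipv4_addr
        elements = { $elements }
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept
        ip daddr $resolver udp dport 53 accept
        ip daddr $resolver tcp dport 53 accept
        ip daddr @ocsp_responders tcp dport 80 accept
        log prefix "egress-drop: " drop
    }
}
EOF
}

# Usage: ./ocsp-egress.sh apply   (re-run from a timer so DNS changes are picked up)
if [ "${1:-}" = "apply" ]; then
    # shellcheck disable=SC2046   # word splitting of the address list is intended
    build_ruleset "$RESOLVER" $(resolve_responder "$RESPONDER_HOST") | nft -f -
fi
```

The `ct state established,related accept` line is what keeps the server answering its own clients: their connections were opened inbound, so the replies are not new outbound flows. OCSP is fetched over plain HTTP, which is why only port 80 to the responder set is opened; a resolver on loopback (for example a local stub) is covered by the `oif "lo"` rule. Anything else the server tries to open is logged with the `egress-drop:` prefix, which is the place to look if stapling still fails after loading the policy, and `openssl s_client -connect your.host:443 -status </dev/null` reports "OCSP Response Status: successful" once mod_ssl is able to staple.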
