From 47de93961e88d3790120caeece0648ed6ab2c44c Mon Sep 17 00:00:00 2001
From: Joshua Tauberer
Date: Sat, 6 Jun 2015 23:24:09 +0000
Subject: [PATCH] OCSP improvements

* Set ssl_stapling_verify to off per https://sslmate.com/blog/post/ocsp_stapling_in_apache_and_nginx ('on' has no security benefits).
* Set resolver to 127.0.0.1, instead of Google Public DNS, because we might as well use our local nameserver anyway.
* Remove the commented line which per the link above would never be necessary anyway.

OCSP seems to work just fine after these changes.
---
 conf/nginx-ssl.conf | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/conf/nginx-ssl.conf b/conf/nginx-ssl.conf
index 8d1598c..1ce0f0c 100644
--- a/conf/nginx-ssl.conf
+++ b/conf/nginx-ssl.conf
@@ -69,7 +69,6 @@ ssl_dhparam STORAGE_ROOT/ssl/dh2048.pem;
 # 8.8.8.8 and 8.8.4.4 below are Google's public IPv4 DNS servers.
 # nginx will use them to talk to the CA.
 ssl_stapling on;
-ssl_stapling_verify on;
-resolver 8.8.8.8 8.8.4.4 valid=86400;
+ssl_stapling_verify off;
+resolver 127.0.0.1 valid=86400;
 resolver_timeout 10;
-#ssl_trusted_certificate /path/to/all-certs-in-chain.crt;
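Review bot: The two context comment lines at the top of the hunk are now wrong: they still say "8.8.8.8 and 8.8.4.4 below are Google's public IPv4 DNS servers", but the resolver directive on the new side points at 127.0.0.1. Replace them with something like `# nginx needs a resolver to reach the CA's OCSP responder when fetching staples;` / `# use the local nameserver rather than an external one.` Since the config now depends on a nameserver listening on 127.0.0.1:53, which this file does not itself guarantee, a short comment naming that assumption would help anyone deploying this outside the full setup; if the local resolver is down, resolver_timeout 10 is the only bound on the stapling lookup. It is also worth a one-line comment next to `ssl_stapling_verify off;` noting that nginx will then staple whatever the responder returns without checking it, so a bad or expired response is passed to clients rather than dropped server-side.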