beenull/power-mailinabox
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

OCSP improvements

Browse source 
* Set ssl_stapling_verify to off per https://sslmate.com/blog/post/ocsp_stapling_in_apache_and_nginx ('on' has no security benefits).
* Set resolver to 127.0.0.1, instead of Google Public DNS, because we might as well use our local nameserver anyway.
* Remove the commented line which per the link above would never be necessary anyway.

OCSP seems to work just fine after these changes.
This commit is contained in:
Joshua Tauberer 2015-06-06 23:24:09 +00:00
parent 1990f32ca4
commit 47de93961e
1 changed files with 2 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
conf/nginx-ssl.conf
View file

@ -69,7 +69,6 @@ ssl_dhparam STORAGE_ROOT/ssl/dh2048.pem;
# 8.8.8.8 and 8.8.4.4 below are Google's public IPv4 DNS servers. # 8.8.8.8 and 8.8.4.4 below are Google's public IPv4 DNS servers.
# nginx will use them to talk to the CA. # nginx will use them to talk to the CA.
ssl_stapling on; ssl_stapling on;
ssl_stapling_verify on; ssl_stapling_verify off;
resolver 8.8.8.8 8.8.4.4 valid=86400; resolver 127.0.0.1 valid=86400;
resolver_timeout 10; resolver_timeout 10;
#ssl_trusted_certificate /path/to/all-certs-in-chain.crt;