OCSP improvements

* Set ssl_stapling_verify to off per https://sslmate.com/blog/post/ocsp_stapling_in_apache_and_nginx ('on' has no security benefits). * Set resolver to 127.0.0.1, instead of Google Public DNS, because we might as well use our local nameserver anyway. * Remove the commented line which per the link above would never be necessary anyway. OCSP seems to work just fine after these changes.

OCSP improvements
* Set ssl_stapling_verify to off per https://sslmate.com/blog/post/ocsp_stapling_in_apache_and_nginx ('on' has no security benefits). * Set resolver to 127.0.0.1, instead of Google Public DNS, because we might as well use our local nameserver anyway. * Remove the commented line which per the link above would never be necessary anyway. OCSP seems to work just fine after these changes.
47de9396 · Joshua Tauberer · 1990f32c · 47de9396
Commit 47de9396 authored Jun 06, 2015 by Joshua Tauberer
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 3 deletions

nginx-ssl.conf conf/nginx-ssl.conf +2 -3

No files found.
--- a/conf/nginx-ssl.conf
+++ b/conf/nginx-ssl.conf
@@ -69,7 +69,6 @@ ssl_dhparam STORAGE_ROOT/ssl/dh2048.pem;
 # 8.8.8.8 and 8.8.4.4 below are Google's public IPv4 DNS servers. 
 # nginx will use them to talk to the CA.
 ssl_stapling on;
-ssl_stapling_verify on;
-resolver 8.8.8.8 8.8.4.4 valid=86400;
+ssl_stapling_verify off;
+resolver 127.0.0.1 valid=86400;
 resolver_timeout 10;
-#ssl_trusted_certificate /path/to/all-certs-in-chain.crt;