From 6ccfdb99fa316f88c7e3e3278915e2e0c7e3b187 Mon Sep 17 00:00:00 2001
From: Alan Orth
Date: Sat, 6 Dec 2014 23:21:46 +0300
Subject: [PATCH] roles/nginx: Enable OCSP stapling

Reduces round trip time for clients.

Note: I am using a certificate chain in the `ssl_certificate' directive, so as I understand it, I don't need to use an explicit trusted intermediate + root CA cert with the `ssl_trusted_certificate' option. See the nginx docs for more[0].

Addresses GitHub Issue #5.

Seems to be working, test with:

$ openssl s_client -connect mjanja.ch:443 -servername mjanja.ch -tls1 -tlsextdebug -status

Look for "OCSP Response" with "Cert Status: good".

[0] http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling

Signed-off-by: Alan Orth
---
 roles/nginx/templates/https.j2 | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/roles/nginx/templates/https.j2 b/roles/nginx/templates/https.j2
index a7f2745..525f6c4 100644
--- a/roles/nginx/templates/https.j2
+++ b/roles/nginx/templates/https.j2
@@ -14,6 +14,11 @@
 ssl_ciphers "{{ tls_cipher_suite }}";
 ssl_prefer_server_ciphers on;
 
+ # OCSP stapling...
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ resolver 8.8.4.4;
+
 # nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and
 # when a restart is performed the previous key is lost, which resets all previous
 # sessions. The fix for this is to setup a manual rotation mechanism:
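Review bot: `ssl_stapling_verify on;` is enabled without an `ssl_trusted_certificate` directive, and the nginx page cited in the message states that verification requires the issuer, intermediate and root certificates to be configured through `ssl_trusted_certificate`; the chain in `ssl_certificate` lets nginx locate the issuer for the OCSP request, but as far as I can tell it is not what the verify step trusts. When verification fails nginx appears to log a warning and simply omits the staple, so this fails open and the `openssl s_client -status` check from the message is the only thing that would reveal it, which makes it worth adding a `ssl_trusted_certificate` line (or a comment recording that the omission was verified on the deployed version). Separately, `resolver 8.8.4.4;` hard-codes a third-party resolver queried over unauthenticated UDP for every OCSP fetch, with no cache lifetime or timeout; using a local or role-variable resolver with explicit bounds, e.g. `resolver 127.0.0.1 valid=300s;` and `resolver_timeout 5s;` (address illustrative), keeps stapling from depending on an external service and makes a resolution failure show up in the error log promptly. The enclosing server block starts outside this hunk.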