roles/nginx: Enable OCSP stapling

Reduces round trip time for clients. Note: I am using a certificate
chain in the `ssl_certificate' directive, so as I understand it, I
don't need to use an explicit trusted intermediate + root CA cert
with the `ssl_trusted_certificate' option. See the nginx docs for
more[0]. Addresses GitHub Issue #5.

Seems to be working, test with:

    $ openssl s_client -connect mjanja.ch:443 -servername mjanja.ch -tls1 -tlsextdebug -status

Look for "OCSP Response" with "Cert Status: good".

[0] http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling

Signed-off-by: Alan Orth <alan.orth@gmail.com>
Alan Orth 2014-12-06 23:21:46 +03:00
parent f23f0713d2
commit 6ccfdb99fa


@ -14,6 +14,11 @@
ssl_ciphers "{{ tls_cipher_suite }}";
ssl_prefer_server_ciphers on;
# OCSP stapling...
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.4.4;
# nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and
# when a restart is performed the previous key is lost, which resets all previous
# sessions. The fix for this is to setup a manual rotation mechanism:
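Review bot: `ssl_stapling_verify on` is enabled here without an accompanying `ssl_trusted_certificate` directive. The nginx docs linked in the commit message draw a distinction the message glosses over: stapling itself works when `ssl_certificate` holds the full chain, but *verifying* the OCSP response additionally requires the issuer, intermediates and root to be configured as trusted via `ssl_trusted_certificate`; when that verification fails, nginx logs an OCSP error and simply omits the staple, so the `openssl s_client ... -status` check in the commit message is worth running after deploy to confirm "OCSP Response" actually appears rather than "no response sent". Separately, `resolver 8.8.4.4;` hard-codes a single external resolver queried over plain UDP with no fallback; a local caching resolver (or at least a second address) would make OCSP fetches more reliable and keep the responder lookups from leaving the host.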