[Suggestion] Enable OCSP stapling for the certificate
Published a year ago
# Github Issue
Published a year ago
Michal-Koeckeis-Fresel
Updated a year ago
0
What would you like to be added or improved?
Please add OCSP stapling if it is available in the certificate
OCSP stapling explained on:
https://en.wikipedia.org/wiki/OCSP_stapling
Why is it needed?
With OCSP stappling the client will receive the online version of the certificate revocation list (from the CA) during HTTPS handshake directly from the server.
This improves speed of handshake and security as the client will not look up the revocation information from the root CA but will use the provided OCSP information.
To test the certificate for OCSP use the following openssl command:
openssl x509 -in /path/to/CERTIFICATE.crt -noout -ocsp_uri
Add this to the conf file if OCSP is available:
# OCSP Stapling ENABLED for better security
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 8.8.8.8 9.9.9.9 valid=300s;
resolver_timeout 5s;