SafeLine icon indicating copy to clipboard operation
SafeLine copied to clipboard

Published 20 hours ago verified publisher icon chaitin

[Suggestion] Enable OCSP stapling for the certificate

Open Michal-Koeckeis-Fresel opened this issue 5 months ago • 0 comments
trafficstars

What would you like to be added or improved?

Please add OCSP stapling if it is available in the certificate

OCSP stapling explained on: https://en.wikipedia.org/wiki/OCSP_stapling

Why is it needed?

With OCSP stappling the client will receive the online version of the certificate revocation list (from the CA) during HTTPS handshake directly from the server.

This improves speed of handshake and security as the client will not look up the revocation information from the root CA but will use the provided OCSP information.

To test the certificate for OCSP use the following openssl command: openssl x509 -in /path/to/CERTIFICATE.crt -noout -ocsp_uri

Add this to the conf file if OCSP is available:

    # OCSP Stapling ENABLED for better security
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 1.1.1.1 8.8.8.8 9.9.9.9 valid=300s;
    resolver_timeout 5s;

Michal-Koeckeis-Fresel avatar Jun 07 '25 08:06 Michal-Koeckeis-Fresel