ssl_ocsp
The `ssl_ocsp` directive enables or disables Online Certificate Status Protocol (OCSP) validation of client certificates on SSL/TLS connections in NGINX.
Description
The ssl_ocsp directive specifies whether OCSP validation is enabled for the client certificates presented on SSL/TLS connections to NGINX. When OCSP is enabled, NGINX queries the OCSP responder named in the certificate (normally operated by the issuing certificate authority) to check the revocation status of the client certificate, so that only unrevoked client certificates are accepted. The directive is valid in the http and server contexts of the NGINX configuration, and it only takes effect when client certificate verification is turned on with ssl_verify_client.
When this directive is enabled, NGINX checks the revocation status of the certificate during the SSL handshake. This is how a revoked TLS certificate is detected: if the certificate is found to be revoked, the connection is terminated according to the server's verification settings. Enable the feature carefully, because relying on external OCSP responders adds latency to every handshake that is not served from a cache and causes handshake failures if those responders are unreachable. The certificates also need a valid, reachable OCSP responder URL (carried in the certificate's Authority Information Access extension) for the check to work.
The directive takes a single argument that enables or disables the OCSP check. It matters most for deployments with strict security requirements, because it stops revoked (for example, compromised) client certificates from being accepted.
Config Example
```nginx
server {
    listen 443 ssl;
    ssl_certificate     /path/to/certificate.pem;
    ssl_certificate_key /path/to/private.key;

    # ssl_ocsp only checks certificates that NGINX verifies, so client
    # certificate verification must be enabled for it to take effect.
    ssl_client_certificate /path/to/client-ca.pem;
    ssl_verify_client on;

    ssl_ocsp on;
}
```
Ensure that the OCSP responder URL is correctly configured and reachable; otherwise, SSL handshakes may fail.
Remember to monitor OCSP response times to avoid impacting user experience due to delays.
Consider the implications of enabling OCSP on high-load servers, as frequent network requests to OCSP servers may incur performance overhead.
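The following server block is an added example, not configuration taken from this page or from the NGINX project; it shows ssl_ocsp together with the directives it depends on and with the settings that address the reachability, latency and load caveats above. The server name, file paths, resolver address (192.0.2.53) and responder URL are placeholders.

```nginx
http {
    # NGINX resolves the OCSP responder's hostname itself, so a resolver is
    # needed whenever the responder URL uses a hostname rather than an IP.
    # 192.0.2.53 is a placeholder address.
    resolver 192.0.2.53 valid=300s;
    resolver_timeout 5s;

    server {
        listen 443 ssl;
        server_name example.test;   # placeholder

        ssl_certificate     /etc/nginx/tls/server.pem;   # placeholder path
        ssl_certificate_key /etc/nginx/tls/server.key;   # placeholder path

        # OCSP validation only applies to certificates NGINX verifies, so
        # client certificate verification must be on (or optional).
        ssl_client_certificate /etc/nginx/tls/client-ca.pem;   # placeholder path
        ssl_verify_client on;
        ssl_verify_depth 2;

        # Validate the client certificate chain via OCSP.
        # ("leaf" instead of "on" checks only the client certificate itself.)
        ssl_ocsp on;

        # Optional: override the responder URL from the certificates' AIA
        # extension, e.g. to point at an internal responder. Only http:// is
        # supported. Placeholder URL.
        ssl_ocsp_responder http://ocsp.example.test/;

        # Cache OCSP responses in a zone shared across worker processes so
        # that each handshake does not cost a network round trip to the
        # responder; this limits both added latency and responder load.
        ssl_ocsp_cache shared:ocsp_cache:10m;

        location / {
            root /var/www/html;
        }
    }
}
```

With ssl_verify_client set to on, a client whose certificate is revoked, or whose OCSP status cannot be obtained, fails the handshake. Size the ssl_ocsp_cache zone for the number of distinct client certificates you expect, and keep resolver_timeout short so an unreachable DNS server does not stall handshakes for longer than necessary.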