ssl_stapling
The ssl_stapling directive enables or disables OCSP (Online Certificate Status Protocol) stapling in NGINX.
Syntax: ssl_stapling on | off;
Default: ssl_stapling off;
Context: http, server
Description
The ssl_stapling directive controls OCSP stapling, a mechanism in which the server itself delivers a recent, CA-signed OCSP response for its certificate inside the TLS handshake (the status_request extension, RFC 6066). The client then has no reason to contact the OCSP responder on its own, which removes a round trip from connection setup and keeps the CA from learning which sites the client visits. The directive takes a boolean flag: on enables OCSP stapling, off (the default) disables it.
When enabled, NGINX does not query the certificate status during a client's handshake. Instead, the OCSP request goes to the responder named in the certificate's Authority Information Access (AIA) extension and runs in the background; the fetch is triggered by an incoming handshake, but that handshake completes without a staple rather than waiting for the answer. The response is cached per worker process and included in the handshake of every subsequent client that sends the status_request extension, and NGINX re-fetches it before its validity period (nextUpdate) runs out. Only a response with status "good" and a current validity window is stapled; with ssl_stapling_verify on, the response's signature must additionally verify against the certificates in ssl_trusted_certificate, and anything that fails these checks is discarded, not served. Three prerequisites follow from this: the certificate must carry an OCSP URL in its AIA extension (otherwise NGINX logs a warning that ssl_stapling is ignored); the issuer certificate must be available, either in the chain file given to ssl_certificate or in ssl_trusted_certificate, so that NGINX can build the request and verify the answer; and a resolver directive must be configured so the responder's hostname can be resolved, unless a pre-fetched DER-encoded response is supplied with ssl_stapling_file instead.
Config Example
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate /path/to/certificate.crt;
    ssl_certificate_key /path/to/private.key;
    ssl_stapling on;
    ssl_stapling_verify on;
}

If the certificate carries no OCSP responder URL, or the issuer certificate cannot be found, NGINX logs a warning that ssl_stapling is ignored and serves the certificate without a staple; handshakes do not fail. The exception is a certificate issued with the OCSP Must-Staple extension (TLS Feature, RFC 7633): clients that honour it reject a handshake without a stapled response, so stapling has to be working before such a certificate goes live.
If the resolver directive is missing or DNS resolution of the responder fails, NGINX cannot fetch a response and records the failure in the error log, but clients still connect and fall back to whatever revocation checking they do themselves. The symptom is a silent loss of stapling, not an SSL error, so verify with openssl s_client -status rather than waiting for client complaints.
The cache needs monitoring for a different reason than serving bad data: NGINX drops a stale, revoked or (with ssl_stapling_verify on) unverifiable response instead of stapling it, so a broken responder or expired response again degrades silently to no staple. The cache is per worker process and starts empty after every restart or reload, so the first handshakes each worker handles carry no staple.
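The pre-flight checks that the caveats above call for, as an added example that is not part of the NGINX documentation or source: it inspects the certificate NGINX will serve with the openssl command-line tool (assumed to be on PATH, version 1.1.1 or newer), reports the OCSP responder URL NGINX would contact and whether the certificate demands Must-Staple, and can query a running server to confirm that a staple is actually being sent. The file paths and hostnames are placeholders.

```shell
#!/bin/sh
# Added example, not from the NGINX documentation or source.
# Assumes the openssl CLI (1.1.1 or newer) is on PATH.

# Print the OCSP responder URL(s) from the certificate's Authority Information
# Access extension; this is where NGINX sends its OCSP request. Prints nothing
# and returns 1 when the certificate has none, the case in which NGINX logs
# that ssl_stapling is ignored and serves the certificate without a staple.
ocsp_uri() {
    uri=$(openssl x509 -in "$1" -noout -ocsp_uri 2>/dev/null) || return 1
    [ -n "$uri" ] || return 1
    printf '%s\n' "$uri"
}

# Return 0 when the certificate carries the TLS Feature extension with
# status_request (OCSP Must-Staple, RFC 7633). Clients that honour it refuse a
# handshake with no stapled response, so for such a certificate a missing or
# unfetchable staple is an outage rather than a degraded check.
must_staple() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'status_request'
}

# Summarise what NGINX will do with this certificate. Returns 0 when stapling
# can work, 1 when NGINX would ignore ssl_stapling for it.
stapling_precheck() {
    cert=$1
    if uri=$(ocsp_uri "$cert"); then
        echo "OCSP responder: $uri (a resolver directive is needed to reach it)"
        rc=0
    else
        echo "no OCSP URL in AIA: NGINX will ignore ssl_stapling for $cert"
        rc=1
    fi
    if must_staple "$cert"; then
        echo "Must-Staple is set: clients will reject handshakes without a staple"
    fi
    return $rc
}

# Query a running server with the status_request extension and report whether
# it stapled a response. Needs network access, so it is not exercised offline.
# "No response" right after a restart usually means the worker has not finished
# its first background fetch yet; retry after a few seconds before digging in.
check_live() {
    host=$1
    port=${2:-443}
    out=$(openssl s_client -connect "$host:$port" -servername "$host" -status </dev/null 2>&1)
    case $out in
        *"OCSP Response Status: successful"*)
            echo "$host:$port staples a valid OCSP response"
            return 0 ;;
        *)
            echo "$host:$port sent no stapled response (check error.log for OCSP or resolver errors)"
            return 1 ;;
    esac
}

# Usage: sh stapling_precheck.sh /path/to/certificate.crt [example.com]
if [ "$#" -gt 0 ]; then
    stapling_precheck "$1"
    if [ -n "$2" ]; then
        check_live "$2"
    fi
fi
```

Run stapling_precheck against the exact file named in ssl_certificate before enabling the directive, and check_live against the public hostname after a reload; a certificate that passes the first check but fails the second points at the resolver, the responder, or a missing issuer certificate, all of which show up in the error log.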