ssl_stapling_file

The `ssl_stapling_file` directive specifies the filename of the OCSP response file to be used for SSL stapling.

Syntax: ssl_stapling_file path;
Default: none
Context: http, server
Arguments: 1

Description

The ssl_stapling_file directive in NGINX enables OCSP (Online Certificate Status Protocol) stapling from a file: the OCSP response that NGINX staples is taken from the named file rather than fetched from the responder itself. The directive can be placed in the http or server context, so it can govern either all virtual servers or a single server defined in the configuration. Attaching the OCSP response to the TLS handshake spares clients a separate online status check, which improves the performance of SSL connections.

The directive takes a single argument, the path to the file containing the serialized OCSP response. The response is issued by the CA (Certificate Authority) or another trusted intermediary and must be refreshed regularly, because OCSP responses carry a validity period. Keeping the file current is what lets clients validate the certificate status during TLS sessions. If the path is wrong or the contents are invalid, NGINX logs an error message and disables OCSP stapling for that server.

Config Example

server {
    listen 443 ssl;
    ssl_certificate /path/to/certificate.pem;
    ssl_certificate_key /path/to/key.pem;
    ssl_stapling on;
    ssl_stapling_file /path/to/ocsp_response.der;
}

Ensure the OCSP response file is regularly updated; outdated responses can cause clients to reject the connection.

The file must have the correct permissions for NGINX to read it; otherwise, NGINX will fail to load the OCSP data and disable stapling.

Make sure the response file is a DER-encoded OCSP response as defined by the OCSP specification (the `.der` file in the example above); a response in another encoding, or a truncated one, leads to parsing errors.
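A refresh script for the file named by ssl_stapling_file, added here as an example that is not part of the original page or of the NGINX project. It assumes the paths shown, a 6-hour refresh margin, GNU date, and that the issuing CA certificate is available as a separate PEM file; it fetches the response with openssl ocsp, refuses to install anything that does not verify or is not "good", swaps the file in atomically and reloads NGINX.

```shell
#!/bin/sh
# Refresh the DER OCSP response that nginx serves through ssl_stapling_file.
# All paths and the margin below are assumptions for this example.
set -eu
CERT=/path/to/certificate.pem       # leaf certificate (assumed)
ISSUER=/path/to/issuer.pem          # certificate of the issuing CA (assumed)
STAPLE=/path/to/ocsp_response.der   # the file named by ssl_stapling_file
MARGIN=$((6 * 3600))                # refresh once less than 6h of validity remain

# Read `openssl ocsp -resp_text` output on stdin and print its "Next Update"
# time as a Unix epoch. Uses GNU date to parse "Jan  2 03:04:05 2030 GMT".
next_update_epoch() {
    nu=$(sed -n 's/^ *Next Update: //p' | head -n 1)
    [ -n "$nu" ] || return 1
    date -u -d "$nu" +%s
}

# True when the response text in $1 expires within MARGIN seconds of the epoch
# in $2, or carries no Next Update at all: either way a refresh is due.
needs_refresh() {
    exp=$(printf '%s\n' "$1" | next_update_epoch) || return 0
    [ $((exp - $2)) -lt "$MARGIN" ]
}

# Fetch a fresh response, verify it, and replace the staple atomically.
refresh_staple() {
    uri=$(openssl x509 -in "$CERT" -noout -ocsp_uri)
    tmp=$(mktemp "$STAPLE.XXXXXX")
    trap 'rm -f "$tmp"' EXIT
    # -CAfile makes openssl check the responder signature; the greps reject an
    # unverified or non-"good" response so it never replaces the live staple.
    out=$(openssl ocsp -issuer "$ISSUER" -cert "$CERT" -url "$uri" \
              -CAfile "$ISSUER" -respout "$tmp" 2>&1)
    printf '%s\n' "$out" | grep -q 'Response verify OK'
    printf '%s\n' "$out" | grep -q "^$CERT: good"
    chmod 0644 "$tmp"               # nginx workers must be able to read it
    mv "$tmp" "$STAPLE"             # rename is atomic, nginx never sees a partial file
    nginx -s reload                 # the file is read at startup/reload only
}

main() {
    if [ -f "$STAPLE" ] && ! needs_refresh \
        "$(openssl ocsp -respin "$STAPLE" -resp_text -noverify)" "$(date +%s)"; then
        echo "staple still valid, nothing to do"
        return 0
    fi
    refresh_staple
}

# `sh refresh_staple.sh refresh` (e.g. from cron) does the work; without it only the functions are defined.
if [ "${1:-}" = refresh ]; then main; fi
```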
