ssl_stapling_responder

The 'ssl_stapling_responder' directive configures the URL for OCSP (Online Certificate Status Protocol) stapling response retrieval.

Syntax: ssl_stapling_responder URL;
Default: none
Context: http, server
Arguments: 1

Description

The 'ssl_stapling_responder' directive in NGINX specifies the URL from which OCSP stapling responses are obtained. It is part of the SSL/TLS certificate validation process: NGINX fetches the OCSP response itself and staples it to the handshake, so clients can check the revocation status of the certificate without making their own queries to the Certificate Authority (CA). Defining the responder's URL lets NGINX fetch responses efficiently and reduces the time clients spend establishing secured connections.

In practice, the URL provided by this directive must be a valid OCSP server endpoint. Typically, it is an HTTPS URL, as OCSP responses often involve sensitive information about the certificate's validity status. 'ssl_stapling_responder' is configured in the 'http' or 'server' block, and a correct setup can significantly improve SSL performance, especially in high-traffic web environments. Make sure the OCSP responder is operational and reachable from the NGINX host; otherwise connections may fail or suffer added latency.

Config Example

server {
    listen 443 ssl;
    ssl_certificate /path/to/certificate.pem;
    ssl_certificate_key /path/to/privatekey.pem;
    ssl_stapling on;
    ssl_stapling_responder https://ocsp.example.com;
}

Ensure the URL provided is reachable and correctly configured as an OCSP server.

Using non-HTTPS URLs may expose sensitive data during OCSP response retrieval.

Misconfigured OCSP responders can lead to failures in TLS handshakes.
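The following shell check is an added example, not part of the NGINX documentation: after configuring the directive, it confirms that a server really staples an OCSP response and that the stapled status is "good". It assumes an openssl binary on the PATH; the host name and the sample openssl output below are constructed.

```shell
#!/bin/sh
# Added example (not from the NGINX docs): verify that a TLS endpoint staples
# an OCSP response and report the stapled certificate status.

# ocsp_status_from_s_client reads `openssl s_client -status` output on stdin
# and prints one of: good | revoked | unknown | none | unparsed
ocsp_status_from_s_client() {
    awk '
        /^OCSP response: no response sent/ { print "none"; found = 1; exit }
        /^[[:space:]]*Cert Status:/ {
            split($0, parts, ": ")
            status = parts[2]
            sub(/[[:space:]]+$/, "", status)
            print status; found = 1; exit
        }
        END { if (!found) print "unparsed" }
    '
}

# check_stapling HOST [PORT]: handshake with the status_request extension and
# report the stapled status. Returns 0 only when the stapled status is "good".
check_stapling() {
    host=$1
    port=${2:-443}
    status=$(openssl s_client -connect "$host:$port" -servername "$host" \
        -status </dev/null 2>/dev/null | ocsp_status_from_s_client)
    printf '%s:%s stapled OCSP status: %s\n' "$host" "$port" "$status"
    [ "$status" = "good" ]
}

# Constructed samples of what openssl prints (used for offline self-checks).
SAMPLE_GOOD='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan  1 00:00:00 2024 GMT
    Next Update: Jan  8 00:00:00 2024 GMT
======================================'
SAMPLE_NONE='OCSP response: no response sent'

# Usage against a live server (hypothetical host): check_stapling www.example.com
```

NGINX fetches the OCSP response lazily, so the first handshake after a restart typically reports none; run the check twice. A persistent none usually means the issuer certificate is not available to NGINX in the configured chain.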
