ssl_stapling_verify

The `ssl_stapling_verify` directive enables verification of OCSP (Online Certificate Status Protocol) responses for SSL/TLS connections.

Syntax:    ssl_stapling_verify on | off;
Default:   off
Context:   http, server
Arguments: flag

Description

The ssl_stapling_verify directive strengthens OCSP stapling by having NGINX verify the OCSP responses it fetches from the OCSP responder before stapling them into the TLS handshake. When enabled, NGINX checks that each response is genuine, that is, validly signed by the certificate's issuer or its delegated OCSP responder, and only staples a response that passes this check. The response itself is what reports whether the certificate has been revoked; the directive ensures that clients are not handed a forged or tampered response.

Config Example

server {
    ssl_certificate         /path/to/certificate.crt;   # server certificate plus intermediates
    ssl_certificate_key     /path/to/key.key;
    ssl_stapling            on;                         # fetch and staple OCSP responses
    ssl_stapling_verify     on;                         # verify the fetched responses
    # The issuer, intermediate and root certificates must be trusted for
    # verification to succeed; otherwise NGINX logs a verification error
    # and sends no staple.
    ssl_trusted_certificate /path/to/chain.crt;
    resolver                8.8.8.8;                    # DNS resolution for the OCSP responder hostname
}

Make sure that the resolver directive is configured correctly; otherwise OCSP requests fail because NGINX cannot resolve the OCSP responder's hostname.

If the OCSP responder is unreachable, NGINX has no valid response to staple, and clients may experience delays or connection errors while the certificate's revocation status cannot be confirmed.
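A quick way to confirm that the configuration above actually results in a stapled, verified OCSP response is to look at what a client receives. The script below is an added example, not part of the NGINX documentation or the NGINX code base: it takes the text printed by `openssl s_client -status`, which shows the stapled response exactly as the server sent it, and classifies it as stapled-and-good, stapled-but-not-good, or not stapled at all. The three sample outputs embedded in the script are constructed for offline testing and mirror the format `openssl s_client` prints; the function and variable names are the example's own. A missing staple on a server with ssl_stapling_verify on usually means NGINX could not verify the fetched response (check the trusted chain and error.log) or could not reach the responder (check the resolver).

```shell
#!/bin/sh
# Added example (not NGINX's own code): classify the OCSP stapling status
# seen by a TLS client from the output of `openssl s_client -status`.
#
# Live usage (replace HOST with the server's hostname):
#   check_staple_text "$(openssl s_client -connect HOST:443 -servername HOST -status </dev/null 2>/dev/null)"
#
# Verdict printed on stdout and returned as exit status:
#   STAPLED_GOOD     (0)  stapled response present, successful, certificate good
#   STAPLED_NOT_GOOD (1)  stapled response present but not successful, or certificate revoked/unknown
#   NO_STAPLE        (2)  server sent no OCSP response at all

check_staple_text() {
    # No staple: openssl prints this line when the server sends nothing.
    case "$1" in
        *"OCSP response: no response sent"*) echo NO_STAPLE; return 2 ;;
    esac
    # A staple was sent; it must carry a successful response status.
    case "$1" in
        *"OCSP Response Status: successful"*) ;;
        *) echo STAPLED_NOT_GOOD; return 1 ;;
    esac
    # Finally, the response must report the certificate as good.
    case "$1" in
        *"Cert Status: good"*) echo STAPLED_GOOD; return 0 ;;
        *) echo STAPLED_NOT_GOOD; return 1 ;;
    esac
}

# Constructed samples (abridged) in the layout `openssl s_client -status` prints.
SAMPLE_GOOD="OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good"

SAMPLE_REVOKED="OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: revoked"

SAMPLE_NONE="CONNECTED(00000003)
OCSP response: no response sent"

# Run the classifier over the constructed samples when executed directly.
for sample in "$SAMPLE_GOOD" "$SAMPLE_REVOKED" "$SAMPLE_NONE"; do
    check_staple_text "$sample" || :
done
```

The classifier only reflects what the client sees; it cannot tell why a staple is missing. Pair it with the NGINX error log to distinguish a verification failure (the trusted chain is incomplete) from a fetch failure (the responder or the resolver is unreachable).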
