Home / How should I configure OCSP Stapling in NGINX

How should I configure OCSP Stapling in NGINX

oscp stapling

OCSP is a feature that helps clients avoid exposing request information to OCSP servers and reduces the performance cost of OCSP validation by clients.

The TLS Certificate Status Request extension is a standard for checking the revocation status of X.509 digital certificates. It is formally known as the Online Certificate Status Protocol (OCSP) stapling.

It allows the certificate presenter to bear the resource cost of providing Online Certificate Status Protocol (OCSP) responses by appending (“stapling”) a time-stamped OCSP response signed by the CA to the initial TLS handshake, removing the need for clients to contact the CA and improving both security and performance.

Example Configuration

server {
listen 443 ssl;

ssl_certificate /path/cert.pem;
ssl_certificate_key /path/key.pem;

ssl_stapling on;
ssl_trusted_certificate /path/ca.pem;

resolver 8.8.4.4;
}

More information about the directives can be found in the document below.

http://nginx.org/en/docs/http/ngx_http_ssl_module.html

Limitations

A stapled answer will not be transmitted in a first connection unless an externally set OCSP response is used (through the “ssl stapling file” directive). This is related to the fact that nginx presently queries OCSP responders once it receives a connection with the certificate status extension in ClientHello and OpenSSL API constraints (certificate status callback is blocking).

OCSP answers that have been cached are currently kept in local process memory (thus each worker process will query OCSP responders independently). This shouldn’t be an issue because the typical number of worker processes is low, and they’re usually set to match the number of CPUs.

Leave a Reply