SSL OCSP Stapling With Nginx


OCSP stapling can significantly reduce the overhead and latency of running SSL. We enable OCSP stapling on all of our nginx instances at Commando.io.

OCSP stapling, formally known as the TLS Certificate Status Request extension, is an alternative approach to the Online Certificate Status Protocol (OCSP) for checking the revocation status of X.509 digital certificates. It allows the presenter of a certificate to bear the resource cost involved in providing OCSP responses, instead of the issuing Certificate Authority (CA). — Wikipedia

It is actually quite trivial to set up in nginx with a few directives.

http {
    ssl_stapling on;                       # include the OCSP response in the TLS handshake
    ssl_stapling_verify on;                # verify the OCSP response against the trusted CA certificates below
    ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
    resolver 8.8.4.4 8.8.8.8 valid=300s;   # DNS used to look up the CA's OCSP responder; cache answers for 5 minutes
    resolver_timeout 10s;
}

You must specify a DNS resolver, since nginx makes external HTTP requests to the CA's OCSP responder to fetch the response it staples. We use Google Public DNS, but OpenDNS or your hosting provider's DNS should all work just fine. We also set a 5 minute DNS cache TTL and a 10 second resolver timeout.

You'll also need to provide the trusted CA certificate file that nginx verifies the OCSP responses against when ssl_stapling_verify is on. We have a wildcard SSL certificate from GoDaddy, so the content of stapling.trusted.crt is simply:

https://gist.github.com/nodesocket/89c2695dbadd17243cf4

Finally, you may verify that OCSP stapling is enabled with SSL Labs. Here is our report for Commando.io.

https://www.ssllabs.com/ssltest/analyze.html?d=commando.io.
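If you want to check the result from the command line rather than through SSL Labs, the following added example (not code from the post or from Commando.io) asks the server for a staple during the handshake with openssl s_client -status and classifies what came back. The host name is a parameter; the two sample outputs are constructed to mirror what openssl prints in the stapled and non-stapled cases.

```shell
#!/bin/sh
# Added example: client-side check that a server really sends a stapled
# OCSP response. fetch_staple_output needs network access and openssl;
# check_staple only parses text and is exercised on constructed samples.

# Perform a TLS handshake requesting a stapled response (assumes openssl is
# installed; the host name is passed in, e.g. commando.io).
fetch_staple_output() {
  host="$1"
  printf '' | openssl s_client -connect "$host:443" -servername "$host" -status 2>/dev/null
}

# Parse `openssl s_client -status` output and print one of:
#   stapled:<cert status>   a staple was sent (good / revoked / unknown)
#   not-stapled             the server sent no OCSP response
#   unparsed                neither marker found (handshake failed, etc.)
check_staple() {
  out="$1"
  if printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
    cert_status=$(printf '%s\n' "$out" | sed -n 's/^ *Cert Status: *//p' | head -n 1)
    echo "stapled:${cert_status:-unknown}"
  elif printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
    echo "not-stapled"
  else
    echo "unparsed"
  fi
}

# Constructed sample outputs mimicking the two cases openssl prints.
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
======================================'
SAMPLE_NO_STAPLE='CONNECTED(00000003)
OCSP response: no response sent'

# Live usage (run it twice: nginx fetches the OCSP response lazily, so the
# first handshake after a restart may still carry no staple):
#   check_staple "$(fetch_staple_output commando.io)"
```

A result of stapled:revoked means the staple is working but the certificate itself has been revoked by the CA, which is a separate problem to act on.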
