implement OCSP stapling

can verify stapling using openssl s_client -connect hostname:443 -status

status_request is defined in RFC 6066. There is also status_request_v2 (RFC 6961), but this is
not implemented even in the OpenSSL libraries yet.
This commit is contained in:
Girish Ramakrishnan
2021-04-16 11:17:13 -07:00
parent 5d2fd81c0d
commit 4d919127a7
4 changed files with 40 additions and 18 deletions


@@ -84,6 +84,12 @@ server {
ssl_dhparam /home/yellowtent/boxdata/dhparams.pem;
add_header Strict-Transport-Security "max-age=63072000";
<% if ( ocsp ) { -%>
# OCSP. LE certs are generated with must-staple flag so clients can enforce OCSP
ssl_stapling on;
ssl_stapling_verify on;
<% } %>
# https://github.com/twitter/secureheaders
# https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#tab=Compatibility_Matrix
# https://wiki.mozilla.org/Security/Guidelines/Web_Security
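Review bot: `ssl_stapling_verify on;` only verifies the fetched OCSP response if nginx can build the issuer chain, which in nginx needs `ssl_trusted_certificate` pointing at the CA/intermediate bundle, and nginx also needs a `resolver` directive to look up the OCSP responder host; neither directive appears in this hunk. The `server` block starts before the hunk, so they may already be set there, but if they are not, stapling fails quietly (only an error-log warning) and, given the must-staple certificates the new comment mentions, strict clients would refuse the handshake rather than fall back. It is also worth recording that nginx obtains the OCSP response lazily rather than at startup, so the first connections after a reload are typically served without a staple; an operator should check with the `openssl s_client -status` command from the commit message after the service has warmed up, not immediately. Suggest extending the new comment with `# needs ssl_trusted_certificate (issuer chain) and a resolver; response is fetched lazily, check error log for stapling warnings`.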