Security/Server Side TLS: Difference between revisions

==== ssl_stapling ====


This directive enables OCSP stapling.

When connecting to a server, clients should verify the validity of the server certificate using either a Certificate Revocation List (CRL) or an Online Certificate Status Protocol (OCSP) record. The problem with CRLs is that the lists have grown huge and take a long time to download. OCSP is much more lightweight, as only one record is retrieved at a time, but the side effect is that an OCSP request must be made to a third-party OCSP responder when connecting to a server.

The solution is to let the server send the OCSP record itself during the TLS handshake, bypassing the OCSP responder. This mechanism saves a round trip between the client and the OCSP responder and is called OCSP Stapling.

Nginx supports OCSP stapling in two modes: the OCSP response can be downloaded and made available to nginx as a file, or nginx itself can retrieve the OCSP record and cache it. We use the second mode in the configuration below.

The location of the OCSP responder is taken from the Authority Information Access field of the signed certificate:
<pre>
Authority Information Access:
      OCSP - URI:http://ocsp.startssl.com/sub/class1/server/ca
</pre>
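Once <code>ssl_stapling</code> is turned on, the practical check is whether a client actually receives a stapled response in the handshake. The script below is an added example written for this page, not part of the wiki's own configuration or of nginx: it drives <code>openssl s_client -status</code> (a real option that prints any stapled OCSP response) and classifies the result, so an operator can distinguish "nothing stapled" (for example a resolver or fetch problem on the server) from "stapled but revoked". The host name, port and the sample <code>s_client</code> output used to exercise the parser are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the wiki page): verify OCSP stapling from the client side.
# Assumes the openssl CLI is installed; -connect, -servername and -status are
# standard s_client options.

# parse_staple: read the output of `openssl s_client -status` on stdin and print
# one of: not-stapled, stapled-good, stapled-revoked, stapled-unknown, malformed.
# Returns 0 only for stapled-good, so it can be used directly in a monitoring check.
parse_staple() {
    out=$(cat)
    # s_client prints this literal line when the server stapled nothing.
    case "$out" in
        *"OCSP response: no response sent"*) echo not-stapled; return 1 ;;
    esac
    # A stapled response must have been parsed successfully by the responder side.
    case "$out" in
        *"OCSP Response Status: successful"*) ;;
        *) echo malformed; return 1 ;;
    esac
    # The certificate status inside the stapled response is what the client trusts.
    case "$out" in
        *"Cert Status: good"*)    echo stapled-good;    return 0 ;;
        *"Cert Status: revoked"*) echo stapled-revoked; return 1 ;;
        *)                        echo stapled-unknown; return 1 ;;
    esac
}

# check_stapling HOST [PORT]: open a TLS connection with SNI, request the
# stapled status and classify it. Example (constructed host):
#   check_stapling tls.example.org 443
check_stapling() {
    host=$1
    port=${2:-443}
    printf 'Q\n' | openssl s_client -connect "$host:$port" -servername "$host" -status 2>/dev/null \
        | parse_staple
}
```

<code>check_stapling</code> exits non-zero when no response is stapled, which is what you will see right after a restart until nginx has fetched and cached the first OCSP record, or permanently if the <code>resolver</code> directive cannot reach the responder named in the certificate's Authority Information Access field.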


==== ssl_stapling_verify ====