From 47de93961e88d3790120caeece0648ed6ab2c44c Mon Sep 17 00:00:00 2001
From: Joshua Tauberer <jt@occams.info>
Date: Sat, 6 Jun 2015 23:24:09 +0000
Subject: [PATCH] OCSP improvements

* Set ssl_stapling_verify to off per https://sslmate.com/blog/post/ocsp_stapling_in_apache_and_nginx ('on' has no security benefits).
* Set resolver to 127.0.0.1, instead of Google Public DNS, because we might as well use our local nameserver anyway.
* Remove the commented line which per the link above would never be necessary anyway.

OCSP seems to work just fine after these changes.
---
 conf/nginx-ssl.conf | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/conf/nginx-ssl.conf b/conf/nginx-ssl.conf
index 8d1598cb..1ce0f0c3 100644
--- a/conf/nginx-ssl.conf
+++ b/conf/nginx-ssl.conf
@@ -69,7 +69,6 @@ ssl_dhparam STORAGE_ROOT/ssl/dh2048.pem;
 # 8.8.8.8 and 8.8.4.4 below are Google's public IPv4 DNS servers. 
 # nginx will use them to talk to the CA.
 ssl_stapling on;
-ssl_stapling_verify on;
-resolver 8.8.8.8 8.8.4.4 valid=86400;
+ssl_stapling_verify off;
+resolver 127.0.0.1 valid=86400;
 resolver_timeout 10;
-#ssl_trusted_certificate /path/to/all-certs-in-chain.crt;