1
0
mirror of https://github.com/mail-in-a-box/mailinabox.git synced 2024-11-26 02:57:04 +00:00

OCSP improvements

* Set ssl_stapling_verify to off per https://sslmate.com/blog/post/ocsp_stapling_in_apache_and_nginx ('on' has no security benefits).
* Set resolver to 127.0.0.1, instead of Google Public DNS, because we might as well use our local nameserver anyway.
* Remove the commented line which per the link above would never be necessary anyway.

OCSP seems to work just fine after these changes.
This commit is contained in:
Joshua Tauberer 2015-06-06 23:24:09 +00:00
parent 1990f32ca4
commit 47de93961e

View File

@ -69,7 +69,6 @@ ssl_dhparam STORAGE_ROOT/ssl/dh2048.pem;
# 8.8.8.8 and 8.8.4.4 below are Google's public IPv4 DNS servers. # 8.8.8.8 and 8.8.4.4 below are Google's public IPv4 DNS servers.
# nginx will use them to talk to the CA. # nginx will use them to talk to the CA.
ssl_stapling on; ssl_stapling on;
ssl_stapling_verify on; ssl_stapling_verify off;
resolver 8.8.8.8 8.8.4.4 valid=86400; resolver 127.0.0.1 valid=86400;
resolver_timeout 10; resolver_timeout 10;
#ssl_trusted_certificate /path/to/all-certs-in-chain.crt;