mirror of
https://github.com/mail-in-a-box/mailinabox.git
synced 2024-11-26 02:57:04 +00:00
OCSP improvements
* Set ssl_stapling_verify to off per https://sslmate.com/blog/post/ocsp_stapling_in_apache_and_nginx ('on' has no security benefits). * Set resolver to 127.0.0.1, instead of Google Public DNS, because we might as well use our local nameserver anyway. * Remove the commented line which per the link above would never be necessary anyway. OCSP seems to work just fine after these changes.
This commit is contained in:
parent
1990f32ca4
commit
47de93961e
@ -69,7 +69,6 @@ ssl_dhparam STORAGE_ROOT/ssl/dh2048.pem;
|
|||||||
# 8.8.8.8 and 8.8.4.4 below are Google's public IPv4 DNS servers.
|
# 8.8.8.8 and 8.8.4.4 below are Google's public IPv4 DNS servers.
|
||||||
# nginx will use them to talk to the CA.
|
# nginx will use them to talk to the CA.
|
||||||
ssl_stapling on;
|
ssl_stapling on;
|
||||||
ssl_stapling_verify on;
|
ssl_stapling_verify off;
|
||||||
resolver 8.8.8.8 8.8.4.4 valid=86400;
|
resolver 127.0.0.1 valid=86400;
|
||||||
resolver_timeout 10;
|
resolver_timeout 10;
|
||||||
#ssl_trusted_certificate /path/to/all-certs-in-chain.crt;
|
|
||||||
|
Loading…
Reference in New Issue
Block a user