From 080a5157e6b1de3637e339a7cf54105f0316cfa7 Mon Sep 17 00:00:00 2001 From: Jason Wilder Date: Wed, 3 Dec 2014 11:06:11 -0700 Subject: [PATCH] Remove OCSP stapling Looks like it was not actually working before and failing silently because ssl_trusted_certificate was not specified. Will need to revisit implementing this functionality so removing it for now to prevent the warnings logged by nginx now. --- README.md | 2 +- nginx.tmpl | 2 -- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/README.md b/README.md index 6a27951..e520322 100644 --- a/README.md +++ b/README.md @@ -82,7 +82,7 @@ and `CERT_NAME=shared` will then use this shared cert. The SSL cipher configuration is based on [mozilla nginx intermediate profile](https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx) which should provide compatibility with clients back to Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, -Windows XP IE8, Android 2.3, Java 7. The configuration also enables OCSP stapling, HSTS, and SSL +Windows XP IE8, Android 2.3, Java 7. The configuration also enables HSTS, and SSL session caches. The behavior for the proxy when port 80 and 443 are exposed is as follows: diff --git a/nginx.tmpl b/nginx.tmpl index 3de1843..3aa28f4 100644 --- a/nginx.tmpl +++ b/nginx.tmpl @@ -96,8 +96,6 @@ server { ssl_prefer_server_ciphers on; ssl_session_timeout 5m; ssl_session_cache shared:SSL:50m; - ssl_stapling on; - ssl_stapling_verify on; ssl_certificate /etc/nginx/certs/{{ (printf "%s.crt" $cert) }}; ssl_certificate_key /etc/nginx/certs/{{ (printf "%s.key" $cert) }};