It may appear allowing the site operator to control verification responses would enable a fraudulent site to issue false verification for a revoked certificate. However, the site certificate stapled responses can't be forged if they are signed by the certificate authority (CA), not the server itself (Self Signed Certificates). If the client does not receive a stapled response from the certificate authority (CA), the client will contact the OCSP server on its own. If the client receives an invalid stapled response in any case, the connection to the intended end point will be terminated. The only risk of OCSP stapling is the notification of revocation for a certificate may be delayed until the last-signed OCSP response expires. (Cached on client machine from last visit)
As a result, clients continue to have verifiable assurance from the certificate authority the certificate is presently valid (or was quite recently), but no longer need to individually contact the OCSP server. This means that the brunt of the resource burden is now placed back on the certificate holder. It also means client software no longer needs to disclose users' browsing habits to any third party.
Overall performance is also improved: When the client fetches the OCSP response directly from the CA, it usually involves the lookup of the domain name of the CA's OCSP server from global DNS in order to establish a connection to the OCSP server. When OCSP stapling is used, the certificate status information is delivered to the client through an already established channel, reducing overhead and improving performance - Wikipedia
This will allow for the use of the DHParam and allow us to determine what Elliptical Curves we are going to use in order.
ssl_session_cache shared:SSL:60m; ssl_session_timeout 5m; ssl_session_tickets on; ssl_dhparam /etc/nginx/ssl/dhparam.pem; ssl_ecdh_curve secp521r1:secp384r1:X25519:X448; <-- Add other curves such as secp256k1 and so on ssl_stapling on; ssl_stapling_verify on; ssl_trusted_certificate /etc/nginx/ssl/EXAMPLE_com_CA.crt resolver 126.96.36.199 188.8.131.52 valid=300s; <-- 184.108.40.206 & 220.127.116.11 are Google DNS servers resolver_timeout 5s;
systemctl restart nginx