Free Best Practice Security Guides

Securing NGINX - Debian/Ubuntu

Step 3b - Online Certificate Status Protocol (OCSP) - Mandatory Step!!!

Enable Online Certificate Status Protocol (OCSP) - Certificate Stapling

It may appear allowing the site operator to control verification responses would enable a fraudulent site to issue false verification for a revoked certificate. However, the site certificate stapled responses can't be forged if they are signed by the certificate authority (CA), not the server itself (Self Signed Certificates). If the client does not receive a stapled response from the certificate authority (CA), the client will contact the OCSP server on its own. If the client receives an invalid stapled response in any case, the connection to the intended end point will be terminated. The only risk of OCSP stapling is the notification of revocation for a certificate may be delayed until the last-signed OCSP response expires. (Cached on client machine from last visit)

As a result, clients continue to have verifiable assurance from the certificate authority the certificate is presently valid (or was quite recently), but no longer need to individually contact the OCSP server. This means that the brunt of the resource burden is now placed back on the certificate holder. It also means client software no longer needs to disclose users' browsing habits to any third party.

Overall performance is also improved: When the client fetches the OCSP response directly from the CA, it usually involves the lookup of the domain name of the CA's OCSP server from global DNS in order to establish a connection to the OCSP server. When OCSP stapling is used, the certificate status information is delivered to the client through an already established channel, reducing overhead and improving performance - Wikipedia

Local use of the OCSP for sites using NGINX

nano /etc/nginx/sites-available/EXAMPLE_com_ssl.conf

Add the following blue lines

This will allow for the use of the DHParam and allow us to determine what Elliptical Curves we are going to use in order.

ssl_session_cache shared:SSL:60m;
ssl_session_timeout 5m;
ssl_session_tickets on;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
ssl_ecdh_curve secp521r1:secp384r1:X25519:X448;      <-- Add other curves such as secp256k1 and so on
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/ssl/EXAMPLE_com_CA.crt
resolver 8.8.8.8 8.8.4.4 valid=300s;       <-- 8.8.8.8 & 8.8.8.4 are Google DNS servers
resolver_timeout 5s;

Close and exit the file

ctrl + o (Save)
ctrl + x (Exit)

Restart NGINX

systemctl restart nginx

PREVIOUS NEXT