After learning new things about SSL, I have learned about OCSP Stapling, which is important to implement on your server. It basically attaches to your certificate, during the TLS handshake, a signed response from your SSL provider saying whether or not the certificate is valid.

Why is this important? If you were to revoke your certificate, like I had to after the Heartbleed bug, you can tell web browsers that the certificate authority has revoked your certificate, and they can verify that using the CA's signature on the response.

Now, while it is not currently possible to require that this is provided for your website (the way HTTP Strict Transport Security lets you tell the browser that your site must be loaded securely), it is important to start implementing it now. When such a flag exists, we could just add it and immediately prevent any server that doesn't do stapling from impersonating our site.

ssl_stapling on; # enable OCSP stapling
ssl_trusted_certificate /sub.class2.server.ca.pem; # Your SSL provider's certificate chain (the CA that signs the OCSP response)
resolver 8.8.4.4 8.8.8.8 valid=300s; # DNS resolver nginx uses to look up the OCSP responder
resolver_timeout 10s; # give up on the DNS lookup after 10 seconds

Note: I had to upgrade to Nginx 1.6 in order to get stapling to work.

You can test the configuration in two ways: SSL Labs shows whether stapling is enabled, and the following OpenSSL command will show whether a response is being stapled.

openssl s_client -connect mrgeckosmedia.com:443 -tls1 -tlsextdebug -status

If it shows something like the following, then you are fine.

OCSP Response Data:
OCSP Response Status: successful (0x0)

If you get the following, your server isn't configured properly or your certificate authority doesn't have an OCSP server.

OCSP response: no response sent
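As an added example (not part of the original post), here is a small shell check that reads the output of that openssl command and reports whether a usable OCSP response was stapled; the host argument, port 443 and the -servername option are my additions, and the -tls1 option is left out so the client negotiates a current protocol version.

```shell
# Classify the OCSP stapling result from "openssl s_client -status" output
# read on stdin. Prints one of: good, bad, none.
# Exit status: 0 = good stapled response, 1 = nothing stapled,
# 2 = a response was stapled but it is unusable (error status or the
# certificate is not reported as good, e.g. revoked).
check_stapling() {
  awk '
    /^OCSP response: no response sent/ { verdict = "none" }
    /OCSP Response Status:/ {
      verdict = ($0 ~ /successful/) ? "good" : "bad"
    }
    /Cert Status:/ {
      if ($0 !~ /good/) verdict = "bad"
    }
    END {
      if (verdict == "") verdict = "none"
      print verdict
      if (verdict == "good") exit 0
      if (verdict == "none") exit 1
      exit 2
    }'
}

# Live probe (needs network access): connect to the given host on port 443
# (assumed) with SNI set, hand the handshake output to check_stapling.
# Usage: probe_stapling mrgeckosmedia.com
probe_stapling() {
  host="$1"
  openssl s_client -connect "$host:443" -servername "$host" \
    -tlsextdebug -status </dev/null 2>/dev/null | check_stapling
}
```

nginx fetches the OCSP response in the background after the first handshake, so the very first probe after a restart can report no response; run it twice before concluding stapling is broken. Adding ssl_stapling_verify on; next to ssl_stapling makes nginx validate the response against ssl_trusted_certificate before it staples it.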
