Optimizing the SSL configuration: adding OCSP stapling to a web server

1 What is OCSP stapling?

https://en.m.wikipedia.org/wiki/OCSP_stapling

2 Apache configuration

Add the following block to httpd.conf:

<IfModule ssl_module>
    SSLUseStapling on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
    SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
</IfModule>


The block above is a minimal working setting; below is the standard full setup (note that SSLStaplingCache must sit in the global server context, outside any VirtualHost):
<IfModule mod_ssl.c>
    SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
    <VirtualHost *:443>

            ServerAdmin webmaster@localhost
            ServerName example.com
            DocumentRoot /var/www

            SSLEngine on

            SSLCertificateFile /etc/apache2/ssl/example.com/apache.crt
            SSLCertificateKeyFile /etc/apache2/ssl/example.com/apache.key

            SSLCACertificateFile /etc/ssl/ca-certs.pem
            SSLUseStapling on
    </VirtualHost>
</IfModule>

3 nginx configuration

Add the following to the server block:

server {
        listen 443;
        server_name example.org;

        root /usr/share/nginx/www;
        index index.html index.htm;

        ssl on;   # deprecated since nginx 1.15.0; newer versions use "listen 443 ssl;" instead
        ssl_certificate /etc/nginx/ssl/example.org/server.crt;
        ssl_certificate_key /etc/nginx/ssl/example.org/server.key;

        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/ssl/private/ca-certs.pem;
}

Note the web server versions required for OCSP stapling:

- Apache 2.3.3 and later

- nginx 1.3.7 and later

- Lighttpd 1.4.x
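Once either server is configured, a quick check (added here, not part of the original post) is to drive openssl s_client -status and classify what the server staples; the sample outputs embedded in the script are constructed, not captured from a real server. It assumes openssl is installed and that the host name you pass on the command line is reachable.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a server staples an OCSP response.

# Ask for the status_request extension with "openssl s_client -status" and return its raw output.
fetch_stapling_output() {
    host=$1; port=${2:-443}
    printf 'Q\n' | openssl s_client -connect "$host:$port" -servername "$host" -status 2>/dev/null
}

# Classify s_client output read from stdin. Always exits 0; the verdict is printed:
#   stapled      - a response with "successful" status was stapled
#   none         - handshake done, nothing stapled (stapling off, cache still empty
#                  after a restart, or the responder was unreachable)
#   bad-status   - a response was stapled but its status is not "successful"
#   no-handshake - no TLS output at all (wrong port, connection refused, ...)
parse_stapling_status() {
    out=$(cat)
    case $out in
        *'OCSP Response Status: successful'*) echo stapled ;;
        *'OCSP response: no response sent'*)  echo none ;;
        *'OCSP response:'*)                   echo bad-status ;;
        *)                                    echo no-handshake ;;
    esac
}

# For a stapled response, print the certificate status it carries (good, revoked or unknown).
stapled_cert_status() {
    sed -n 's/^ *Cert Status: *\([a-z]*\).*/\1/p' | head -n 1
}

# Constructed sample outputs (abridged; not captured from a real server) for offline use.
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
======================================'
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent'

# Usage: sh check_stapling.sh example.com [443]   (exits 1 unless a good response is stapled)
if [ -n "$1" ]; then
    out=$(fetch_stapling_output "$1" "$2")
    verdict=$(printf '%s\n' "$out" | parse_stapling_status)
    echo "$1: $verdict"
    [ "$verdict" = stapled ] || exit 1
    echo "cert status: $(printf '%s\n' "$out" | stapled_cert_status)"
fi
```

A "none" verdict right after a restart is normal until the server has fetched its first response; a "revoked" cert status from a stapled response means the certificate itself needs replacing, not the stapling setup.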

References: see the reference list of the Wikipedia article linked above.
