Enable OCSP stapling on forum?

When using a bad internet connection I frequently get OCSP errors when trying to visit the forum. It seems my phone has trouble contacting the OCSP server of Comodo at such times, or the browser (Icecat) is doing some weird things with caching on an OCSP failure since the error often persists for a while, even when the connection has improved.
As I see it, enabling OCSP stapling would improve the performance in such cases and work around browser issues like these. I am maintaining Linux web servers myself so I know this feature is quite easy to enable in most web servers.

It would be nice if you consider this quick fix for the issues I ocasionally have.

2 Likes

Uhm, sounds Chinese to me, but @anon83519835 surely can give a qualified answer to this. :slight_smile:

1 Like

You only have OCSP errors? Or also with CRL?
And since when is this? I know Comodo had some OCSP and CRL issues starting 15-8-2017 until 17-8-2017.

I have had this frequently with bad internet connections, for some months already. It was always the same OCSP error (if I encounter it again soon I can make a screenshot), I have never seen CRL issues.

1 Like

In addition to improve the browsing experience OSCP stapling would also solve OCSP privacy issues:
https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol#Privacy_concerns

1 Like

Just to clarify: Both OCSP and CRL seem to work fine. But according to https://www.ssllabs.com/ssltest/analyze.html?d=forum.fairphone.com OCSP stapling is currently not enabled, meaning your nginx does not include a recent OCSP statement in the SSL negotiation but the browser has to get it from Comodo.

I think even if there are no OCSP errors it makes sense to enable OCSP stapling. This will save traffic, make the forum a bit more independent from Comodo problems and solve the privacy issues mentioned by @_Chris.

Following cipherli.st you only have to add this to your config:

ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
2 Likes

Yes in a normal nginx config these lines would be do the trick. But we are running a different kind of setup. I need to check if I can set this up. If so I will let you all know.

1 Like

This topic was automatically closed 182 days after the last reply. New replies are no longer allowed.