Feature request: SSL OCSP stapling option

ahoogerheide (New member, joined Sep 9, 2014, 1 message)
I would love to see an option for OCSP stapling in DirectAdmin (when the installed webserver supports this).

OCSP stapling provides revocation information for an SSL certificate directly in the server response. This improves client performance because the client does not have to check revocation information itself (possibly recursively). Furthermore, it improves client privacy somewhat because the client does not have to make requests to the CA.

OCSP stapling is supported on
- Apache HTTP Server (>=2.3.3)
- Nginx (>=1.3.7)

http://en.wikipedia.org/wiki/OCSP_stapling
https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx

It can use the information provided by the server administrator in the file /usr/local/directadmin/data/users/domains/[domain].cacert.
I believe it only requires a change in the user's httpd.conf template, but I haven't tested this myself. I am not sure what the nginx templates in DirectAdmin look like.
 
I support this request, although there are some caveats: only ONE cert can be checked at a time, so it won't be really useful until this is implemented: https://www.rfc-editor.org/info/rfc6961.

CB could add a new function which simply adds this to httpd-ssl.conf for Apache, and I'm sure it's as easy for NGINX.
Code:
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache "shmcb:/var/log/httpd/stapling_cache(128000)"
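After enabling the directives above, the practical question is whether the server actually staples a response. The script below is an added example for this thread (not from DirectAdmin or the poster): it classifies the output of `openssl s_client -status` as no stapled response, a good status, or a revoked status. The sample outputs are constructed, and `example.com` in the usage comment is a placeholder hostname. One caveat worth knowing with the Apache snippet: `SSLStaplingCache` is a server-config-level directive and must sit outside any `<VirtualHost>` block, while `SSLUseStapling` can go per vhost.

```shell
#!/bin/sh
# Added example: classify the OCSP stapling state reported by openssl s_client.
# Live usage (hostname is a placeholder):
#   openssl s_client -connect example.com:443 -servername example.com -status \
#       </dev/null 2>/dev/null | stapling_status

# Reads s_client output on stdin and prints one word:
#   none     - server sent no stapled OCSP response
#   error    - a response was stapled but its status is not "successful"
#   good     - stapled response says the certificate is good
#   revoked  - stapled response says the certificate is revoked
#   unknown  - successful response but the responder does not know the cert
# Returns 0 only for "good".
stapling_status() {
    out=$(cat)
    case "$out" in
        *"OCSP response: no response sent"*)
            echo none; return 1 ;;
    esac
    case "$out" in
        *"OCSP Response Status: successful"*) ;;
        *"OCSP Response Status:"*)
            echo error; return 1 ;;
        *)
            echo none; return 1 ;;
    esac
    case "$out" in
        *"Cert Status: good"*)    echo good;    return 0 ;;
        *"Cert Status: revoked"*) echo revoked; return 1 ;;
        *)                        echo unknown; return 1 ;;
    esac
}

# Constructed sample outputs, trimmed to the lines openssl prints that matter.
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain
 0 s:CN = example.com'

SAMPLE_GOOD='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Sep  8 12:00:00 2014 GMT
    Next Update: Sep 15 12:00:00 2014 GMT
======================================
---
Certificate chain
 0 s:CN = example.com'

SAMPLE_REVOKED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: revoked
    Revocation Time: Sep  1 09:30:00 2014 GMT
======================================
---
Certificate chain
 0 s:CN = example.com'

# Demo run over the constructed samples (the "|| :" keeps a non-zero
# classification from aborting the script under set -e).
for name in NONE GOOD REVOKED; do
    eval "sample=\$SAMPLE_$name"
    printf '%s: ' "$name"
    printf '%s\n' "$sample" | stapling_status || :
done
```

When a server that should staple reports `none`, the usual causes are the cache directive being placed inside a vhost (Apache then logs a startup error), a certificate file that lacks the issuer chain needed to build the OCSP request, or outbound access to the CA's OCSP responder being blocked; `SSLStaplingReturnResponderErrors off` (as in the snippet above) makes Apache fall back to sending nothing rather than stapling an error, so `none` is also what a failed responder lookup looks like.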
So I guess on a server with 1 SSL certificate there's no need to wait for RFC 6961? Or is it only one request at a time for OCSP stapling?

Anyone got OCSP stapling for Apache implemented as above?