This repository has been archived by the owner on Jul 11, 2020. It is now read-only.

Enable OCSP stapling on the balancer #33

Closed

Conversation

nateberkopec

Caveat: I'm not sure if outbound connections to the OCSPs are currently allowed or blocked by a firewall or something. I believe it can be checked by seeing if the following one-liner emits some OCSP urls:

OLDIFS=$IFS; IFS=':' certificates=$(openssl s_client -connect google.com:443 -showcerts -tlsextdebug -tls1 2>&1 </dev/null | sed -n '/-----BEGIN/,/-----END/ {/-----BEGIN/ s/^/:/; p}'); for certificate in ${certificates#:}; do echo $certificate | openssl x509 -noout -ocsp_uri; done; IFS=$OLDIFS

(one liner from here)

OCSP stapling should decrease SSL negotiation times by eliminating a roundtrip.

For more about OCSP stapling: https://wiki.mozilla.org/Security/Server_Side_TLS#OCSP_Stapling

We do not need to add an ssl_trusted_certificate line here because rubygems.org's certificate contains intermediate certs.
@bai (Member) commented Oct 20, 2015

Does our ssl_certificate include root cert? If not, we need to add ssl_trusted_certificate too.

@nateberkopec (Author)

Oh yeah, you're right. That seems weird to me, since the client just uses its own root anyway, but everything I can find online says you're right.
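A verification check to go with the thread above, added here as an example and not part of the PR or the rubygems infrastructure code. Once `ssl_stapling on;` and `ssl_stapling_verify on;` are set in nginx (with `ssl_trusted_certificate` pointing at the intermediate plus root chain, as bai notes, since nginx validates the OCSP response against that file), the way to confirm it works is `openssl s_client -status`, which prints either "OCSP response: no response sent" or a decoded stapled response. The script below parses that output into a one-word status and exit code; the sample outputs are constructed and abbreviated from the real s_client format, and `check_stapling` is a hypothetical wrapper that needs network access.

```shell
#!/bin/sh
# Added example, not from the PR: classify OCSP stapling state from the output of
# `openssl s_client -status`. Exit codes: 0 = stapled and "good",
# 1 = stapled but not good (or unparseable), 2 = nothing stapled.

# ocsp_staple_status reads s_client -status output on stdin and prints one of
# "good", "revoked", "unknown", "none" or "error".
ocsp_staple_status() {
    out=$(cat)
    # No stapled response at all: stapling is off, blocked at the firewall
    # (the caveat in the PR description), or nginx has not fetched one yet.
    case "$out" in
        *"OCSP response: no response sent"*) echo none; return 2 ;;
    esac
    # A stapled response is present; it must have decoded successfully.
    case "$out" in
        *"OCSP Response Status: successful"*) ;;
        *) echo error; return 1 ;;
    esac
    # Finally report the certificate status carried in the response.
    case "$out" in
        *"Cert Status: good"*)    echo good;    return 0 ;;
        *"Cert Status: revoked"*) echo revoked; return 1 ;;
        *"Cert Status: unknown"*) echo unknown; return 1 ;;
        *)                        echo error;   return 1 ;;
    esac
}

# check_stapling HOST [PORT]: hypothetical live check (needs network; not exercised
# by the embedded samples). Uses -servername so SNI-based vhosts answer correctly.
check_stapling() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -status \
        </dev/null 2>/dev/null | ocsp_staple_status
}

# Constructed sample: a server that staples a "good" response.
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Oct 20 00:00:00 2015 GMT
======================================'

# Constructed sample: a server with no stapled response.
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent
---'

# Stand-alone usage: classify both samples.
printf '%s\n' "$SAMPLE_STAPLED" | ocsp_staple_status
printf '%s\n' "$SAMPLE_NONE" | ocsp_staple_status
```

For a live balancer, `check_stapling balancer.example 443` is the call to make, and it is worth running twice: nginx fetches the OCSP response lazily, so the first connection after a reload commonly reports "none" even when stapling is configured correctly.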
