handle Let's Encrypt removing OCSP support

We can no longer use OCSP stapling and Must-Staple. These will soon be
obsolete once the `shortlived` profile is available for public use since
it will provide certificates with a similar lifetime as OCSP responses.

In the meantime, we've moved to the `tlsserver` profile stripping legacy
features to prepare for the `shortlived` profile which will be identical
to `tlsserver` but with a validity period of 6 days.
This commit is contained in:
Daniel Micay
2025-05-04 21:57:41 -04:00
parent c57490de09
commit 298c357bc9
3 changed files with 0 additions and 7 deletions

@@ -66,11 +66,6 @@ http {
ssl_session_timeout 1d;
ssl_buffer_size 4k;
ssl_trusted_certificate /etc/letsencrypt/live/grapheneos.org/chain.pem;
ssl_stapling on;
ssl_stapling_verify on;
ssl_stapling_file /var/cache/certbot-ocsp-fetcher/grapheneos.org.der;
log_format main '$connection-$connection_requests $remote_addr $remote_user $ssl_session_reused $ssl_protocol $server_protocol '
'$host $request_method "$request_uri" $status $request_length $body_bytes_sent/$bytes_sent '
'$request_time $upstream_connect_time/$upstream_header_time/$upstream_response_time '
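
Review bot: `ssl_trusted_certificate /etc/letsencrypt/live/grapheneos.org/chain.pem;`, directly above the three `ssl_stapling*` directives, should be dropped together with them if this rendering shows it as kept context (the +/- markers are not visible here, and the header `-66,11 +66,6` counts five removed lines while only three stapling lines are identifiable). nginx uses that file to verify client certificates and, when stapling is enabled, OCSP responses, so once stapling is gone it is dead configuration unless client certificate verification is set up elsewhere. It is also worth confirming that the job writing `/var/cache/certbot-ocsp-fetcher/grapheneos.org.der` is retired with this change, since this block no longer reads that file.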