Hello,
Since Chrome 68 requires using a CT log for all certificates signed after 2018/5/1, and since our cert provider recommends doing it using OCSP stapling, I would like to implement OCSP stapling in Zimbra.
We have Zimbra open source 8.8.7, and nginx is used as the proxy, which is good since its version does seem to support stapling; it just must be configured.
That would mean I have to modify the nginx templates and regenerate the nginx config (currently, apparently only https is required).
Did anyone implement OCSP stapling yet?
If so, where did you put the "ssl_stapling on" directive and was it enough to support the stapling?
Thanks
[edit: typos]
OCSP stapling
Last edited by fanto666 on Thu Sep 05, 2019 8:07 am, edited 1 time in total.
Re: OCSP stapling
OK, I have put
ssl_stapling on;
resolver 127.0.0.1;
into templates/nginx.conf.web.https.default.template
and restarted proxy.
According to https://www.digicert.com/help/ it works properly.
Re: OCSP stapling
Hello!
I have done the same, but OCSP stapling doesn't work.
ssllabs.com says that
OCSP stapling No
and
OCSP Must Staple Supported, OCSP response not stapled
Release 8.8.9.GA.2055.UBUNTU16.64 UBUNTU16_64 FOSS edition, Patch 8.8.9_P4.
Where is the problem? Please help!
Re: OCSP stapling
I'm facing the same problem. Any update?
Re: OCSP stapling
After updating to 8.8.10
Code:
ssl_stapling on;
resolver 127.0.0.1;
lines were deleted from templates.
I can't find any references to OCSP stapling in the wiki documentation. How do I enable it in the Zimbra reverse proxy? Zimbra version 8.8.10 has nginx 1.7.1, and it has supported OCSP stapling for a long time. Is it a bug or what?
Admins, moderators, developers, community members and others, can anybody give any replies?
Re: OCSP stapling
After upgrading Zimbra, we've had to add those lines back again.
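Added example, not part of any post in this thread: a post-upgrade check that the two directives are still active in the template and that the proxy actually staples a response, using `openssl s_client -status`. The function names and the sample output are constructed for illustration; the template path and host are passed as arguments.

```shell
#!/bin/sh
# Added example (not from the thread): re-check OCSP stapling after a Zimbra upgrade.

# Returns 0 if the template has an active (uncommented) "ssl_stapling on;" line.
template_has_stapling() {
    grep -Eq '^[[:space:]]*ssl_stapling[[:space:]]+on[[:space:]]*;' "$1"
}

# Returns 0 if the template has an active "resolver ...;" line.
template_has_resolver() {
    grep -Eq '^[[:space:]]*resolver[[:space:]]+[^;]+;' "$1"
}

# Classify `openssl s_client -status` output read from stdin.
# Prints one of: stapled, not-stapled, unknown.
classify_status_output() {
    cso_out=$(cat)
    case $cso_out in
        *"OCSP Response Status: successful"*) echo stapled ;;
        *"OCSP response: no response sent"*)  echo not-stapled ;;
        *)                                    echo unknown ;;
    esac
}

# Do a TLS handshake with the proxy and report whether a staple came back.
check_host() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" -status \
        </dev/null 2>/dev/null | classify_status_output
}

# Constructed sample of what s_client prints when nothing is stapled.
SAMPLE_NOT_STAPLED='CONNECTED(00000003)
OCSP response: no response sent
---'

# Usage: sh check_stapling.sh TEMPLATE HOST [PORT]
if [ "$#" -ge 2 ]; then
    template_has_stapling "$1" || echo "WARN: 'ssl_stapling on;' missing from $1"
    template_has_resolver "$1" || echo "WARN: 'resolver' missing from $1"
    echo "$2:${3:-443} -> $(check_host "$2" "${3:-443}")"
fi
```

nginx fetches the OCSP response lazily, so the first handshake after a proxy restart can report `not-stapled`; run the check a second time before concluding that stapling is off.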