OCSP stapling

fanto666
Posts: 5
Joined: Thu Jul 26, 2018 1:10 pm

OCSP stapling

Post by fanto666 »

Hello,

Since Chrome 68 requires using CT log for all certificates signed after 2018/5/1, and since our cert provider recommends doing it using OCSP stapling, I would like to implement OCSP stapling in Zimbra.

We have Zimbra open source 8.8.7, and nginx is used as proxy, which is good since its version does seem to support stapling, it just must be configured.

That would mean I have to modify the nginx templates and regenerate the nginx config (currently, apparently only https is required).

Did anyone implement OCSP stapling yet?

If so, where did you put the "ssl_stapling on" directive and was it enough to support the stapling?

Thanks

[edit: typos]
Last edited by fanto666 on Thu Sep 05, 2019 8:07 am, edited 1 time in total.
fanto666
Posts: 5
Joined: Thu Jul 26, 2018 1:10 pm

Re: OCSP stapling

Post by fanto666 »

OK, I have put

ssl_stapling on;
resolver 127.0.0.1;

into templates/nginx.conf.web.https.default.template
and restarted the proxy.
According to https://www.digicert.com/help/ it works properly.
tib
Posts: 8
Joined: Wed Aug 08, 2018 1:54 pm

Re: OCSP stapling

Post by tib »

Hello!

I have done the same, but OCSP stapling doesn't work.
ssllabs.com says that
OCSP stapling No
and
OCSP Must Staple Supported, OCSP response not stapled
Release 8.8.9.GA.2055.UBUNTU16.64 UBUNTU16_64 FOSS edition, Patch 8.8.9_P4.
Where is the problem? Please help!
Harery
Posts: 4
Joined: Sat Sep 22, 2018 12:51 pm

Re: OCSP stapling

Post by Harery »

I'm facing the same problem. Any update?
tib
Posts: 8
Joined: Wed Aug 08, 2018 1:54 pm

Re: OCSP stapling

Post by tib »

After updating to 8.8.10

ssl_stapling on;
resolver 127.0.0.1;

lines were deleted from the templates.
I can't find any references to OCSP stapling in the wiki documentation. How do I enable it in the Zimbra reverse proxy? Zimbra version 8.8.10 has nginx 1.7.1, and it has supported OCSP stapling for a long time. Is it a bug or what?
Admins, moderators, developers, community members and others, can anybody give any replies?
fanto666
Posts: 5
Joined: Thu Jul 26, 2018 1:10 pm

Re: OCSP stapling

Post by fanto666 »

After upgrading Zimbra, we've had to add those lines back again.
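
Added example, not part of any post in this thread: a shell check for the two failure points discussed above, namely whether the proxy template still contains the stapling directive after an upgrade, and whether the server actually staples a response. The function names and sample outputs are constructed for illustration; the host name and template path are supplied by the caller.

```shell
#!/bin/sh
# Constructed samples of `openssl s_client -status` output (not captured data).
SAMPLE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good'
SAMPLE_NONE='OCSP response: no response sent'

# Read s_client output on stdin and print one of:
# stapled-good, stapled-not-good, not-stapled, unknown
classify_staple() {
    awk '
        /OCSP response: no response sent/  { none = 1 }
        /OCSP Response Status: successful/ { ok = 1 }
        /Cert Status:/                     { status = $3 }
        END {
            if (none)                        print "not-stapled"
            else if (ok && status == "good") print "stapled-good"
            else if (ok)                     print "stapled-not-good"
            else                             print "unknown"
        }'
}

# Succeeds if the given nginx template has an active (uncommented)
# "ssl_stapling on;" line. Pass the template you edited, e.g. the
# nginx.conf.web.https.default.template file named in the thread.
template_has_stapling() {
    grep -Eq '^[[:space:]]*ssl_stapling[[:space:]]+on[[:space:]]*;' "$1"
}

# Live check: check_host HOST [PORT]
check_host() {
    host=$1; port=${2:-443}
    # nginx fetches the OCSP response lazily, so the first handshake after a
    # proxy restart may carry no staple; retry before concluding it is off.
    for attempt in 1 2 3; do
        result=$(openssl s_client -connect "$host:$port" -servername "$host" \
                 -status </dev/null 2>/dev/null | classify_staple)
        [ "$result" != "not-stapled" ] && break
        sleep 2
    done
    echo "$result"
}

# Run a live check only when a host is given on the command line.
if [ -n "${1:-}" ]; then check_host "$@"; fi
```

Running `template_has_stapling` after each Zimbra upgrade shows whether the directive was dropped from the template before users notice a missing staple.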