How to use ssl_stapling_file in nginx?

Started by psychofaktory, December 14, 2023, 10:58:13 AM

Hello,

I encountered this problem with my setup (OPNsense 23.7.10).

Here it is described that ssl_stapling_file can be used for troubleshooting.

How can I use ssl_stapling_file?

Hi
Rather not for troubleshooting, but as an alternative.

This method will require a staple-file update script. Do you have one? )

I haven't got anything yet.
However, I have found these instructions here:
https://www.kuketz-blog.de/nginx-aktivierung-von-ocsp-must-staple-ohne-timeout/

But I don't know how this could be implemented in OPNsense.

The link simply shows an example of getting an OCSP response using openssl. There is no lifetime check, nor the slightest semblance of error handling. It doesn't seem like a working solution.

OK. I wasn't aware of that.

What would be needed for a functioning solution?

Hi
Sorry for the delay.
Sorry again, but I think it's a really "advanced" feature for those who know what they are doing.

The correct solution, in my opinion, should include: checking the current server response; downloading the response file; checking it (with different reactions to a download error, an invalid file or a certificate revocation); taking into account the date of the nextUpdate; HUPping nginx if the file is updated.
An alternative could be to warm up the servers a bit after nginx starts.
I guess I just don't understand some of the noise around Must Staple certs. I don't see any advantages in using them (the argument that an attacker can disrupt the connection between the client and the response server does not completely convince me).
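The refresh script the post above describes, as an added example (not code from this thread, from OPNsense or from nginx): it fetches the response with `openssl ocsp`, judges it (download error, unverifiable file, revocation, nextUpdate too close), swaps the file in atomically and HUPs nginx. Assumed placeholders: `openssl` on PATH, a trusted CA bundle for verifying the responder, and the nginx pid file at /var/run/nginx.pid.

```python
"""Refresh logic for nginx's ssl_stapling_file: added example, not OPNsense or nginx code.
Assumed placeholders: `openssl` on PATH, a trusted CA bundle, nginx pid file at /var/run/nginx.pid."""
import os
import re
import signal
import subprocess
from datetime import datetime, timedelta, timezone

TIME_FMT = "%b %d %H:%M:%S %Y GMT"  # timestamp layout printed by `openssl ocsp -text`


def verdict(text, now, min_left=timedelta(hours=12)):
    """Classify openssl's -text output: 'install', 'keep' (the old staple) or 'revoked'."""
    if "Response verify OK" not in text:          # unsigned, forged or garbled reply: keep the old file
        return "keep", "response did not verify against the trusted chain"
    status = re.search(r"Cert Status:\s*(\w+)", text)
    if status is None:
        return "keep", "no Cert Status in response"
    if status.group(1) == "revoked":              # install it so clients reject, and page the operator
        return "revoked", "certificate is revoked: replace it now"
    if status.group(1) != "good":
        return "keep", f"status {status.group(1)} is not usable"
    nxt = re.search(r"Next Update:\s*(.+)", text)
    try:  # normalise the two-space day padding openssl uses for days < 10
        next_update = datetime.strptime(" ".join(nxt.group(1).split()), TIME_FMT)
    except (AttributeError, ValueError):
        return "keep", "missing or unparsable Next Update"
    if next_update.replace(tzinfo=timezone.utc) - now < min_left:
        return "keep", "response expires too soon to be worth stapling"
    return "install", f"good until {next_update.isoformat()}"


def refresh(cert, issuer, url, cafile, staple_file, pidfile="/var/run/nginx.pid"):
    """Fetch, judge, atomically install and HUP nginx. Returns (action, reason)."""
    tmp = staple_file + ".tmp"                    # -respout writes the DER response nginx expects
    cmd = ["openssl", "ocsp", "-issuer", issuer, "-cert", cert, "-url", url,
           "-CAfile", cafile, "-respout", tmp, "-text"]
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=15)
    except (OSError, subprocess.TimeoutExpired):
        return "keep", "download error: responder unreachable, old staple left in place"
    action, why = verdict(proc.stdout, datetime.now(timezone.utc))
    if action == "keep":
        if os.path.exists(tmp):
            os.unlink(tmp)
        return action, why
    os.replace(tmp, staple_file)                  # atomic swap so nginx never reads a partial file
    with open(pidfile) as f:
        os.kill(int(f.read().strip()), signal.SIGHUP)  # reload so nginx picks up the new staple
    return action, why
```

Run `refresh()` from cron at a fraction of the responder's update interval; the old file is only replaced when a verified, fresh response arrives.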

Thank you for your assessment.
I see from this that it should obviously not be done with a small adjustment to the configuration.
That actually sounds very advanced to me.

What should be done to warm up the servers after the nginx start?

I had originally activated the function to have maximum security.
So would you recommend deactivating ocsp must staple instead?