3.2.3.3.2 OCSP (The Online Certificate Status Protocol) Stapling and Session Cache
Only applicable to MetaDefender Core version 4.19.0 or above.
1.) Modify the “ssl.conf” file (create it if it does not exist):
- On Windows, under <Installation Directory>\nginx\
- On Linux, under /etc/ometascan/nginx.d/
Modify the ssl.conf file with the following recommended settings:
# Enable OCSP stapling, optimize session cache
ssl_ecdh_curve secp384r1;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
# replace with the IP address of your resolver
resolver 127.0.0.1;
2.) A restart of the “OPSWAT Metadefender Core” service is required.
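To confirm after the restart that the server actually staples an OCSP response, the following added example (not part of the original page or OPSWAT's tooling) classifies the output of `openssl s_client -status`. The function names are hypothetical, the sample outputs are constructed, and the host and port passed to `check_host` are whatever your deployment uses.

```shell
#!/bin/sh
# Added example, not OPSWAT's code.

# Constructed sample: excerpt of s_client output when a staple is present.
SAMPLE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good'

# Constructed sample: output when the server sent no staple.
SAMPLE_NONE='OCSP response: no response sent'

# Classify `openssl s_client -status` output read from stdin.
# Prints one of: stapled-good | stapled-not-good | not-stapled
stapling_status() {
    awk '
        /OCSP Response Status:/            { seen = 1 }
        /OCSP Response Status: successful/ { ok = 1 }
        /Cert Status:/                     { cert = $3 }
        END {
            if (ok && cert == "good") print "stapled-good"
            else if (seen)            print "stapled-not-good"
            else                      print "not-stapled"
        }'
}

# Query a live server. nginx fetches the OCSP response lazily, so the first
# handshakes after a restart may carry no staple; retry before concluding.
# Usage: check_host <host> <port> [tries]   (host/port are deployment-specific)
check_host() {
    host=$1; port=$2; tries=${3:-3}; result=not-stapled
    while [ "$tries" -gt 0 ]; do
        result=$(openssl s_client -connect "$host:$port" -servername "$host" \
                     -status </dev/null 2>/dev/null | stapling_status)
        [ "$result" != "not-stapled" ] && break
        tries=$((tries - 1)); sleep 2
    done
    echo "$result"
}
```

A persistent `not-stapled` result usually points at the `resolver` or `ssl_trusted_certificate` settings, since `ssl_stapling_verify on` makes nginx discard OCSP responses it cannot validate against that chain.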