OCSP (The Online Certificate Status Protocol) Stapling and Session Cache

Only applicable to MetaDefender Core version 4.19.0 or above.

1.) Modify the “ssl.conf” file (create it if it does not exist)

  • On Windows, under <Installation Directory>\nginx\

  • On Linux, under /etc/ometascan/nginx.d/

Modify the ssl.conf file with the following recommended settings:

# Enable OCSP stapling, optimize session cache
ssl_ecdh_curve secp384r1;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
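# replace with the IP address of your resolver
# (nginx uses it to resolve the OCSP responder hostname; the value below is a placeholder)
resolver <IP address of your resolver>;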

2.) A restart of the “OPSWAT Metadefender Core” service is required.
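
To confirm stapling after the restart, the following added example (not part of the original documentation) classifies the OCSP section printed by `openssl s_client -status`. The function names, the host and port arguments and the sample outputs are assumptions constructed for illustration; nginx fetches the OCSP response lazily, so the first handshakes after a restart can report no staple, which is why the check retries.

```sh
#!/bin/sh
# Added example: verify that nginx staples an OCSP response after the ssl.conf change.
# Sample outputs below are constructed, modelled on `openssl s_client -status` output.

SAMPLE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good'
SAMPLE_COLD='OCSP response: no response sent'

# classify_stapling: read s_client output on stdin and print one of
#   stapled-good | stapled-revoked | stapled-unknown | stapled-error |
#   stapled-unparsed | not-stapled | no-ocsp-section
classify_stapling() {
  awk '
    /OCSP response: no response sent/ { result = "not-stapled" }
    /OCSP Response Status:/ {
      result = ($0 ~ /successful/) ? "stapled-unparsed" : "stapled-error"
    }
    /Cert Status:/ && result != "stapled-error" { result = "stapled-" $NF }
    END { print (result == "" ? "no-ocsp-section" : result) }
  '
}

# check_stapling HOST PORT [TRIES]: handshake up to TRIES times (default 3),
# print the last classification, succeed only on a stapled "good" status.
check_stapling() {
  cs_host=$1; cs_port=$2; cs_tries=${3:-3}; cs_i=1; cs_status=no-ocsp-section
  while [ "$cs_i" -le "$cs_tries" ]; do
    cs_status=$(openssl s_client -connect "$cs_host:$cs_port" \
      -servername "$cs_host" -status </dev/null 2>/dev/null | classify_stapling)
    [ "$cs_status" = "stapled-good" ] && break
    cs_i=$((cs_i + 1))
    sleep 1
  done
  echo "$cs_status"
  [ "$cs_status" = "stapled-good" ]
}

# Run only when a host and port are given: ./check_stapling.sh HOST PORT
if [ "$#" -ge 2 ]; then
  check_stapling "$@"
fi
```

A persistent `not-stapled` result usually points at the `resolver` or `ssl_trusted_certificate` settings, since nginx needs both to fetch and verify the responder's answer.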