3.2.3.3.2 OCSP Stapling and Session Cache

Only applicable to MetaDefender Core version 4.19.0 or above.

1.) Modify the “ssl.conf” file (create it if it does not exist)

  • On Windows, under <Installation Directory>\nginx\

  • On Linux, under /etc/ometascan/nginx.d/

Modify the ssl.conf file with the following recommended settings:

# Enable OCSP stapling, Optimize session cache
ssl_ecdh_curve secp384r1;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
 
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
 
# replace with the IP address of your resolver
resolver 127.0.0.1;

2.) A restart of the “OPSWAT Metadefender Core” service is required.
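
To confirm after the restart that the server really staples an OCSP response, inspect the handshake with `openssl s_client -status`. The script below is an added example, not part of the product documentation: the host and port given to `check_stapling` are placeholders you supply, and the embedded s_client output is constructed sample data.

```shell
#!/bin/sh
# Added example: classify the OCSP part of `openssl s_client -status` output.
# Reads s_client output on stdin and prints one of:
#   stapled-good | stapled-not-good | not-stapled | unknown
classify_ocsp() {
    awk '
        /OCSP response: no response sent/  { none = 1 }
        /OCSP Response Status: successful/ { ok = 1 }
        /Cert Status: good/                { good = 1 }
        END {
            if (ok && good) print "stapled-good"
            else if (ok)    print "stapled-not-good"
            else if (none)  print "not-stapled"
            else            print "unknown"
        }'
}

# Live check against a running server (needs network access).
# $1 = host, $2 = port; both are placeholders chosen by the caller.
check_stapling() {
    host=$1; port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -status \
        </dev/null 2>/dev/null | classify_ocsp
}

# Constructed sample: handshake where the server stapled a valid response.
sample_stapled() { cat <<'EOF'
CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
EOF
}

# Constructed sample: handshake with no stapled response.
sample_unstapled() { cat <<'EOF'
CONNECTED(00000003)
OCSP response: no response sent
EOF
}

# Run a live check only when a host is given on the command line.
if [ $# -gt 0 ]; then
    check_stapling "$@"
fi
```

nginx fetches the OCSP response on demand, so the first handshake after a restart can report `not-stapled`; repeat the check before concluding the configuration is wrong. A persistent `not-stapled` result usually points at the `resolver` or `ssl_trusted_certificate` settings above.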