# ----------------------------------------------------------------------
# | Online Certificate Status Protocol stapling                        |
# ----------------------------------------------------------------------

# OCSP is a lightweight, only one record to help clients verify the
# validity of the server certificate.
# OCSP stapling allow the server to send its cached OCSP record during
# the TLS handshake, whithout the need of 3rd party OCSP responder.
#
# https://wiki.mozilla.org/Security/Server_Side_TLS#OCSP_Stapling
# https://tools.ietf.org/html/rfc6066#section-8
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling

ssl_stapling on;
ssl_stapling_verify on;

resolver 8.8.8.8 8.8.4.4 216.146.35.35 216.146.36.36 valid=60s;
resolver_timeout 2s;