Nginx OCSP stapling configuration, nginxocspstapling
Nginx OCSP stapling configuration. Correct OCSP stapling configuration can improve HTTPS performance.
What is OCSP stapling?
OCSP stands for Online Certificate Status Protocol, that isOnline Certificate Status Protocol. As
(ephemeral).
Because of the forward secrecy, even if an attacker holds the private key of the server, it is not possible to decrypt past sessions. The private key is used only to sign a DH (diffie-hellman) handshake, and it does not disclose the secondary master key. Diffie-hellman ensures that the secondary master key does not leave the client and server and is not intercepted by the middleman.
1.4.4 all Nginx versions rely on OpenSSL when entering parameters to Diffiel-hellman. Unfortunatel
, the operator is familiar with PKI, X509, can also make a standard certificate)
About OpenCA:OpenCA is an open source project for building a private PKI. The author Caishuxueqian, has not studied this, hoped that has the relatively clear reader to inform how to apply to the Remote Desktop server authentication. ^-^Difficulties:
The client needs to check the certificate revocation status when connecting to the server Remote Desktop. There are two ways to check certificate revocatio
the module in Openresty ssl_session_fetch_by_lua_block . See Https://github.com/openresty/lua-nginx-module#ssl_session_store_by_lua_file for details.rational Use of 2.3 Ocsp staplingThe OCSP (online Certificate status Protocol, on-line Certificate Status protocol) is used to query revocation information for a certificate. OCSP real-time queries increase the clie
The main file types and protocols for certificates are: PEM, DER, PFX, JKS, KDB, CER, Key, CSR, CRT, CRL, OCSP, SCEP, etc.
Pem–openssl uses the PEM (privacy enhanced Mail) format to hold various information, which is the default way of storing information in OpenSSL. The PEM file in Openssl generally contains the following information: Content type: Indicates what information is stored in this file, which is in the form of "——-BEGIN xxxx--" and corres
Domain
1. "certificate chain" in domainrequest"Is sent unless certificate caching is indicated in the RI context with this Ri ".
2. "peer key identifier" in join domainrequestMust send "if, and only if, it has stored the ri pk corresponding to the stored Ri ID as specified in 5.4.2.4.1 ".
3. "No OCSP Response" in join domainrequestMust send "if, and only if, it has a complete set of valid OCSP responses for
RO confirm
1. "certificate chain" inRorequest"Is sent unless it is indicated in the RI context that this Ri has stored necessary device Certificate Information ".
2. "peer key identifier" inRorequestMust send "if, and only if, it has stored the RI public key corresponding to the stored Ri ID" specified in 5.4.2.4.1.
3. "No OCSP Response" inRorequestMust send "if, and only if, it has a complete set of valid O
The online revocation service is a new component introduced in Windows Server 2008. Is the Microsoft deployment of the OCSP protocol. This feature, coupled with the new OCSP answering service, is a big boost compared to CRL based revocation. The client's OCSP client has been redesigned for the schema, plus an OCSP resp
content.The disadvantage of Session ticket:1. Session ticket is only an extended feature of the TLS protocol, the current support rate is not very wide, only about 60%.2. Session ticket need to maintain a global key to decrypt, need to consider key security and deployment efficiency.
Generally speaking, the function of session ticket is obviously superior to session cache. The client implementation is preferred to support session ticket.
2.4 OCSP sta
protocol, the current support rate is not very wide, only about 60%.2. Session ticket need to maintain a global key to decrypt, need to consider key security and deployment efficiency.Generally speaking, the function of session ticket is obviously superior to session cache. The client implementation is preferred to support session ticket.2.4 OCSP staplingThe OCSP full name online certificate status Check P
cannot load the certificate, reported the following error:
Unable to load certificate is
not a certificate, try it with the following command, because Der may also be a CSR converted file:
OpenSSL Req-inform der-outform pem-in./customer.der-out./CUSTOMER.CSR
Xi. The key is removed from the encryption (so that time does not need to enter the password manually)
OpenSSL rsa-in customerprivatekey.pem-out./customerprivatekey_unenrypted.pem
12. Synthetic Certificate and key
Cat./customerprivatekey_
process 302 redirection.
3. Three-way handshake to re-establish the TCP connection. The time consumed is one RTT.
A) After 302 is redirected to the HTTPS server, because the port is different from the server, you need to complete three new handshakes to establish a TCP connection.
4. TLS full handshake Phase 1. At least one RTT is consumed.
A) At this stage, the cipher suite negotiation and certificate identity authentication are completed.
B) the server and the browser negotiate the same key e
.4, TLS full handshake phase one. Time consuming at least one RTT.A) This phase is primarily the completion of cryptographic suite negotiation and certification of authentication.b) The server and browser will negotiate the same key exchange algorithm, symmetric encryption algorithm, content consistency check algorithm, certificate signature algorithm, Elliptic curve (non-ECC algorithm does not need) and so on.c) The validity of the certificate required by the browser after obtaining it, such as
HTTPS.b) Browser processing 302 jump also takes time.3. Three-time handshake to reestablish the TCP connection. Time consuming a RTT.A) 302 after jumping to the HTTPS server, due to different ports and servers, a three-time handshake is required to establish a TCP connection.4. TLS full handshake phase one. Time consuming at least one RTT.A) This phase is primarily the completion of cryptographic suite negotiation and certification of authentication.b) The server and browser will negotiate the
certification of authentication.b) The server and browser will negotiate the same key exchange algorithm, symmetric encryption algorithm, content consistency check algorithm, certificate signature algorithm, Elliptic curve (non-ECC algorithm does not need) and so on.c) The validity of the certificate required by the browser after obtaining it, such as whether it has expired or revoked.5, resolves the DNS for the CA site. Time consuming a RTT.A) After the browser obtains the certificate, it may
different ports and servers, a three-time handshake is required to establish a TCP connection.4, TLS full handshake phase one. Time consuming at least one RTT.A) This phase is primarily the completion of cryptographic suite negotiation and certification of authentication.b) The server and browser will negotiate the same key exchange algorithm, symmetric encryption algorithm, content consistency check algorithm, certificate signature algorithm, Elliptic curve (non-ECC algorithm does not need) an
Https://github.com/Findow-team/Blog/issues/11?utm_source=tuicoolutm_medium=referral2017 front-end Performance tuning checklistHave you started using progressive start? Have you already used tree-shaking and code-splitting two tools in react and angular? Have you used compression techniques such as Brotli, Zofli, and Hpack, or the OCSP Protocol (online Certificate status protocol)? Do you know about resource reminders, client reminders, and CSS contain
the user with a certificate verification service, the PKI system.The basic principle is that the CA is responsible for auditing the information, then "signing" the key information with the private key, exposing the corresponding public key, and the client can use the public key to verify the signature. CAS can also revoke certificates that have already been issued, including two types of CRL files and OCSP in the basic way. The specific process for C
$ fastcgi_script_name;}Access_log/data/logs/nginx/access. log access;Error_log/data/logs/nginx/error. log crit;}
Ssl optimization is provided. You can use it based on your business. You do not need to configure it all. Generally, you can configure the red part.
Ssl on;Ssl_certificate/usr/local/https/www.localhost.com. crt;Ssl_certificate_key/usr/local/https/www.localhost.com. key;
Ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Only TLS protocol is allowedSsl_ciphers ECDHE-RSA-AES256-SHA384: AES256-SHA2
. Ra accepts and reviews users' certificate applications, such as certificate cancellation and restoration applications; KMC is responsible for the generation, storage, management, backup, and recovery of encryption keys. The certificate publishing and query system generally uses the OCSP (Online Certificate Status Protocol, Online Certificate Status Protocol) Protocol to query User Certificates, the backup and recovery system is responsible for backi
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.