From 41ad1d62ad8e1c67cd42b70fcbbdd229b0a419f7 Mon Sep 17 00:00:00 2001
From: Scott Walkinshaw
Date: Thu, 27 Feb 2025 00:18:32 -0300
Subject: [PATCH] Remove OCSP stapling
Let's Encrypt is ending its OCSP support. See https://letsencrypt.org/2024/12/05/ending-ocsp/ for the timeline.
This removes all OCSP stapling functionality in Trellis. While this could be kept for other SSL certificate providers, there are a few reasons to remove this entirely:
1. the certificate authority would need to provide OCSP support
2. the vast majority of Trellis users use Let's Encrypt only
3. there are privacy concerns regardless
---
 group_vars/all/helpers.yml | 1 -
 .../h5bp/directive-only/ssl-stapling.conf | 34 -------------------
 .../templates/h5bp/directive-only/ssl.conf | 2 --
 .../templates/wordpress-site.conf.j2 | 3 --
 4 files changed, 40 deletions(-)
 delete mode 100644 roles/nginx/templates/h5bp/directive-only/ssl-stapling.conf
diff --git a/group_vars/all/helpers.yml b/group_vars/all/helpers.yml
index 29d2c29d8a..7db67b83f8 100644
--- a/group_vars/all/helpers.yml
+++ b/group_vars/all/helpers.yml
@@ -16,7 +16,6 @@ site_hosts_redirects: "{{ item.value.site_hosts | selectattr('redirects', 'defin
 site_hosts: "{{ site_hosts_canonical | union(site_hosts_redirects) }}"
 multisite_subdomains_wildcards: "{{ item.value.multisite.subdomains | default(false) | ternary( site_hosts_canonical | map('regex_replace', '^(www\\.)?(.*)$', '*.\\2') | list, [] ) }}"
 ssl_enabled: "{{ item.value.ssl is defined and item.value.ssl.enabled | default(false) }}"
-ssl_stapling_enabled: "{{ item.value.ssl is defined and item.value.ssl.stapling_enabled | default(true) }}"
 cron_enabled: "{{ site_env.disable_wp_cron and (not item.value.multisite.enabled | default(false) or (item.value.multisite.enabled | default(false) and item.value.multisite.cron | default(true))) }}"
 sites_use_ssl: "{{ wordpress_sites.values() | map(attribute='ssl') | selectattr('enabled') | list | count > 0 }}"
diff --git a/roles/nginx/templates/h5bp/directive-only/ssl-stapling.conf b/roles/nginx/templates/h5bp/directive-only/ssl-stapling.conf
deleted file mode 100644
index 95cc175ce4..0000000000
--- a/roles/nginx/templates/h5bp/directive-only/ssl-stapling.conf
+++ /dev/null
@@ -1,34 +0,0 @@
-# ----------------------------------------------------------------------
-# | Online Certificate Status Protocol stapling |
-# ----------------------------------------------------------------------
-
-# OCSP is a lightweight, only one record to help clients verify the validity of
-# the server certificate.
-# OCSP stapling allows the server to send its cached OCSP record during the TLS
-# handshake, without the need of 3rd party OCSP responder.
-#
-# https://wiki.mozilla.org/Security/Server_Side_TLS#OCSP_Stapling
-# https://tools.ietf.org/html/rfc6066#section-8
-# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
-#
-# (1) Use Cloudflare 1.1.1.1 DNS resolver
-# https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/
-#
-# (2) Use Google 8.8.8.8 DNS resolver
-# https://developers.google.com/speed/public-dns/docs/using
-#
-# (3) Use Dyn DNS resolver
-# https://help.dyn.com/internet-guide-setup/
-
-ssl_stapling on;
-ssl_stapling_verify on;
-
-resolver
- # (1)
- 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]
- # (2)
- 8.8.8.8 8.8.4.4 [2001:4860:4860::8888] [2001:4860:4860::8844]
- # (3)
- # 216.146.35.35 216.146.36.36
- valid=60s;
-resolver_timeout 2s;
diff --git a/roles/nginx/templates/h5bp/directive-only/ssl.conf b/roles/nginx/templates/h5bp/directive-only/ssl.conf
index 20d98766b3..19e62f03b7 100644
--- a/roles/nginx/templates/h5bp/directive-only/ssl.conf
+++ b/roles/nginx/templates/h5bp/directive-only/ssl.conf
@@ -39,5 +39,3 @@ keepalive_timeout 300s; # up from 75 secs default
 # Make it a symlink to the most important certificate you have, so that users of IE 8 and below on WinXP can see your main site without SSL errors.
 #ssl_certificate /etc/nginx/default_ssl.crt;
 #ssl_certificate_key /etc/nginx/default_ssl.key;
-
-# Consider using OCSP Stapling as shown in ssl-stapling.conf
diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2
index 60b2b356d2..2cf97593dc 100644
--- a/roles/wordpress-setup/templates/wordpress-site.conf.j2
+++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2
@@ -79,9 +79,6 @@ server {
 {% if ssl_enabled -%}
 # SSL configuration
 include h5bp/directive-only/ssl.conf;
- {% if ssl_stapling_enabled -%}
- include h5bp/directive-only/ssl-stapling.conf;
- {% endif -%}
 ssl_buffer_size 1400; # 1400 bytes to fit in one MTU