OCSP & nginx Settings

Configure OCSP Stapling and configure certain nginx settings.

Sets the maximum allowed size of the client request body. If the size in a request
exceeds the configured value, the 413 (Request Entity Too Large) error is returned to the client.
Please be aware that browsers cannot correctly display this error. Setting size to 0 disables
checking of client request body size.

NB: This is set to 128M in StoredSafe for good reasons. Do not change it unless told to do so
by StoredSafe support staff (support@storedsafe.com).

client_max_body_size: 128M

Change settings? (y/<N>):

OCSP stapling allows the certificate presenter (i.e. the web server) to query the OCSP
responder directly and then cache the response.

OCSP stapling addresses a privacy concern with OCSP because the CA no longer receives the
revocation requests directly from the client (browser). OCSP stapling also addresses
concerns about OCSP SSL negotiation delays by removing the need for a separate network
connection to a CA’s responders.

NB: Enabling OCSP Stapling requires the StoredSafe instance to be able to query a resolver
on port 53 (UDP and TCP) to resolve the IP address of the OCSP responder, and to reach
the external OCSP responder on port 80 TCP. (Proxy NOT supported)

OCSP Stapling: DISABLED

Enable OCSP Stapling on this node? (<Y>/n):
Install a new Trusted CA chain? (<Y>/n):

For verification to work, the certificate of the server certificate
issuer, the root certificate, and all intermediate certificates should be
configured as trusted using the ssl_trusted_certificate directive.

Search the directory "/isodevice/var/transfer" for files? (Press No for USB) (<Y>/n):
Using the directory "/isodevice/var/transfer".

Available files in /isodevice/var/transfer:

ocsp-ca.pem

Which file has the Trusted CA chain? (Q to Quit) <Socsp-ca.pem>: ocsp-ca.pem

Issuers in the CA chain (/isodevice/var/transfer/ocsp-ca.pem):
subject=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
issuer=O = Digital Signature Trust Co., CN = DST Root CA X3
subject=O = Digital Signature Trust Co., CN = DST Root CA X3
issuer=O = Digital Signature Trust Co., CN = DST Root CA X3

Install the new CA Chain for OCSP validation? (<Y>/n):
Backup "/isodevice/persistent/etc/nginx/ssl/storedsafe-ocsp-ca.pem" as "/isodevice/persistent/etc/nginx/ssl/storedsafe-ocsp-ca.pem.old"? (<Y>/n):
New CA Chain for OCSP Stapling validation installed successfully.

DNS Resolver #0 (. to end input, Q to quit) <192.168.12.8>:
DNS Resolver #1 (. to end input, Q to quit) <.>: .

Save settings? (y/<N>): y
Restart nginx to activate the new settings? (<Y>/n):

(Press any key to continue)

If OCSP stapling is already enabled, the current configuration is shown.

OCSP Stapling: ENABLED
Resolver: 192.168.12.8
Issuers in the CA chain (/isodevice/persistent/etc/nginx/ssl/storedsafe-ocsp-ca.pem):
subject=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
issuer=O = Digital Signature Trust Co., CN = DST Root CA X3
subject=O = Digital Signature Trust Co., CN = DST Root CA X3
issuer=O = Digital Signature Trust Co., CN = DST Root CA X3
Check status of OCSP Stapling on this node? (<Y>/n):
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = R3
    Produced At: May  2 23:41:00 2023 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 48DAC9A0FB2BD32D4FF0DE68D2F567B735F9B3C4
      Issuer Key Hash: 142EB317B75856CBAE500940E61FAF9D8B14C2C6
      Serial Number: 035CA8DBDB9941D10EDDBB93F0DEB1EEDDCE
    Cert Status: good
    This Update: May  2 23:00:00 2023 GMT
    Next Update: May  9 22:59:58 2023 GMT
Disable OCSP Stapling on this node? (y/<N>):
Change settings? (y/<N>):
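The status check above prints the OCSP response nginx has stapled. The following checker is an added example (not StoredSafe or nginx code) that parses that text and decides whether the staple is currently usable: responder status successful, certificate status good, and the current time inside the This Update/Next Update window; it assumes the field names and the openssl time format shown in the dump above.

```python
# Added example (not StoredSafe or nginx code): sanity-check the text that
# "Check status of OCSP Stapling" prints and decide whether the stapled
# response is currently usable.
import re
from datetime import datetime, timedelta, timezone

# Constructed sample, reusing the values from the status check above.
SAMPLE_STATUS = """\
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Responder Id: C = US, O = Let's Encrypt, CN = R3
    Produced At: May  2 23:41:00 2023 GMT
    Certificate ID:
      Serial Number: 035CA8DBDB9941D10EDDBB93F0DEB1EEDDCE
    Cert Status: good
    This Update: May  2 23:00:00 2023 GMT
    Next Update: May  9 22:59:58 2023 GMT
"""
# openssl's time print format; strptime treats the double space as whitespace
TIME_FMT = "%b %d %H:%M:%S %Y GMT"

def field(text, name):
    """Value after 'name:' on its own line; raises if the field is absent."""
    m = re.search(rf"^\s*{re.escape(name)}:\s*(.+?)\s*$", text, re.MULTILINE)
    if not m:
        raise ValueError(f"missing field: {name}")
    return m.group(1)

def parse_time(value):
    """Parse an openssl-printed GMT timestamp into an aware UTC datetime."""
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)

def check_staple(text, now, renew_margin=timedelta(days=1)):
    """Return (usable, reason) for an OCSP status dump evaluated at `now` (UTC).

    Usable means the responder answered successfully, the certificate is 'good',
    and `now` lies inside the thisUpdate..nextUpdate window. A response that
    expires within `renew_margin` is still usable but flagged for refresh.
    """
    if not field(text, "OCSP Response Status").startswith("successful"):
        return False, "responder did not return a successful response"
    status = field(text, "Cert Status")
    if status != "good":
        return False, f"certificate status is '{status}'"
    this_update = parse_time(field(text, "This Update"))
    next_update = parse_time(field(text, "Next Update"))
    if now < this_update:
        return False, "response not yet valid (check clock skew)"
    if now > next_update:
        return False, f"response expired at {next_update:%Y-%m-%d %H:%M} UTC"
    if next_update - now < renew_margin:
        return True, "valid but expires soon; nginx should refetch the staple"
    return True, "valid"
```

Feed it the output of `openssl s_client -status` (or the dump from the menu above) and alert when `usable` is False or the reason mentions an imminent expiry.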