1

Topic: OCSP on iRedmail ?

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.3
- Linux/BSD distribution name and version: Debian 8
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): Mysql
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- Related log if you're reporting an issue:
====
Hi,
Is there a "special" way to implement OCSP?
I have followed documentation on internet, but I still have: OCSP response: no response sent

Thx


2

Re: OCSP on iRedmail ?

Excuse me, what do you mean "OCSP"?

3

Re: OCSP on iRedmail ?

Online Certificate Status Protocol (OCSP) record ....
The clients should verify the validity of the server certificate ....

ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

Thx

4

Re: OCSP on iRedmail ?

Well, I'm personally not familiar with OCSP, but searching "Linux OCSP" on Google shows many useful articles. And OCSP is not part of iRedMail, I'm so sorry that I can't help in this case. I suggest you wait for others' reply, or dig with Google.

5 (edited by SteveLuxe 2016-01-07 07:52:20)

Re: OCSP on iRedmail ?

I have OCSP Stapling enabled on one of my other servers, and my configuration is very similar to what you have listed.

ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.4.4 8.8.8.8 valid=300s;
resolver_timeout 10s;
ssl_trusted_certificate /path/to/ca-certs.pem;

You may need to specify where your intermediate certificates are located if you haven't already. Your server needs to be able to check the intermediate certificate. It's much more straightforward with Apache:

SSLCACertificateFile /path/to/ca-certs.pem
SSLUseStapling on

I've had success using both of these configurations for both Nginx and Apache.

OCSP Stapling is actually a really good way to help prevent man-in-the-middle attacks. It queries your certificate authority issuer and validates the status of your SSL Certificates, so that the client does not have to connect to your CA itself in order to validate your SSL Certificates. It can speed things up a bit when negotiating an SSL connection from client to server.

Here's a great link which explains in detail for both Apache & NGINX: https://www.digitalocean.com/community/ … -and-nginx
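To verify whether stapling is actually working after applying either configuration above, the check below (an added example, not from this thread or from iRedMail) drives the same `openssl s_client -status` handshake that produced the "OCSP response: no response sent" line in the question, and classifies the output. It assumes the `openssl` CLI is installed; the host name is whatever you pass as the first argument.

```shell
#!/bin/sh
# check_ocsp_stapling.sh: does a TLS server staple an OCSP response?
# Classifies the text printed by: openssl s_client -connect HOST:PORT -servername HOST -status
# Verdict is printed on stdout; return code: 0 = stapled and "good",
# 1 = stapled but not good (revoked/unknown), 2 = no OCSP response stapled.

# classify_status_output: read s_client output on stdin, print a one-word verdict
classify_status_output() {
    out=$(cat)
    case "$out" in
        *"OCSP response: no response sent"*)
            # The server negotiated TLS but did not include a stapled response:
            # typically ssl_stapling is off, the resolver is unreachable, or
            # ssl_trusted_certificate / the intermediate chain is missing.
            echo "none"; return 2 ;;
        *"OCSP Response Status: successful"*)
            case "$out" in
                *"Cert Status: good"*)    echo "good";    return 0 ;;
                *"Cert Status: revoked"*) echo "revoked"; return 1 ;;
                *)                        echo "unknown"; return 1 ;;
            esac ;;
    esac
    # Anything else (handshake failure, truncated output) is treated as "none"
    echo "none"; return 2
}

# check_host HOST [PORT]: perform a real handshake with -status and classify it.
# </dev/null closes the session right after the handshake; -servername sends SNI
# so name-based virtual hosts present the right certificate.
check_host() {
    host=$1; port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -status </dev/null 2>/dev/null \
        | classify_status_output
}

# Usage: ./check_ocsp_stapling.sh mail.example.com [443]
if [ -n "${1:-}" ]; then
    check_host "$@"
fi
```

Run it against your own mail host (e.g. on ports 443, 993 or 587) right after reloading Nginx or Apache; note that Nginx fetches the OCSP response lazily, so the very first handshake after a reload may still report "none" while the second one reports "good".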