* Enable OCSP stapling verification. Disable SSLv3.

Author: António P. P. Almeida

nginx.conf

@@ -22,9 +22,6 @@ http {
     include /etc/nginx/mime.types;
     default_type application/octet-stream;
 
-    ## FastCGI.
-    include /etc/nginx/fastcgi.conf;
-
     ## Default log and error files.
     access_log /var/log/nginx/access.log;
     error_log /var/log/nginx/error.log;
@@ -40,11 +37,6 @@ http {
     ## connections nginx accepts. 1m means 32000 simultaneous
     ## sessions. We need to define for each server the limit_conn
     ## value refering to this or other zones.
-    ## ** This syntax requires nginx version >=
-    ## ** 1.1.8. Cf. http://nginx.org/en/CHANGES. If using an older
-    ## ** version then use the limit_zone directive below
-    ## ** instead. Comment out this
-    ## ** one if not using nginx version >= 1.1.8.
     limit_conn_zone $binary_remote_addr zone=arbeit:10m;
 
     ## Define a zone for limiting the number of simultaneous
@@ -119,6 +111,9 @@ http {
 
     ## Enable OCSP stapling. A better way to revocate server certificates.
     ssl_stapling on;
+    ## Enable verification of OCSP stapling responses by the server.
+    ssl_stapling_verify on;
+
     ## Fill in with your own resolver.
     resolver 8.8.8.8;
 
@@ -157,6 +152,9 @@ http {
     ## See http://nginx.org/en/docs/hash.html
     variables_hash_max_size 1024;
 
+    ## FastCGI.
+    include /etc/nginx/fastcgi.conf;
+
     ## Include the upstream servers for PHP FastCGI handling config.
     ## This one uses the FCGI process listening on TCP sockets.
     include upstream_phpcgi_tcp.conf;
@@ -219,4 +217,3 @@ http {
     ## Include all vhosts.
     include /etc/nginx/sites-enabled/*;
 }
-