ilri / rmg-ansible-public

Ansible playbooks for ILRI research-computing infrastructure
GNU General Public License v3.0

roles/dspace: Enable nginx OCSP stapling on Ubuntu > 16.04 #76

Closed alanorth closed 7 years ago

alanorth commented 7 years ago

With OCSP stapling the HTTP server can give a cached OCSP response to the client, which saves the client from doing the lookup itself. This helps reduce the overhead from the TLS handshake.

Uses the Google public DNS servers (IPv4 and IPv6) by default, but can be overridden for groups and hosts to use specific ones from the hosting provider—Linode provides DNS servers that are one hop away from its VPSes, for example.

We've been waiting until our hosts were running openssl >= 1.0.2 to enable this (Ubuntu 16.04 in this case).

See: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling

See: https://developers.google.com/speed/public-dns/docs/using

See: https://github.com/ilri/DSpace/issues/38
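One way to confirm that a host is actually serving stapled responses once this is deployed, as an added example that is not part of this pull request or the repository: the script classifies the output of `openssl s_client -status`. The function names and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Classify `openssl s_client -status` output read on stdin:
#   stapled-good    response stapled, certificate status "good"
#   stapled-<x>     response stapled, other certificate status (e.g. revoked)
#   stapled-error   OCSP data stapled, but responder status not "successful"
#   not-stapled     server sent no OCSP response in the handshake
stapling_status() {
    awk '
        /OCSP response: no response sent/ { none = 1 }
        /OCSP Response Status:/           { seen = 1; ok = ($0 ~ /successful/) }
        /Cert Status:/ {
            sub(/.*Cert Status: */, ""); sub(/[ \t\r]+$/, ""); cert = $0
        }
        END {
            if (none || !seen)          print "not-stapled"
            else if (!ok || cert == "") print "stapled-error"
            else                        print "stapled-" cert
        }'
}

# Live check against a server (needs network; not called below).
# $1 = hostname; SNI is set so the right server block answers.
check_host() {
    openssl s_client -connect "$1:443" -servername "$1" -status \
        </dev/null 2>/dev/null | stapling_status
}

# Constructed samples of s_client output, trimmed to the relevant lines.
SAMPLE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    Next Update: Jan  8 00:00:00 2030 GMT'

SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent'

printf '%s\n' "$SAMPLE_STAPLED" | stapling_status
printf '%s\n' "$SAMPLE_NONE" | stapling_status
```

nginx fetches the OCSP response lazily, so the first handshake after a reload can report `not-stapled`; run `check_host` a second time before treating that result as a resolver or configuration problem.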