From cdbed3e7ad8104a1b21bc88e446fd87465182638 Mon Sep 17 00:00:00 2001
From: Grant Slater
Date: Thu, 22 Aug 2019 20:31:18 +0100
Subject: [PATCH] nginx: Add ssl_stapling validation

---
 cookbooks/nginx/templates/default/nginx.conf.erb | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/cookbooks/nginx/templates/default/nginx.conf.erb b/cookbooks/nginx/templates/default/nginx.conf.erb
index 4b2c15fa0..ae0d8bd41 100644
--- a/cookbooks/nginx/templates/default/nginx.conf.erb
+++ b/cookbooks/nginx/templates/default/nginx.conf.erb
@@ -40,6 +40,11 @@ http {
 ssl_session_cache shared:SSL:50m;
 ssl_session_timeout 30m;
 ssl_stapling on;
+
+ # Validate the stapling response is signed by a trusted certificate
+ ssl_stapling_verify on;
+ ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
+
 ssl_dhparam /etc/ssl/certs/dhparam.pem;
 resolver <%= @resolvers.join(" ") %>;
 resolver_timeout 5s;
-- 
2.43.2
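Review bot: Verification against `/etc/ssl/certs/ca-certificates.crt` only succeeds when the issuing intermediate is reachable, because the system bundle holds root CAs while OCSP responses are signed by the issuer (or a responder certificate the issuer delegates to); nginx's own documentation asks for the issuer, the root and all intermediates to be configured as trusted, so with this hunk each server's `ssl_certificate` chain has to carry the intermediate, and if it does not nginx logs the verification failure and silently serves the handshake without a staple. That failure mode is worth spelling out next to the new directive, e.g. `# Verification needs the issuing intermediate: ship it in ssl_certificate (fullchain) or add it here, otherwise nginx only logs the failure and serves no staple`. A second caveat: `ssl_trusted_certificate` is also the trust store for client-certificate verification, so if any server block under this http { } ever enables `ssl_verify_client`, every CA in the public bundle becomes an acceptable client-cert issuer; a comment such as `# Shared with ssl_verify_client - do not rely on this bundle for client auth` would prevent that surprise. The enclosing http { } block starts before and ends after the hunk.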