Commit 0c675570 authored by toastal

nixos/h2o: disable OCSP stapling w/ Let’s Encrypt (support sunset)

It was noted in the TLS recommendations comment, but it actually should
be disabled everywhere if ACME is used as H2O has it enabled by default.

More info: <https://letsencrypt.org/2024/12/05/ending-ocsp/>
parent 54c58104
+27 −18
@@ -165,13 +165,22 @@ let

                hasTLSRecommendations = tlsRecommendations != null && mozTLSRecs != null;

                # NOTE: Let’s Encrypt has sunset OCSP stapling. Mozilla’s
                # ssl-config-generator is at present still recommending this setting, but
                # this module will skip setting a stapling value as Let’s Encrypt +
                # ACME is the most likely use case.
                # ATTENTION: Let’s Encrypt has sunset OCSP stapling.
                tlsRecAttrs =
                  # If using ACME, this module will disable H2O’s default OCSP
                  # stapling.
                  #
                  # See: https://letsencrypt.org/2024/12/05/ending-ocsp/
                  lib.optionalAttrs (builtins.elem names.cert certNames.all) {
                    ocsp-update-interval = 0;
                  }
                  # Mozilla’s ssl-config-generator is at present still
                  # recommending this setting as well, but this module will
                  # skip setting a stapling value as Let’s Encrypt + ACME is
                  # the most likely use case.
                  #
                  # See: https://github.com/mozilla/ssl-config-generator/issues/323
                tlsRecAttrs = lib.optionalAttrs hasTLSRecommendations (
                  // lib.optionalAttrs hasTLSRecommendations (
                    let
                      recs = mozTLSRecs.${tlsRecommendations};
                    in
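Review bot: the ACME guard in this hunk is the left operand of `//`, so if the Mozilla-derived attrset built from `recs` on the right ever carries an `ocsp-update-interval` key, it will silently override `ocsp-update-interval = 0;` and re-enable stapling for an ACME certificate; since the comment above only says the module "will skip setting a stapling value" from the recommendations, either move the `lib.optionalAttrs (builtins.elem names.cert certNames.all) { ocsp-update-interval = 0; }` term to the end of the merge so it always wins, or state in the comment that the recommendation attrs are filtered so they can never contain that key. It would also help to say in the comment next to `builtins.elem names.cert certNames.all` that a non-ACME certificate intentionally keeps H2O's default stapling, since that is the behaviour the guard preserves and the commit message only describes the ACME side.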