Implement OCSP stapling

[konklone]

OCSP stapling is a method for checking whether the SSL certificate for a website has been revoked at the very same time as you connect to the website. The revocation data is "stapled" to the SSL response at connection time.

Without OCSP stapling, browsers which do revocation checking (e.g. Firefox, but not Chrome) have to hit a web API that SSL certificate authorities provide, that offer a list of revoked certificates. Doing this is slow, has poorer security properties, and is a privacy leak (it shares browsing data with CAs).

It's not yet enabled in our nginx configuration, as I have a little more research to do -- especially in figuring out the instrumentation to test whether OCSP stapling is actually working.

[konklone]

A note that SSLMate has an excellent blog post on OCSP stapling implementation in nginx and Apache:

https://sslmate.com/blog/post/ocsp_stapling_in_apache_and_nginx

[konklone]

This is an upstream request of Federalist, but I think CloudFront supports OCSP stapling, so this may be solved for now.

[wslack]

@konklone should we have an issue in the federaist repo?

[konklone]

@wslack Yeah, it looks like it. SSL Labs says no OCSP stapling for 18f.gsa.gov: https://www.ssllabs.com/ssltest/analyze.html?d=18f.gsa.gov&s=52.84.213.151