From 66db1f8fd075a0160915814b2a9d945f123efcf4 Mon Sep 17 00:00:00 2001
From: lub
Date: Sat, 12 Sep 2020 01:32:03 +0200
Subject: [PATCH 1/2] add OCSP stapling to nginx.conf

It's not added in tls.conf, because apparently the mail ssl module doesnt' support OCSP stapling.

https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
^ exists
https://nginx.org/en/docs/mail/ngx_mail_ssl_module.html#ssl_stapling
^ missing

When the configured certificate doesn't have OCSP information, it'll just log a warning during startup.
---
 core/nginx/conf/nginx.conf | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf
index 46db324f..bea822a5 100644
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@@ -58,6 +58,8 @@ http {
 listen [::]:443 ssl http2;
 include /etc/nginx/tls.conf;
+ ssl_stapling on;
+ ssl_stapling_verify on;
 ssl_session_cache shared:SSLHTTP:50m;
 add_header Strict-Transport-Security 'max-age=31536000';

From e8b67470800f7b9c0a808b9d0f71b5bd034e892f Mon Sep 17 00:00:00 2001
From: lub
Date: Sat, 12 Sep 2020 01:38:37 +0200
Subject: [PATCH 2/2] add newsfragemnt for #1618
---
 towncrier/newsfragments/1618.feature | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 towncrier/newsfragments/1618.feature

diff --git a/towncrier/newsfragments/1618.feature b/towncrier/newsfragments/1618.feature
new file mode 100644
index 00000000..443f2b5c
--- /dev/null
+++ b/towncrier/newsfragments/1618.feature
@@ -0,0 +1 @@
+Enable OCSP stapling for the http server within nginx.
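Review bot: `ssl_stapling_verify on;` only verifies anything if nginx can build the issuer chain, which in practice means `ssl_trusted_certificate` must point at the intermediate/root certificates; when it cannot, nginx logs a warning at startup and simply serves no stapled response, so the directive degrades silently rather than failing closed. `ssl_stapling on;` also depends on a `resolver` directive being in scope so the OCSP responder hostname can be looked up, and neither `resolver` nor `ssl_trusted_certificate` is visible in this hunk, so it is worth confirming they are set elsewhere in nginx.conf or the included tls.conf before relying on stapling. Because the failure mode is invisible to clients (the TLS handshake still succeeds, just without the status extension), I would add a comment above the new lines such as `# OCSP stapling needs a resolver and, for _verify, a trusted chain; nginx only warns if either is missing` and verify post-deploy that a stapled response is actually returned (e.g. `openssl s_client -status`). The enclosing `server { … }` block starts and ends outside the hunk.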