Should a website that uses the CloudFlare CDN (or any CDN, really), which already does OCSP stapling, also configure OCSP stapling on its own instance of Nginx to improve performance, if the "Full SSL" setting is used on CloudFlare?
In this setup, when a browser requests a page from a CloudFlare protected/cached site, it connects to CloudFlare using TLS, and CloudFlare then connects to the source web server using TLS to retrieve the freshly generated page. This means two sets of SSL negotiation are done, increasing the time required to retrieve the page. As an aside, with HTTP/2 the connection is typically only made once per website, regardless of the number of resources to download.
If CloudFlare checks the CRL for the source web server's certificate, I imagine OCSP stapling could reduce the checks required, and therefore the SSL setup time. However, I'm not an expert in this area, so I'd appreciate thoughts on this.
Some information from CloudFlare regarding whether it is helpful (which suggests it won't help performance):
Thanks for your question. At this time we don't do revocation checking on the certificates served by origin. We may at some point, however, so would suggest stapling OCSP if using a publicly trusted certificate (and not much difficulty).
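For anyone who decides to enable stapling on the origin anyway (CloudFlare's own advice above), here is an added example that is not part of the original question or of CloudFlare's or Nginx's documentation: a POSIX shell script that emits the Nginx directives needed for stapling and then checks from the client side whether a staple is actually delivered in the handshake. The chain file path, the resolver addresses and the function names are assumptions; adjust them to the deployment.

```shell
#!/bin/sh
# Added example, not from the original post. Emits an Nginx OCSP stapling
# snippet and verifies stapling with `openssl s_client -status`.

# Prints the stapling directives for an Nginx `server` block.
# $1 = path to a PEM file holding the intermediate and root CA certificates
#      (assumption: /etc/ssl/certs/origin-chain.pem or similar).
nginx_stapling_snippet() {
  cat <<EOF
# Nginx fetches the OCSP response for its own certificate and attaches it
# to the TLS handshake, so the client does not contact the CA's responder.
ssl_stapling on;
# Validate the fetched OCSP response before serving it to clients.
ssl_stapling_verify on;
# Chain used to validate the OCSP response (path is an assumption).
ssl_trusted_certificate $1;
# Nginx needs a resolver to look up the OCSP responder's hostname.
resolver 1.1.1.1 8.8.8.8 valid=300s;
resolver_timeout 5s;
EOF
}

# Reads `openssl s_client -status` output on stdin. Prints "stapled" and
# returns 0 only when a successful OCSP response was part of the handshake;
# otherwise prints "not-stapled" and returns 1.
ocsp_staple_status() {
  if grep -q 'OCSP Response Status: successful'; then
    echo stapled
    return 0
  fi
  echo not-stapled
  return 1
}

# Live check against an origin (needs network access; the test below does
# not call this). $1 = hostname, $2 = port (default 443).
check_stapling() {
  host=$1
  port=${2:-443}
  openssl s_client -connect "$host:$port" -servername "$host" -status \
    </dev/null 2>/dev/null | ocsp_staple_status
}
```

One caveat a practitioner will hit: Nginx only fetches the OCSP response lazily, on the first handshake after a (re)start, so the first `check_stapling` run after reloading the config normally reports "not-stapled"; run it a second time before concluding that stapling is broken.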
To reiterate, the official response from CloudFlare is:
At this time we don't do revocation checking on the certificates served by origin. We may at some point, however, so would suggest stapling OCSP if using a publicly trusted certificate (and not much difficulty).
To verify this, I did a test run with stapling both off and on; the results are below. My methodology was to run five webpagetest.org tests each with the setting on and off, take the median run, and average those. I ran the tests twice from each location with the setting both on and off.
The result is that stapling is 2.5% faster, but I suspect that is within the margin of error, so there's no significant difference.