amuck-landowner

OCSP Stapling on Apache2 or nginx

Raymii

OCSP stapling is an enhancement to the standard OCSP protocol that delivers OCSP responses from the server with the certificate, eliminating the need for relying parties (web users) to check OCSP responses with the issuing CA. This has the effect of reducing bandwidth, improving perceived site performance, and increasing security for everyone involved in establishing the secure session.

What is OCSP Stapling

OCSP stapling is defined in IETF RFC 6066. The term "stapling" is a popular term used to describe how the OCSP response is obtained by the web server. The web server caches the response from the CA that issued the certificate. When an SSL/TLS handshake is initiated, the web server returns the response to the client by attaching the cached OCSP response to the CertificateStatus message. To make use of OCSP stapling, a client must include the "status_request" extension in its SSL/TLS Client "Hello" message.
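An added example, not from the original post or the linked tutorials, that encodes the client's status_request extension and parses the server's CertificateStatus message as laid out in RFC 6066, then reads the responseStatus of the stapled OCSPResponse; the sample response bytes are constructed for the example, not taken from a real responder.

```python
import struct
EXT_STATUS_REQUEST = 5      # RFC 6066: status_request extension type
STATUS_TYPE_OCSP = 1        # CertificateStatusType.ocsp
HS_CERTIFICATE_STATUS = 22  # HandshakeType.certificate_status
# OCSPResponseStatus values from RFC 6960 (value 4 is unused by the spec)
OCSP_STATUS_NAMES = {0: "successful", 1: "malformedRequest", 2: "internalError",
                     3: "tryLater", 5: "sigRequired", 6: "unauthorized"}
# Constructed sample (not real responder output): minimal DER OCSPResponse with only responseStatus = unauthorized(6)
SAMPLE_OCSP_RESPONSE = bytes.fromhex("30030a0106")

def build_status_request_extension():
    """ClientHello status_request: type | length | status_type | responder_id_list<> | request_extensions<> (both empty)."""
    body = struct.pack("!BHH", STATUS_TYPE_OCSP, 0, 0)
    return struct.pack("!HH", EXT_STATUS_REQUEST, len(body)) + body

def build_certificate_status(ocsp_response_der):
    """Server side: wrap a DER OCSPResponse in a CertificateStatus handshake message."""
    body = bytes([STATUS_TYPE_OCSP]) + len(ocsp_response_der).to_bytes(3, "big") + ocsp_response_der
    return bytes([HS_CERTIFICATE_STATUS]) + len(body).to_bytes(3, "big") + body

def parse_certificate_status(handshake):
    """Client side: return the DER OCSPResponse from a CertificateStatus message, rejecting malformed or empty staples."""
    if len(handshake) < 8 or handshake[0] != HS_CERTIFICATE_STATUS:
        raise ValueError("not a complete CertificateStatus message")
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    if len(body) != body_len or body[0] != STATUS_TYPE_OCSP:
        raise ValueError("bad body length or unsupported status_type")
    resp_len = int.from_bytes(body[1:4], "big")
    response = body[4:4 + resp_len]
    if resp_len == 0 or len(response) != resp_len:
        raise ValueError("OCSPResponse length mismatch")
    return response

def _der_length(buf, i):
    """Decode a DER length at buf[i]; returns (length, index of first content byte)."""
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def ocsp_response_status(der):
    """Read responseStatus from the outer OCSPResponse SEQUENCE; only 'successful' means a signed BasicOCSPResponse follows."""
    if not der or der[0] != 0x30:
        raise ValueError("OCSPResponse must start with a DER SEQUENCE")
    _, i = _der_length(der, 1)
    if der[i] != 0x0A or der[i + 1] != 1:
        raise ValueError("expected a one-byte ENUMERATED responseStatus")
    return der[i + 2], OCSP_STATUS_NAMES.get(der[i + 2], "unknown")
```

A client that receives a staple whose status is anything other than "successful" has no signed status to verify and must fall back to its own OCSP query or to its soft-fail/hard-fail policy.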

OCSP stapling presents several advantages including the following:

  • The relying party receives the status of the web server's certificate when it is needed (during the SSL/TLS handshake).
  • No additional HTTP connection needs to be set up with the issuing CA.
  • OCSP stapling provides added security by reducing the number of attack vectors.

Read one of the following links for more information on OCSP and OCSP stapling.

Requirements

You need Apache 2.3.3 or later plus OpenSSL 0.9.8h or later for this to work. This is not available in the current Ubuntu LTS release (12.04), which ships 2.2.22; CentOS 6 has 2.2.15. Either search for PPAs/unofficial repositories or compile them yourself.

For nginx you need at least nginx 1.3.7. This is not available in the current Ubuntu LTS release (12.04), which ships 1.1.19; on CentOS you need EPEL or the official repositories. However, it is easy to install the latest version of nginx.

You also need to create a firewall exception to allow your server to make outbound connections to the upstream OCSP responders. You can view all OCSP URIs from a website using this one-liner:


OLDIFS=$IFS; IFS=':' certificates=$(openssl s_client -connect google.com:443 -showcerts -tlsextdebug -tls1 2>&1 </dev/null | sed -n '/-----BEGIN/,/-----END/ {/-----BEGIN/ s/^/:/; p}'); for certificate in ${certificates#:}; do echo $certificate | openssl x509 -noout -ocsp_uri; done; IFS=$OLDIFS

It results for google.com in:

http://clients1.google.com/ocsp
http://gtglobal-ocsp.geotrust.com

Replace google.com with your domain. Also note that you need the GNU version of sed and bash. It does not work on OS X or BSD.

View the full tutorial for NGINX: https://raymii.org/s/tutorials/OCSP_Stapling_on_nginx.html

View the full tutorial for Apache2: https://raymii.org/s/tutorials/OCSP_Stapling_on_Apache2.html
 