How To Configure OCSP Stapling
OCSP (Online Certificate Status Protocol) is a protocol for checking whether an SSL certificate has been revoked. It was created as an alternative to CRL to reduce the SSL negotiation time. With a CRL (Certificate Revocation List) the browser downloads a list of revoked certificate serial numbers and checks the current certificate against it, which increases the SSL negotiation time. With OCSP the browser sends a request to an OCSP URL and receives a response containing the validity status of the certificate.
OCSP has two major issues:
- Privacy – Since OCSP requires the browser to contact the CA to confirm certificate validity it compromises privacy. The CA knows what website is being accessed and who accessed it.
- Load – If an HTTPS website gets lots of visitors the CA’s OCSP server has to handle all the OCSP requests made by the visitors.
When OCSP stapling is implemented the certificate holder queries the OCSP server themselves and caches the response. This response is “stapled” with the TLS/SSL Handshake via the Certificate Status Request extension response. As a result the CA’s servers are not burdened with requests and browsers no longer need to disclose users’ browsing habits to any third party.
Check for OCSP stapling support
OCSP stapling is supported on
- Apache HTTP Server (>=2.3.3)
- Nginx (>=1.3.7)
Please check the version of your installation with the following commands before proceeding.
Apache:
apache2 -v
Nginx:
nginx -v
Implement OCSP
If you followed our tutorial on How to create your own certificate authority you can now use this section to extend the capabilities of your CA. If not, you can skip to the next section.
Assuming that you already have an OpenSSL Certificate Authority set up, you will need to make a couple of changes to your openssl.cnf file.
Add a new line to the usr_cert stanza
[ usr_cert ]
authorityInfoAccess = OCSP;URI:http://<uri to server>
Create a new stanza
[ v3_OCSP ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = OCSPSigning
For this example, the OCSP server will be running on n0where.net on port 8888, so the authorityInfoAccess line will look like:
authorityInfoAccess = OCSP;URI:http://n0where.net:8888
This line will add a new attribute to issued certs that tells clients where the CA’s OCSP server is located so they can check the validity of the cert. The new v3 template assigns a necessary attribute “OCSPSigning” to any certificate issued under this template. We will need to issue an OCSP signing certificate to the OCSP server with the OCSPSigning attribute, otherwise signature verification will fail when a cert is being checked. This is the first thing we will do:
openssl req -new -nodes -out n0where.net.csr -keyout n0where.net.key -extensions v3_OCSP
Sign the request with the CA signing key:
openssl ca -in n0where.net.csr -out n0where.net.crt -extensions v3_OCSP
OpenSSL should show the signing request; look for this in the X509v3 extensions:
X509v3 Extended Key Usage:
OCSP Signing
Sign and commit the request. Now, issue a throwaway cert and sign it:
openssl req -new -nodes -out dummy.n0where.net.csr -keyout dummy.n0where.net.key
openssl ca -in dummy.n0where.net.csr -out dummy.n0where.net.crt
Next, start up the OCSP server.
openssl ocsp -index /etc/pki/CA/index.txt -port 8888 -rsigner n0where.net.crt -rkey n0where.net.key -CA /etc/pki/CA/cacert.pem -text -out log.txt
Once the dummy cert has been issued and the OCSP server started, we can test the cert using the “openssl ocsp” command. To verify a certificate with OpenSSL, the command syntax is:
openssl ocsp -CAfile <cafile pem> -issuer <issuing ca pem> -cert <certificate to check> -url <url to OCSP server> -resp_text
Test our dummy file:
openssl ocsp -CAfile cacert.pem -issuer cacert.pem -cert dummy.n0where.net.crt -url http://n0where.net:8888 -resp_text
There’s going to be a large block of text flooding the screen. Some of the more important text:
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
…
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 922CD93C975EDC121DB25B1A55BA9B544E06F9B3
Issuer Key Hash: 322A8DBF79BE1A934543DC4F24FC69220A2803BA
Serial Number: 06
Cert Status: good
…
Response verify OK
dummy.n0where.net.crt: good
This Update: Nov 17 15:55:54 2014 GMT
Now revoke the cert, regenerate the CRL and restart the OCSP server (the server must be restarted every time a cert is issued or revoked). If the OCSP signing certificate was not issued with the OCSPSigning attribute, OpenSSL will gripe that the verification did not work properly. Reissue the signing cert with the OCSPSigning attribute for the server.
openssl ca -revoke /etc/pki/CA/newcerts/06.pem
openssl ca -gencrl -out /etc/pki/CA/crl.pem
Now we can verify the certificate again:
openssl ocsp -CAfile /etc/pki/CA/cacert.pem -issuer /etc/pki/CA/cacert.pem -cert dummy.n0where.net.crt -url http://n0where.net:8888 -resp_text
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
…
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 922CD93C975EDC121DB25B1A55BA9B544E06F9B3
Issuer Key Hash: 322A8DBF79BE1A934543DC4F24FC69220A2803BA
Serial Number: 06
Cert Status: revoked
Revocation Time: Nov 17 16:07:36 2014 GMT
This Update: Nov 17 16:12:08 2014 GMT
…
Response verify OK
dummy.n0where.net.crt: revoked
This Update: Nov 17 16:12:08 2014 GMT
Revocation Time: Nov 17 16:07:36 2014 GMT
If you were to install this cert on a website, and the CA certificate was installed, any modern browser should refuse to connect to the site as the cert has been revoked.
Configuring OCSP Stapling on Apache
Edit the SSL virtual hosts file and place these lines inside the <VirtualHost></VirtualHost> directive.
sudo nano /etc/apache2/sites-enabled/n0where.net.ssl.conf
SSLCACertificateFile /etc/ssl/ca-certs.pem
SSLUseStapling on
A cache location has to be specified outside <VirtualHost></VirtualHost>.
sudo nano /etc/apache2/sites-enabled/n0where.net.ssl.conf
SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
The virtual host file will look like this:
/etc/apache2/sites-enabled/n0where.net.ssl.conf
<IfModule mod_ssl.c>
    SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
    <VirtualHost *:443>
        ServerAdmin admin@n0where.net
        ServerName n0where.net
        DocumentRoot /var/www
        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/n0where.net/apache.crt
        SSLCertificateKeyFile /etc/apache2/ssl/n0where.net/apache.key
        SSLCACertificateFile /etc/ssl/ca-certs.pem
        SSLUseStapling on
    </VirtualHost>
</IfModule>
Do a configtest to check for errors.
apachectl -t
Reload if Syntax OK is displayed.
service apache2 reload
Access the website on IE (on Vista and above) or Firefox 26+ and check the error log.
tail /var/log/apache2/error.log
If the file defined in the SSLCACertificateFile directive is missing, a certificate error similar to the following is displayed.
[Mon Nov 17 17:36:44.055900 2014] [ssl:error] [pid 1491:tid 139921007208320] AH02217: ssl_stapling_init_cert: Can't retrieve issuer certificate!
[Mon Nov 17 23:36:44.056018 2014] [ssl:error] [pid 1491:tid 139921007208320] AH02235: Unable to configure server certificate for stapling
Configuring OCSP stapling on Nginx
Edit the SSL virtual hosts file and place the following directives inside the server {} section.
sudo nano /etc/nginx/sites-enabled/n0where.net.ssl
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/private/ca-certs.pem;
The Nginx virtual host file will look like this:
/etc/nginx/sites-enabled/n0where.net.ssl
server {
    listen 443;
    server_name n0where.net;
    root /usr/share/nginx/www;
    index index.html index.htm;
    ssl on;
    ssl_certificate /etc/nginx/ssl/n0where.net/server.crt;
    ssl_certificate_key /etc/nginx/ssl/n0where.net/server.key;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/private/ca-certs.pem;
}
Do a configtest to see if everything is correct.
service nginx configtest
Then reload the nginx service.
service nginx reload
Access the website on IE (on Vista and above) or Firefox 26+ and check the error log.
tail /var/log/nginx/error.log
If the file defined in ssl_trusted_certificate is missing a certificate, an error similar to the following is displayed:
2014/11/17 17:55:16 [error] 1580#0: OCSP_basic_verify() failed (SSL: error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:Verify error:unable to get local issuer certificate) while requesting certificate status, responder: {your certificate provider}
If no such errors are displayed proceed to the next step.
Testing OCSP Stapling
This command’s output displays a section which says if your web server responded with OCSP data. We grep this particular section and display it.
echo QUIT | openssl s_client -connect n0where.net:443 -status 2> /dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'
Replace n0where.net with your domain name. If OCSP stapling is working properly the following output is displayed.
OCSP response:
======================================
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: 4C58CB25F0414F52F428C881439BA6A8A0E692E5
Produced At: Nov 17 08:47:00 2014 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: B8A299F09D061DD5C1588F76CC89FF57092B94DD
Issuer Key Hash: 4C58CB25F0414F52F428C881439BA6A8A0E692E5
Serial Number: 0161FF00CCBFF6C07D2D3BB4D8340A23
Cert Status: good
This Update: Nov 17 08:45:00 2014 GMT
Next Update: Nov 20 09:00:00 2014 GMT
No output is displayed if OCSP stapling is not working.
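For monitoring, the text printed by "openssl ocsp -resp_text" in the CA section and by "openssl s_client -status" above can be reduced to a single verdict. The script below is an added example, not part of the original tutorial; the function names, the NOW argument and the sample text are constructed for illustration. It also flags a response that is past its Next Update, which the grep test above does not check.

```shell
#!/bin/sh
# Added example (not from the original page): turn the OCSP text printed by
# `openssl ocsp -resp_text` or `openssl s_client -status` into one verdict.

# "Nov 20 09:00:00 2014 GMT" -> 20141120090000 (sortable; avoids GNU-only `date -d`).
to_stamp() {
    awk '{ m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $1) + 2) / 3
           gsub(":", "", $3); printf "%04d%02d%02d%s\n", $4, m, $2, $3 }'
}

# First value of a "Label: value" line; $1 is the OCSP text, $2 the label.
field() {
    printf '%s\n' "$1" | sed -n "s/^ *$2: *//p" | head -n 1
}

# ocsp_verdict [NOW]: reads OCSP text on stdin and prints one of
# good | revoked | unknown | stale | error | no-response.
# NOW is a UTC stamp YYYYMMDDhhmmss (hypothetical test hook); default is the current time.
ocsp_verdict() {
    now=${1:-$(date -u +%Y%m%d%H%M%S)}
    text=$(cat)
    resp=$(field "$text" 'OCSP Response Status')
    [ -n "$resp" ] || { echo no-response; return 0; }
    case $resp in successful*) ;; *) echo error; return 0 ;; esac
    next=$(field "$text" 'Next Update')
    # A response past its Next Update is stale, whatever status it carries.
    if [ -n "$next" ] && [ "$now" -gt "$(printf '%s\n' "$next" | to_stamp)" ]; then
        echo stale; return 0
    fi
    case $(field "$text" 'Cert Status') in
        good) echo good ;;
        revoked) echo revoked ;;
        *) echo unknown ;;
    esac
}

# Constructed sample, modelled on the stapled response shown above.
SAMPLE='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
    This Update: Nov 17 08:45:00 2014 GMT
    Next Update: Nov 20 09:00:00 2014 GMT'

# Live use (replace the host name with your own):
#   echo QUIT | openssl s_client -connect n0where.net:443 -status 2>/dev/null | ocsp_verdict
```

A response without a Next Update line, such as the ones from the test responder in the CA section, skips the staleness check and is judged on its Cert Status alone.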