<div dir="ltr">Great initiative!</div><div class="gmail_extra"><br clear="all"><div><div dir="ltr"><span style="color:rgb(136,136,136)">-- </span><br style="color:rgb(136,136,136)"><div dir="ltr"><font color="#999999" style="color:rgb(136,136,136)"><b>Chema López</b></font><div>
<font color="#999999"><b>Project Manager - Technical Department</b></font></div><div style="color:rgb(136,136,136)"><font color="#999999"><b>AC Firmaprofesional, S.A.</b></font><br></div><div style="color:rgb(136,136,136)">
<br></div><div style="color:rgb(136,136,136)"><font color="#999999">Edificio ESADECREAPOLIS - 1B13</font></div><div style="color:rgb(136,136,136)"><font color="#999999">08173 Sant Cugat del Vallès, Barcelona. </font></div>
<div style="color:rgb(136,136,136)"><font color="#999999">T. 934 774 245</font></div><div style="color:rgb(136,136,136)"><font color="#999999">M. 666 429 224</font></div><div style="color:rgb(136,136,136)"></div></div></div>
</div>
<br><br><div class="gmail_quote">On Tue, Jul 8, 2014 at 7:28 PM, Ben Wilson <span dir="ltr"><<a href="mailto:ben@digicert.com" target="_blank">ben@digicert.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple"><div><p class="MsoNormal">One of the agenda items we discussed at the face-to-face was the poor adoption of OCSP stapling in Apache and nginx because it is not turned on by default. While it would be great if Apache and nginx could just turn on OCSP stapling by default, to move this forward we should post instructions on the web site for configuring OCSP stapling manually on these platforms. <u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">Here are the beginnings of a web page on implementing OCSP stapling. (Or we could figure out how to leverage these pages by Remy van Elst - <a href="https://raymii.org/s/tutorials/OCSP_Stapling_on_Apache2.html" target="_blank">https://raymii.org/s/tutorials/OCSP_Stapling_on_Apache2.html</a> and <a href="https://raymii.org/s/tutorials/OCSP_Stapling_on_nginx.html" target="_blank">https://raymii.org/s/tutorials/OCSP_Stapling_on_nginx.html</a>, or by someone else.) <u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal"><b>What is OCSP Stapling?</b><u></u><u></u></p><p class="MsoNormal">The Online Certificate Status Protocol (OCSP) is a method that clients (browsers and operating systems) use to obtain the validity status of an X.509 digital certificate. OCSP without stapling requires that the client make an additional request during its TLS handshake with the server in order to obtain that certificate status. OCSP stapling allows the server to pre-fetch and cache the OCSP response and deliver it to the client whenever the client indicates that it supports OCSP stapling. OCSP stapling results in faster page loads and increases privacy because the client does not need to communicate with the CA about its site visits. <u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal"><b>How do I enable OCSP Stapling?<u></u><u></u></b></p><p class="MsoNormal">OCSP stapling is currently supported by default in IIS 7+, but if you are using Apache 2.4+ or Nginx 1.7.3+, you can also enable OCSP stapling relatively easily by adding a few directives to your server’s configuration file(s). If you operate in a more complex, shared, or load-balanced system, then the following instructions may not suffice. <u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">Also, make sure that your server can make an outbound connection to your CA’s OCSP responder(s) by configuring your hosts table, firewall ports, etc., and then test for connectivity and retrieval of OCSP responses by your server. <u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p><table border="1" cellspacing="0" cellpadding="0" style="border-collapse:collapse;border:none"><tbody><tr><td width="307" valign="top" style="width:184.2pt;border:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal"><u></u> <u></u></p></td><td width="499" valign="top" style="width:299.25pt;border:solid windowtext 1.0pt;border-left:none;padding:0in 5.4pt 0in 5.4pt"><p class="MsoNormal"><b>Apache 2.4+<u></u><u></u></b></p>
</td><td width="499" valign="top" style="width:299.25pt;border:solid windowtext 1.0pt;border-left:none;padding:0in 5.4pt 0in 5.4pt"><p class="MsoNormal"><b>Nginx 1.7.3+<u></u><u></u></b></p></td></tr><tr><td width="307" valign="top" style="width:184.2pt;border:solid windowtext 1.0pt;border-top:none;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal">Check your version<u></u><u></u></p></td><td width="499" valign="top" style="width:299.25pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal">apache2 -v<u></u><u></u></p></td><td width="499" valign="top" style="width:299.25pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal">nginx -v<u></u><u></u></p></td></tr><tr><td width="307" valign="top" style="width:184.2pt;border:solid windowtext 1.0pt;border-top:none;padding:0in 5.4pt 0in 5.4pt"><p class="MsoNormal">File to modify<u></u><u></u></p>
</td><td width="499" valign="top" style="width:299.25pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt"><p class="MsoNormal">Virtual Host (or conf in sites-enabled if no virtual hosts are used)<u></u><u></u></p>
</td><td width="499" valign="top" style="width:299.25pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt"><p class="MsoNormal">nginx.conf<u></u><u></u></p>
</td></tr><tr><td width="307" valign="top" style="width:184.2pt;border:solid windowtext 1.0pt;border-top:none;padding:0in 5.4pt 0in 5.4pt"><p class="MsoNormal">Edit configuration file<u></u><u></u></p><p class="MsoNormal">
(CentOS/Fedora users replace apache2 with httpd)<u></u><u></u></p></td><td width="499" valign="top" style="width:299.25pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal">sudo nano /etc/apache2/sites-enabled/example.com-ssl.conf<u></u><u></u></p></td><td width="499" valign="top" style="width:299.25pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal">sudo nano /etc/nginx/ssl/nginx.conf<u></u><u></u></p><p class="MsoNormal">sudo nano /etc/nginx/sites-enabled/example.com.ssl<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">
server {<u></u><u></u></p></td></tr><tr><td width="307" valign="top" style="width:184.2pt;border:solid windowtext 1.0pt;border-top:none;padding:0in 5.4pt 0in 5.4pt"><p class="MsoNormal"># listen on port 443<u></u><u></u></p>
</td><td width="499" valign="top" style="width:299.25pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt"><p class="MsoNormal"> VirtualHost _default_:443<u></u><u></u></p>
</td><td width="499" valign="top" style="width:299.25pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt"><p class="MsoNormal"> listen 443; …<u></u><u></u></p>
</td></tr><tr><td width="307" valign="top" style="width:184.2pt;border:solid windowtext 1.0pt;border-top:none;padding:0in 5.4pt 0in 5.4pt"><p class="MsoNormal"># turn on SSL<u></u><u></u></p></td><td width="499" valign="top" style="width:299.25pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal"> SSLEngine on …<u></u><u></u></p></td><td width="499" valign="top" style="width:299.25pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal"> ssl on; …<u></u><u></u></p></td></tr><tr><td width="307" valign="top" style="width:184.2pt;border:solid windowtext 1.0pt;border-top:none;padding:0in 5.4pt 0in 5.4pt"><p class="MsoNormal"># enable ocsp stapling<u></u><u></u></p>
</td><td width="499" valign="top" style="width:299.25pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt"><p class="MsoNormal"> SSLUseStapling on<u></u><u></u></p>
</td><td width="499" valign="top" style="width:299.25pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt"><p class="MsoNormal"> ssl_stapling on;<u></u><u></u></p>
</td></tr><tr><td width="307" valign="top" style="width:184.2pt;border:solid windowtext 1.0pt;border-top:none;padding:0in 5.4pt 0in 5.4pt"><p class="MsoNormal"># point to DNS server <u></u><u></u></p></td><td width="499" valign="top" style="width:299.25pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal"><u></u> <u></u></p></td><td width="499" valign="top" style="width:299.25pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal"> resolver 192.168.1.1;<u></u><u></u></p></td></tr><tr><td width="307" valign="top" style="width:184.2pt;border:solid windowtext 1.0pt;border-top:none;padding:0in 5.4pt 0in 5.4pt"><p class="MsoNormal">
# enable server to check OCSP<u></u><u></u></p></td><td width="499" valign="top" style="width:299.25pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal"><u></u> <u></u></p></td><td width="499" valign="top" style="width:299.25pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal"> ssl_stapling_verify on;<u></u><u></u></p></td></tr><tr><td width="307" valign="top" style="width:184.2pt;border:solid windowtext 1.0pt;border-top:none;padding:0in 5.4pt 0in 5.4pt"><p class="MsoNormal">
# set seconds to wait for OCSP response from CA<u></u><u></u></p></td><td width="499" valign="top" style="width:299.25pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal">SSLStaplingResponderTimeout 5<u></u><u></u></p></td><td width="499" valign="top" style="width:299.25pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal"># the ssl_stapling_verify directive requires a fully trusted certificate chain as specified in the ssl_trusted_certificate<u></u><u></u></p><p class="MsoNormal">directive below<u></u><u></u></p></td>
</tr>
<tr><td width="307" valign="top" style="width:184.2pt;border:solid windowtext 1.0pt;border-top:none;padding:0in 5.4pt 0in 5.4pt"><p class="MsoNormal"># prevent user error messages<u></u><u></u></p></td><td width="499" valign="top" style="width:299.25pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal">SSLStaplingReturnResponderErrors off<u></u><u></u></p></td><td width="499" valign="top" style="width:299.25pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal"><u></u> <u></u></p></td></tr><tr><td width="307" valign="top" style="width:184.2pt;border:solid windowtext 1.0pt;border-top:none;padding:0in 5.4pt 0in 5.4pt"><p class="MsoNormal"># point to trusted certificate chain PEM file (all certificates: root, intermediate, and server)<u></u><u></u></p>
</td><td width="499" valign="top" style="width:299.25pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt"><p class="MsoNormal">SSLCACertificateFile /etc/ssl/apache2/my_ca.crt<u></u><u></u></p>
</td><td width="499" valign="top" style="width:299.25pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt"><p class="MsoNormal">ssl_trusted_certificate /etc/nginx/ssl/mysite.crt;<u></u><u></u></p>
</td></tr><tr><td width="307" valign="top" style="width:184.2pt;border:solid windowtext 1.0pt;border-top:none;padding:0in 5.4pt 0in 5.4pt"><p class="MsoNormal"># specify cached response location<u></u><u></u></p></td><td width="499" valign="top" style="width:299.25pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal">SSLStaplingCache shmcb:/var/run/ocsp(128000)<u></u><u></u></p></td><td width="499" valign="top" style="width:299.25pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal">ssl_stapling_file ocsp_response;<u></u><u></u></p></td></tr><tr><td width="806" colspan="2" valign="top" style="width:483.45pt;border:solid windowtext 1.0pt;border-top:none;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal"># SSLStaplingCache must point to location outside of VirtualHost folder or Apache will not start<u></u><u></u></p></td><td width="499" valign="top" style="width:299.25pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal">}<u></u><u></u></p></td></tr><tr><td width="307" valign="top" style="width:184.2pt;border:solid windowtext 1.0pt;border-top:none;padding:0in 5.4pt 0in 5.4pt"><p class="MsoNormal">Test before reloading<u></u><u></u></p>
</td><td width="499" valign="top" style="width:299.25pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt"><p class="MsoNormal">apachectl -t<u></u><u></u></p>
</td><td width="499" valign="top" style="width:299.25pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt"><p class="MsoNormal">service nginx configtest<u></u><u></u></p>
</td></tr><tr><td width="307" valign="top" style="width:184.2pt;border:solid windowtext 1.0pt;border-top:none;padding:0in 5.4pt 0in 5.4pt"><p class="MsoNormal">Restart if OK<u></u><u></u></p></td><td width="499" valign="top" style="width:299.25pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal">service apache2 reload<u></u><u></u></p></td><td width="499" valign="top" style="width:299.25pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal">nginx -s reload<u></u><u></u></p></td></tr></tbody></table><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal"><b>For </b>additional <b>Apache</b> configuration options, see <a href="http://httpd.apache.org/docs/trunk/mod/mod_ssl.html" target="_blank">http://httpd.apache.org/docs/trunk/mod/mod_ssl.html</a> <u></u><u></u></p>
<p class="MsoNormal"><b>For </b>additional<b> nginx </b>configuration options, see <a href="http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling" target="_blank">http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling</a> and <a href="http://nginx.com/wp-content/uploads/2014/03/nginx-modules-reference-r3.pdf" target="_blank">http://nginx.com/wp-content/uploads/2014/03/nginx-modules-reference-r3.pdf</a>.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal"><u></u> <u></u></p></div></div><br>_______________________________________________<br>
Public mailing list<br>
<a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>
<a href="https://cabforum.org/mailman/listinfo/public" target="_blank">https://cabforum.org/mailman/listinfo/public</a><br>
<br></blockquote></div><br></div>
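The quoted message asks operators to test that the server actually retrieves and staples OCSP responses after the directives above are in place. The script below is an added example, not part of Ben Wilson's message or of any CA/B Forum page: it classifies the text that `openssl s_client -status` prints (the `-status` option is the real OpenSSL flag that requests a stapled response) so the result can be checked in a deployment script rather than read by eye. The two sample outputs embedded in it are constructed to match OpenSSL's output format, not captured from any real host, and the function names (`classify_stapling`, `stapling_next_update`, `check_stapling_live`) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original message or any CA/B Forum page:
# classify what a server hands back when a client asks for a stapled OCSP
# response, using the text that `openssl s_client -status` prints.
# The two sample outputs below are CONSTRUCTED to match that format; they
# are not captured from any real host.

SAMPLE_STAPLED_GOOD='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Responses:
    Cert Status: good
    This Update: Jul  8 12:00:00 2014 GMT
    Next Update: Jul 15 12:00:00 2014 GMT
======================================
---
Certificate chain
 0 s:/CN=example.com'

SAMPLE_NOT_STAPLED='CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain
 0 s:/CN=example.com'

# classify_stapling OUTPUT
# Prints one word on stdout:
#   not-stapled      server sent no OCSP response (stapling off, or not
#                    fetched yet: nginx fetches it after the first handshake)
#   stapled-good     a successful response is stapled and says "good"
#   stapled-revoked  a successful response is stapled and says "revoked"
#   stapled-other    a response is stapled but is unusable (responder error
#                    or unknown status); check responder reachability and
#                    the trusted chain file named in the configuration
classify_stapling() {
    out="$1"
    if printf '%s\n' "$out" | grep -q '^OCSP response: no response sent'; then
        echo not-stapled
        return 0
    fi
    if ! printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        echo stapled-other
        return 0
    fi
    status=$(printf '%s\n' "$out" | sed -n 's/^ *Cert Status: *//p' | head -n 1)
    case "$status" in
        good)    echo stapled-good ;;
        revoked) echo stapled-revoked ;;
        *)       echo stapled-other ;;
    esac
    return 0
}

# stapling_next_update OUTPUT
# Prints the "Next Update" time of the stapled response, or nothing if absent.
# A server still serving a response past this time is not refreshing its cache.
stapling_next_update() {
    printf '%s\n' "$1" | sed -n 's/^ *Next Update: *//p' | head -n 1
}

# check_stapling_live HOST [PORT]
# Performs a real handshake (needs network access) and prints the classification.
check_stapling_live() {
    host="$1"
    port="${2:-443}"
    out=$(printf '' | openssl s_client -connect "$host:$port" \
          -servername "$host" -status 2>/dev/null)
    classify_stapling "$out"
}

# Offline demonstration on the constructed samples:
#   classify_stapling "$SAMPLE_STAPLED_GOOD"   -> stapled-good
#   classify_stapling "$SAMPLE_NOT_STAPLED"    -> not-stapled
```

Run `check_stapling_live example.com` twice after reloading nginx: the first handshake after a reload may report `not-stapled` because nginx fetches the OCSP response lazily, so only a repeated `not-stapled` indicates that the directives, the resolver, or outbound access to the responder need attention. Anything other than `stapled-good` on a certificate that should be valid is worth alerting on, since clients that honour the `must-staple` semantics or simply cannot reach the responder will otherwise see errors your own browser may not.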