[cabfpub] OCSP Stapling in Apache and nginx

Ben Wilson ben at digicert.com
Tue Jul 8 17:28:04 UTC 2014


One of the agenda items we discussed at the face-to-face was the poor
adoption of OCSP stapling in Apache and nginx because it is not turned on by
default.  While it would be great if Apache and nginx could just turn on
OCSP stapling by default, to move this forward we should post instructions
on the web site for configuring OCSP stapling manually on these platforms.  

 

Here are the beginnings of a web page on implementing OCSP stapling.  (Or we
could figure out how to leverage these pages by Remy van Elst -
https://raymii.org/s/tutorials/OCSP_Stapling_on_Apache2.html and
https://raymii.org/s/tutorials/OCSP_Stapling_on_nginx.html, or by someone
else.) 

 

What is OCSP Stapling?

The Online Certificate Status Protocol (OCSP) is a method that clients
(browsers and operating systems) use to obtain the validity status of an
X.509 digital certificate.  Without stapling, the client must make a separate
request to the CA's OCSP responder during its TLS handshake with the server in
order to obtain that status.  OCSP stapling allows the server to pre-fetch and
cache the OCSP response and deliver it to the client within the handshake
whenever the client indicates that it supports OCSP stapling.  Stapling results
in faster page loads and increases privacy because the client does not need to
contact the CA about the sites it visits.

 

How do I enable OCSP Stapling?

OCSP stapling is currently supported by default in IIS 7+, but if you are
using Apache 2.4+ or Nginx 1.7.3+, you can also enable OCSP stapling
relatively easily by adding a few directives to your server's configuration
file(s).   If you operate in a more complex, shared, or load-balanced
system, then the following instructions may not suffice.  

 

Also, make sure that your server can make an outbound connection to your
CA's OCSP responder(s) by configuring your hosts table, firewall ports,
etc., and then test for connectivity and retrieval of OCSP responses by your
server.  

 


 

Check your version
    Apache 2.4+:   apache2 -v
    Nginx 1.7.3+:  nginx -v

File to modify
    Apache:  Virtual Host file (or the conf in sites-enabled if no virtual
             hosts are used)
    Nginx:   nginx.conf

Edit configuration file
    Apache (CentOS/Fedora users replace apache2 with httpd):
        sudo nano /etc/apache2/sites-enabled/example.com-ssl.conf
    Nginx (the main file or a per-site file):
        sudo nano /etc/nginx/ssl/nginx.conf
        sudo nano /etc/nginx/sites-enabled/example.com.ssl

Apache 2.4+ configuration

    # the stapling cache must be defined in the server-wide configuration,
    # outside of any VirtualHost block, or Apache will not start
    SSLStaplingCache shmcb:/var/run/ocsp(128000)

    # listen on port 443
    <VirtualHost _default_:443>
        # turn on SSL
        SSLEngine on
        # enable OCSP stapling
        SSLUseStapling on
        # seconds to wait for an OCSP response from the CA
        SSLStaplingResponderTimeout 5
        # do not pass responder error messages on to users
        SSLStaplingReturnResponderErrors off
        # trusted certificate chain PEM file (all certificates: root,
        # intermediate, and server)
        SSLCACertificateFile /etc/ssl/apache2/my_ca.crt
    </VirtualHost>

Nginx 1.7.3+ configuration

    server {
        # listen on port 443
        listen 443;
        # turn on SSL
        ssl on;
        # enable OCSP stapling
        ssl_stapling on;
        # DNS server used to resolve the OCSP responder's hostname
        resolver 192.168.1.1;
        # make the server verify the OCSP response it fetches; this requires
        # a fully trusted certificate chain as specified in the
        # ssl_trusted_certificate directive below
        ssl_stapling_verify on;
        # trusted certificate chain PEM file
        ssl_trusted_certificate /etc/nginx/ssl/mysite.crt;
        # optional: serve a pre-fetched OCSP response (DER format) from a file
        # instead of querying the responder; leave this commented out unless
        # you maintain that file yourself
        # ssl_stapling_file ocsp_response;
    }

Test before reloading
    Apache:  apachectl -t
    Nginx:   service nginx configtest

Restart if OK
    Apache:  service apache2 reload
    Nginx:   nginx -s reload
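After the reload, confirm that the server actually staples. The script below is an added example, not part of the original post or of either project's documentation: it wraps `openssl s_client -status` (assumed to be installed and to support -status and -servername) and classifies the result, with constructed sample output so the classifier can be checked offline.

```shell
#!/bin/sh
# Added example: verify that a TLS server staples an OCSP response.
# Assumes openssl s_client with -status and -servername support is in PATH.

# Classify captured "openssl s_client -status" output. Kept separate from the
# network call so the logic can be checked against saved transcripts.
# Prints one of: none, good, revoked, unknown, responder-error, no-status.
classify_status_output() {
    case "$1" in
        *"OCSP response: no response sent"*) echo none ;;
        *"OCSP Response Status: successful"*)
            case "$1" in
                *"Cert Status: good"*)    echo good ;;
                *"Cert Status: revoked"*) echo revoked ;;
                *)                        echo unknown ;;
            esac ;;
        *"OCSP Response Status:"*) echo responder-error ;;  # e.g. tryLater
        *) echo no-status ;;                                 # no OCSP section at all
    esac
}

# check_stapling HOST [PORT]: connect with the status_request extension enabled
# and SNI set to HOST, then classify what came back. Returns 0 only for "good".
check_stapling() {
    host=$1
    port=${2:-443}
    # "Q" on stdin makes s_client exit cleanly once the handshake has completed.
    out=$(echo Q | openssl s_client -connect "$host:$port" -servername "$host" -status 2>&1)
    result=$(classify_status_output "$out")
    echo "$host:$port stapled OCSP response: $result"
    [ "$result" = good ]
}

# Constructed excerpts of s_client -status output, used to exercise the classifier.
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
======================================'
SAMPLE_UNSTAPLED='CONNECTED(00000003)
OCSP response: no response sent
depth=1 C = XX, O = Example CA'

# Run against a live host only when one is given on the command line.
if [ $# -gt 0 ]; then check_stapling "$@"; fi
```

nginx fetches the OCSP response in the background after the first handshake, so a result of "none" immediately after a reload is expected there; run the check again a few seconds later.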

 

For additional Apache configuration options, see
http://httpd.apache.org/docs/trunk/mod/mod_ssl.html 

For additional nginx configuration options, see
http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling and
http://nginx.com/wp-content/uploads/2014/03/nginx-modules-reference-r3.pdf.

 

 
