[cabfpub] OCSP Stapling in Apache and nginx
Chema López González
clopez at firmaprofesional.com
Tue Jul 22 11:43:45 UTC 2014
Great initiative!
--
*Chema López*
*Project Manager - Technical Department*
*AC Firmaprofesional, S.A.*
Edificio ESADECREAPOLIS - 1B13
08173 Sant Cugat del Vallès, Barcelona.
T. 934 774 245
M. 666 429 224
On Tue, Jul 8, 2014 at 7:28 PM, Ben Wilson <ben at digicert.com> wrote:
> One of the agenda items we discussed at the face-to-face was the poor
> adoption of OCSP stapling in Apache and nginx because it is not turned on
> by default. While it would be great if Apache and nginx could just turn on
> OCSP stapling by default, to move this forward we should post instructions
> on the web site for configuring OCSP stapling manually on these platforms.
>
> Here are the beginnings of a web page on implementing OCSP stapling. (Or
> we could figure out how to leverage these pages by Remy van Elst -
> https://raymii.org/s/tutorials/OCSP_Stapling_on_Apache2.html and
> https://raymii.org/s/tutorials/OCSP_Stapling_on_nginx.html, or by someone
> else.)
>
> *What is OCSP Stapling?*
>
> The Online Certificate Status Protocol (OCSP) is a method that clients
> (browsers and operating systems) use to obtain the validity status of an
> X.509 digital certificate. OCSP without stapling requires that the client
> make an additional request during its TLS handshake with the server in
> order to obtain that certificate status. OCSP stapling allows the server
> to pre-fetch and cache the OCSP response and deliver it to the client
> whenever the client indicates that it supports OCSP stapling. OCSP
> stapling results in faster page loads and increases privacy because the
> client does not need to communicate with the CA about its site visits.
>
> *How do I enable OCSP Stapling?*
>
> OCSP stapling is currently supported by default in IIS 7+, but if you are
> using Apache 2.4+ or Nginx 1.7.3+, you can also enable OCSP stapling
> relatively easily by adding a few directives to your server’s configuration
> file(s). If you operate in a more complex, shared, or load-balanced
> system, then the following instructions may not suffice.
>
> Also, make sure that your server can make an outbound connection to your
> CA’s OCSP responder(s) by configuring your hosts table, firewall ports,
> etc., and then test for connectivity and retrieval of OCSP responses by
> your server.
>
> *Apache 2.4+* / *Nginx 1.7.3+*
>
> Check your version
>   Apache: apache2 -v
>   Nginx:  nginx -v
>
> File to modify
>   Apache: Virtual Host (or conf in sites-enabled if no virtual hosts are used)
>   Nginx:  nginx.conf
>
> Edit configuration file
>   Apache (CentOS/Fedora users replace apache2 with httpd):
>     sudo nano /etc/apache2/sites-enabled/example.com-ssl.conf
>   Nginx:
>     sudo nano /etc/nginx/ssl/nginx.conf
>     sudo nano /etc/nginx/sites-enabled/example.com.ssl
>
> Apache directives:
>
>   # specify cached response location
>   # SSLStaplingCache must point to location outside of VirtualHost folder or
>   # Apache will not start
>   SSLStaplingCache shmcb:/var/run/ocsp(128000)
>
>   # listen on port 443
>   <VirtualHost _default_:443>
>     # turn on SSL
>     SSLEngine on …
>     # enable ocsp stapling
>     SSLUseStapling on
>     # set seconds to wait for OCSP response from CA
>     SSLStaplingResponderTimeout 5
>     # prevent user error messages
>     SSLStaplingReturnResponderErrors off
>     # point to trusted certificate chain PEM file (all certificates- root,
>     # intermediate, and server)
>     SSLCACertificateFile /etc/ssl/apache2/my_ca.crt
>   </VirtualHost>
>
> Nginx directives:
>
>   server {
>     # listen on port 443
>     listen 443; …
>     # turn on SSL
>     ssl on; …
>     # enable ocsp stapling
>     ssl_stapling on;
>     # point to DNS server
>     resolver 192.168.1.1;
>     # enable server to check OCSP
>     ssl_stapling_verify on;
>     # the ssl_stapling_verify directive requires a fully trusted certificate
>     # chain as specified in the ssl_trusted_certificate directive below
>     # point to trusted certificate chain PEM file (all certificates- root,
>     # intermediate, and server)
>     ssl_trusted_certificate /etc/nginx/ssl/mysite.crt;
>     # specify cached response location
>     ssl_stapling_file ocsp_response;
>   }
>
> Test before reloading
>   Apache: apachectl -t
>   Nginx:  service nginx configtest
>
> Restart if OK
>   Apache: service apache2 reload
>   Nginx:  nginx -s reload
>
> For additional Apache configuration options, see
> http://httpd.apache.org/docs/trunk/mod/mod_ssl.html
>
> For additional nginx configuration options, see
> http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling and
> http://nginx.com/wp-content/uploads/2014/03/nginx-modules-reference-r3.pdf.
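The quoted post asks operators to "test for connectivity and retrieval of OCSP responses by your server" once the directives are in place; the script below is an added example, not code from the thread, that does this from the client side by classifying the output of `openssl s_client -status`. The sample outputs are constructed and abbreviated, and `check_stapling` / `parse_stapling_output` are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a TLS server actually
# staples an OCSP response, using `openssl s_client -status`. The parser is
# kept separate from the network call so it can be run on captured output.

# Read `openssl s_client -status` output on stdin and classify it.
# Exit status: 0 = stapled response present and "Cert Status: good"
#              1 = server sent no stapled response (stapling not working)
#              2 = stapled response present but certificate status is not good
#              3 = response sent but openssl did not report it as successful
parse_stapling_output() {
  out=$(cat)
  case "$out" in
    *"OCSP response: no response sent"*) return 1 ;;
  esac
  case "$out" in
    *"OCSP Response Status: successful"*) ;;
    *) return 3 ;;
  esac
  case "$out" in
    *"Cert Status: good"*) return 0 ;;
    *) return 2 ;;
  esac
}

# Hypothetical helper: query a live server and classify its stapling behaviour.
# "Q" on stdin makes s_client close the connection after the handshake.
check_stapling() {
  host=$1; port=${2:-443}
  printf 'Q\n' | openssl s_client -connect "$host:$port" -servername "$host" -status 2>/dev/null \
    | parse_stapling_output
}

# Constructed sample outputs (abbreviated to the lines the parser looks at).
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jul  8 00:00:00 2014 GMT
    Next Update: Jul 15 00:00:00 2014 GMT
======================================'
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent'
SAMPLE_REVOKED='OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: revoked'
```

Run `check_stapling example.com` after reloading the server; an exit status of 1 means the directives above are not taking effect (often because the server cannot reach the CA's responder), and 2 means the response was stapled but reports the certificate as revoked or unknown.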