====== OCSP Stapling on Apache and Nginx ======
  
  
OCSP (Online Certificate Status Protocol) is a protocol for checking whether an SSL/TLS certificate has been revoked. It was created as a lighter-weight alternative to CRLs. With a CRL (Certificate Revocation List) the browser downloads the CA's entire list of revoked certificate serial numbers and checks the current certificate's serial against it; these lists can be large, which adds to the TLS negotiation time. With OCSP the browser sends a request for a single serial number to the OCSP responder URL embedded in the certificate and receives a signed response stating whether that certificate is good, revoked or unknown. The following screenshot shows the OCSP URI of digitalocean.com.
  
{{ :linux:apache_ocsp.png?nolink |}}
  
===== About OCSP stapling =====
OCSP stapling is supported by Apache 2.3.3 and later and by Nginx 1.3.7 and later. Check the installed version first.

Apache:

<code bash>
apache2 -v
</code>

Nginx:

<code bash>
nginx -v
</code>

CentOS/Fedora users replace apache2 with httpd.
  
===== Retrieve the CA bundle =====

Retrieve the root CA and intermediate CA certificates in PEM format and save them in a single file. The file must contain the certificate that issued your server certificate (the intermediate), because the web server uses it to build the OCSP request and to verify the signature on the responder's reply. The example below fetches StartSSL's Root and Class 1 Intermediate CA certificates; substitute the certificates of whichever CA issued your certificate.

<code bash>
cd /etc/ssl
wget -O - https://www.startssl.com/certs/ca.pem https://www.startssl.com/certs/sub.class1.server.ca.pem | tee -a ca-certs.pem > /dev/null
</code>

If your CA provides certificates in DER format, convert them to PEM. For example, DigiCert provides certificates in DER format. To download them and convert to PEM use the following commands:

<code bash>
cd /etc/ssl
wget -O - https://www.digicert.com/CACerts/DigiCertHighAssuranceEVRootCA.crt | openssl x509 -inform DER -outform PEM | tee -a ca-certs.pem > /dev/null

wget -O - https://www.digicert.com/CACerts/DigiCertHighAssuranceEVCA-1.crt | openssl x509 -inform DER -outform PEM | tee -a ca-certs.pem > /dev/null
</code>

Both sets of commands use tee to write to the file, so you can use sudo tee if logged in as a non-root user. Note that tee -a appends: running the commands a second time adds duplicate copies of the certificates, so remove ca-certs.pem before rerunning them.
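As an added example (not part of the original page), the following POSIX shell script builds the bundle from downloaded CA files in either format and then checks it the way the web server will use it: it verifies that the server certificate chains to the bundle and queries the CA's OCSP responder directly, which confirms both that the right issuer is present and that the responder is reachable from this host, before any server is reconfigured. The file names (server.pem, issuer.pem, ca-certs.pem) and the command-line usage are assumptions for illustration; openssl is required for the verify and query steps.

```sh
#!/bin/sh
# Added example: build and sanity-check the CA bundle used for OCSP stapling.
# Not from the original page. Paths given on the command line are assumptions:
#   sh ocsp-bundle-check.sh server.pem issuer.pem ca-certs.pem

# Report whether a certificate file is PEM ("pem"); anything else is treated
# as DER ("der"), which is what CAs that serve .crt files usually provide.
cert_format() {
  if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
    echo pem
  else
    echo der
  fi
}

# Append one CA certificate to the bundle, converting DER to PEM when needed
# (DigiCert serves .crt files in DER; StartSSL served PEM).
add_ca_cert() {
  src=$1
  bundle=$2
  case $(cert_format "$src") in
    pem) cat "$src" >> "$bundle" ;;
    der) openssl x509 -inform DER -in "$src" -outform PEM >> "$bundle" ;;
  esac
}

# Number of certificates in a PEM bundle (prints 0 when it contains none).
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# Start the bundle from scratch so reruns do not append duplicates.
build_bundle() {
  bundle=$1
  shift
  : > "$bundle"
  for f in "$@"; do
    add_ca_cert "$f" "$bundle"
  done
  echo "$bundle: $(count_certs "$bundle") certificate(s)"
}

# The web server needs the issuer of the server certificate to build the
# OCSP request and to verify the signed response; this fails if it is missing.
verify_chain() {
  openssl verify -CAfile "$2" "$1"
}

# Query the responder named in the certificate's AIA extension, the same
# request the web server will make once stapling is on. The issuer must be a
# file on its own because openssl ocsp reads only the first cert in -issuer.
query_ocsp() {
  cert=$1
  issuer=$2
  bundle=$3
  uri=$(openssl x509 -in "$cert" -noout -ocsp_uri)
  [ -n "$uri" ] || { echo "no OCSP URI in $cert" >&2; return 1; }
  echo "querying $uri"
  # OpenSSL 1.0.x may additionally need: -header "HOST" "<responder host>"
  # for responders that reject requests without a Host header.
  openssl ocsp -issuer "$issuer" -cert "$cert" -url "$uri" \
    -CAfile "$bundle" -resp_text \
    | grep -E 'OCSP Response Status|Cert Status|Next Update'
}

main() {
  verify_chain "$1" "$3" && query_ocsp "$1" "$2" "$3"
}

# Run only when invoked with the three paths; sourcing the file just defines
# the functions (e.g. build_bundle ca-certs.pem root.crt intermediate.crt).
if [ $# -eq 3 ]; then
  main "$@"
fi
```

A "Cert Status: good" line from query_ocsp means the bundle and the responder are fine; "unable to get local issuer certificate" at the verify step means the intermediate is missing from the bundle, which is the same failure the server logs reported later on this page come from.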
  
===== Configuring OCSP Stapling on Apache =====

Edit the SSL virtual host file and place these lines inside the <VirtualHost></VirtualHost> directive.

<code bash>
sudo nano /etc/apache2/sites-enabled/example.com-ssl.conf
</code>

<code bash>
SSLCACertificateFile /etc/ssl/ca-certs.pem
SSLUseStapling on
</code>

Apache needs the issuer certificate of the server certificate to fetch and verify OCSP responses; it looks for it in the certificate chain configured for the virtual host and in SSLCACertificateFile. Be aware that SSLCACertificateFile is also the list of CAs accepted for client certificate authentication, which only has an effect if SSLVerifyClient is enabled.

A cache location has to be specified outside <VirtualHost></VirtualHost> with SSLStaplingCache; configuring the cache is mandatory for stapling.
  
If you followed this article to set up SSL sites on Apache, the virtual host file will look like this:

<code bash>
/etc/apache2/sites-enabled/example.com-ssl.conf
</code>

<code bash>
<IfModule mod_ssl.c>
    SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
    ...
    </VirtualHost>
</IfModule>
</code>
 +
Do a configtest to check for errors.

<code bash>
apachectl -t
</code>

Reload if Syntax OK is displayed.

<code bash>
service apache2 reload
</code>

Access the website with a browser that requests certificate status in the TLS handshake (IE on Vista and above, or Firefox 26+) and check the error log.

<code bash>
tail /var/log/apache2/error.log
</code>

If the file defined in the SSLCACertificateFile directive is missing the issuer certificate, an error similar to the following is logged:

<code bash>
[Fri May 09 23:36:44.055900 2014] [ssl:error] [pid 1491:tid 139921007208320] AH02217: ssl_stapling_init_cert: Can't retrieve issuer certificate!
[Fri May 09 23:36:44.056018 2014] [ssl:error] [pid 1491:tid 139921007208320] AH02235: Unable to configure server certificate for stapling
</code>

If no such errors are displayed, proceed to Testing OCSP Stapling below.
  
===== Configuring OCSP stapling on Nginx =====

Edit the SSL virtual host file and place the following directives inside the server {} section.

<code bash>
sudo nano /etc/nginx/sites-enabled/example.com.ssl
</code>

<code bash>
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/ca-certs.pem;
</code>

ssl_trusted_certificate points at the bundle created above. With ssl_stapling_verify on, nginx checks the responder's signature against the root and intermediate certificates in that bundle, so the bundle must be complete. If the OCSP responder URL uses a host name, nginx also needs a resolver directive to look it up; without one the background fetch fails and nothing is stapled.

If you followed this article to set up SSL hosts on Nginx, the complete virtual host file will look like this:

<code bash>
/etc/nginx/sites-enabled/example.com.ssl
</code>

<code bash>
server {
    ...
        ssl_trusted_certificate /etc/ssl/ca-certs.pem;
}
</code>

Do a configtest to see if everything is correct.

<code bash>
service nginx configtest
</code>

Then reload the nginx service.

<code bash>
service nginx reload
</code>

Access the website with a browser that requests certificate status in the TLS handshake (IE on Vista and above, or Firefox 26+) and check the error log. Nginx fetches the OCSP response in the background when the first client asks for it, so that first connection after a reload is served without a stapled response; make a second request before judging the result.

<code bash>
tail /var/log/nginx/error.log
</code>

If the file defined in ssl_trusted_certificate is missing a certificate, an error similar to the following is logged:

<code bash>
2014/05/09 17:38:16 [error] 1580#0: OCSP_basic_verify() failed (SSL: error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:Verify error:unable to get local issuer certificate) while requesting certificate status, responder: ocsp.startssl.com
</code>

If no such errors are displayed, proceed to the next step.
  
===== Testing OCSP Stapling =====

Two methods will be explained to test if OCSP stapling is working: the openssl command-line tool and the SSL test at Qualys.

==== The OpenSSL command ====

The -status option makes s_client request certificate status in the handshake, and its output contains a section showing whether the web server responded with OCSP data. We grep that section and display it.

<code bash>
echo QUIT | openssl s_client -connect www.digitalocean.com:443 -status 2> /dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'
</code>

Replace www.digitalocean.com with your domain name. If the server hosts several name-based virtual hosts, add -servername with your domain so the server selects the right certificate. If OCSP stapling is working properly, output like the following is displayed.

<code bash>
OCSP response:
======================================
    ...
    This Update: May  9 08:45:00 2014 GMT
    Next Update: May 16 09:00:00 2014 GMT
</code>

No output is displayed if OCSP stapling is not working: openssl then prints "OCSP response: no response sent", which the second grep filters out.
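The grep pipeline above is fine for a one-off look but fragile for repeated checks: it relies on the fixed line counts, gives no exit status, and hides a revoked status as easily as a missing one. As an added example (not from the original page), the script below parses the same s_client -status output with awk, connects with SNI, and returns non-zero unless a stapled response with status "good" came back, so it can be run from cron or a monitoring check. The sample outputs embedded in it are constructed from the page's own example and the host name is a placeholder.

```sh
#!/bin/sh
# Added example: check a live server for a stapled OCSP response.
# Not from the original page; host names and the sample outputs are constructed.

# Reduce the OCSP section of `openssl s_client -status` output to one line:
# "<cert status> until <Next Update>" when a response was stapled, or "none".
ocsp_status_from_output() {
  awk '
    /^OCSP response: no response sent/ { none = 1 }
    /Cert Status:/  { sub(/.*Cert Status: */, "");  status = $0 }
    /Next Update:/  { sub(/.*Next Update: */, "");  nextupd = $0 }
    END {
      if (none || status == "") print "none"
      else print status " until " nextupd
    }
  '
}

# Connect with SNI (-servername) so a name-based virtual host serves the right
# certificate, request the status extension, and summarise what came back.
# Returns non-zero when nothing was stapled or the status is not "good"
# (a stapled "revoked" response is a failure worth alerting on too).
check_stapling() {
  host=$1
  port=${2:-443}
  result=$(echo QUIT | openssl s_client -connect "$host:$port" -servername "$host" -status 2>/dev/null \
    | ocsp_status_from_output)
  echo "$host:$port -> $result"
  case $result in
    good\ *) return 0 ;;
    *)       return 1 ;;
  esac
}

# Constructed samples of the relevant part of s_client output, modelled on
# the example output shown above on this page.
SAMPLE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: May  9 08:45:00 2014 GMT
    Next Update: May 16 09:00:00 2014 GMT'

SAMPLE_NONE='OCSP response: no response sent'

demo_stapled() { printf '%s\n' "$SAMPLE_STAPLED" | ocsp_status_from_output; }
demo_none()    { printf '%s\n' "$SAMPLE_NONE"    | ocsp_status_from_output; }

# Live check when a host is given:  sh ocsp-check.sh www.example.com [port]
if [ $# -ge 1 ]; then
  check_stapling "$@"
fi
```

Run the live check twice against an nginx server that was just reloaded, since nginx only fetches the response after the first status request; a persistent "none" on Apache usually means SSLStaplingCache is missing or the issuer could not be found, and the error log will say which.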
  
==== Qualys online SSL test ====

To check this online, go to the Qualys SSL Labs server test and enter your domain name. Once testing completes, look for the OCSP stapling entry under the Protocol Details section of the report.

{{ :linux:apache_ocsp2.png?nolink |}}

===== Additional reading =====

  * Mozilla's article on OCSP stapling
  * Wikipedia article on OCSP stapling - http://en.wikipedia.org/wiki/OCSP_stapling
linux/stapling.1466152390.txt.gz · Last modified: 2016/06/17 10:33 by admin