This shows you the differences between two versions of the page.
| | linux:stapling [2016/06/17 10:33] admin created | | linux:stapling [2016/06/17 11:16] (current) admin |
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== How To Configure OCSP Stapling on Apache and Nginx ====== | + | ====== OCSP Stapling on Apache and Nginx ====== |
| Line 14: | Line 14: | ||
| OCSP (Online Certificate Status Protocol) is a protocol for checking if a SSL certificate has been revoked. It was created as an alternative to CRL to reduce the SSL negotiation time. With CRL (Certificate Revocation List) the browser downloads a list of revoked certificate serial numbers and verifies the current certificate, which increases the SSL negotiation time. In OCSP the browser sends a request to a OCSP URL and receives a response containing the validity status of the certificate. The following screenshot shows the OCSP URI of digitalocean.com. | OCSP (Online Certificate Status Protocol) is a protocol for checking if a SSL certificate has been revoked. It was created as an alternative to CRL to reduce the SSL negotiation time. With CRL (Certificate Revocation List) the browser downloads a list of revoked certificate serial numbers and verifies the current certificate, which increases the SSL negotiation time. In OCSP the browser sends a request to a OCSP URL and receives a response containing the validity status of the certificate. The following screenshot shows the OCSP URI of digitalocean.com. | ||
| - | OCSP URI | + | {{ :linux:apache_ocsp.png?nolink |}} |
| ===== About OCSP stapling ===== | ===== About OCSP stapling ===== | ||
| Line 36: | Line 36: | ||
| Apache: | Apache: | ||
| + | <code bash> | ||
| apache2 -v | apache2 -v | ||
| + | </code> | ||
| + | |||
| Nginx: | Nginx: | ||
| + | <code bash> | ||
| nginx -v | nginx -v | ||
| + | </code> | ||
| + | |||
| CentOS/Fedora users replace apache2 with httpd. | CentOS/Fedora users replace apache2 with httpd. | ||
| - | Retrieve the CA bundle | + | ===== Retrieve the CA bundle ===== |
| + | |||
| Retrieve the root CA and intermediate CA's certificate in PEM format and save them in a single file. This is for StartSSL's Root and Intermediate CA certificates. | Retrieve the root CA and intermediate CA's certificate in PEM format and save them in a single file. This is for StartSSL's Root and Intermediate CA certificates. | ||
| + | <code bash> | ||
| cd /etc/ssl | cd /etc/ssl | ||
| wget -O - https://www.startssl.com/certs/ca.pem https://www.startssl.com/certs/sub.class1.server.ca.pem | tee -a ca-certs.pem> /dev/null | wget -O - https://www.startssl.com/certs/ca.pem https://www.startssl.com/certs/sub.class1.server.ca.pem | tee -a ca-certs.pem> /dev/null | ||
| + | </code> | ||
| + | |||
| If your CA provides certificates in DER format convert them to PEM. For example DigiCert provides certificates in DER format. To download them and convert to PEM use the following commands: | If your CA provides certificates in DER format convert them to PEM. For example DigiCert provides certificates in DER format. To download them and convert to PEM use the following commands: | ||
| + | <code bash> | ||
| cd /etc/ssl | cd /etc/ssl | ||
| wget -O - https://www.digicert.com/CACerts/DigiCertHighAssuranceEVRootCA.crt | openssl x509 -inform DER -outform PEM | tee -a ca-certs.pem> /dev/null | wget -O - https://www.digicert.com/CACerts/DigiCertHighAssuranceEVRootCA.crt | openssl x509 -inform DER -outform PEM | tee -a ca-certs.pem> /dev/null | ||
| + | |||
| wget -O - https://www.digicert.com/CACerts/DigiCertHighAssuranceEVCA-1.crt | openssl x509 -inform DER -outform PEM | tee -a ca-certs.pem> /dev/null | wget -O - https://www.digicert.com/CACerts/DigiCertHighAssuranceEVCA-1.crt | openssl x509 -inform DER -outform PEM | tee -a ca-certs.pem> /dev/null | ||
| + | </code> | ||
| + | |||
| Both sets of commands use tee to write to the file, so you can use sudo tee if logged in as a non-root user. | Both sets of commands use tee to write to the file, so you can use sudo tee if logged in as a non-root user. | ||
| - | Configuring OCSP Stapling on Apache | + | ===== Configuring OCSP Stapling on Apache ===== |
| Edit the SSL virtual hosts file and place these lines inside the <VirtualHost></VirtualHost> directive. | Edit the SSL virtual hosts file and place these lines inside the <VirtualHost></VirtualHost> directive. | ||
| + | <code bash> | ||
| sudo nano /etc/apache2/sites-enabled/example.com-ssl.conf | sudo nano /etc/apache2/sites-enabled/example.com-ssl.conf | ||
| + | </code> | ||
| + | |||
| + | <code bash> | ||
| SSLCACertificateFile /etc/ssl/ca-certs.pem | SSLCACertificateFile /etc/ssl/ca-certs.pem | ||
| SSLUseStapling on | SSLUseStapling on | ||
| + | </code> | ||
| + | |||
| A cache location has to be specified outside <VirtualHost></VirtualHost>. | A cache location has to be specified outside <VirtualHost></VirtualHost>. | ||
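Review bot: both download blocks in this hunk append with `tee -a ca-certs.pem`, so running the section twice (or running the StartSSL block and then the DigiCert block) leaves duplicate or mixed certificates in ca-certs.pem with no warning; either drop `-a` for the first write or add a sentence telling the reader to start from an empty file. Two style points in the same hunk: `tee -a ca-certs.pem> /dev/null` wants a space before the redirect, and the `SSLCACertificateFile` / `SSLUseStapling` directives are httpd configuration, not shell, so `<code apache>` rather than `<code bash>` would highlight them correctly.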
| Line 66: | Line 88: | ||
| If you followed this article to setup SSL sites on Apache, the virtual host file will look this: | If you followed this article to setup SSL sites on Apache, the virtual host file will look this: | ||
| + | <code bash> | ||
| /etc/apache2/sites-enabled/example.com-ssl.conf | /etc/apache2/sites-enabled/example.com-ssl.conf | ||
| + | </code> | ||
| + | <code bash> | ||
| <IfModule mod_ssl.c> | <IfModule mod_ssl.c> | ||
| SSLStaplingCache shmcb:/tmp/stapling_cache(128000) | SSLStaplingCache shmcb:/tmp/stapling_cache(128000) | ||
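Review bot: `SSLStaplingCache shmcb:/tmp/stapling_cache(128000)` places the cache name under the world-writable /tmp; the mod_ssl documentation's example, `shmcb:logs/ssl_stapling(32768)`, keeps it under the server root, which is the safer default to show. Smaller points: the path `/etc/apache2/sites-enabled/example.com-ssl.conf` above the block is a caption, not a command, so `<file>` or a plain `<code>` fits better than `<code bash>`, the config block itself should be `<code apache>`, and "will look this" is missing "like".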
| Line 85: | Line 110: | ||
| </VirtualHost> | </VirtualHost> | ||
| </IfModule> | </IfModule> | ||
| + | </code> | ||
| + | |||
| Do a configtest to check for errors. | Do a configtest to check for errors. | ||
| + | <code bash> | ||
| apachectl -t | apachectl -t | ||
| + | </code> | ||
| + | |||
| Reload if Syntax OK is displayed. | Reload if Syntax OK is displayed. | ||
| + | <code bash> | ||
| service apache2 reload | service apache2 reload | ||
| + | </code> | ||
| + | |||
| Access the website on IE (on Vista and above) or Firefox 26+ and check the error log. | Access the website on IE (on Vista and above) or Firefox 26+ and check the error log. | ||
| + | <code bash> | ||
| tail /var/log/apache2/error.log | tail /var/log/apache2/error.log | ||
| + | </code> | ||
| + | |||
| If the file defined in the SSLCACertificateFile directive is missing, a certificate an error similar to the following is displayed. | If the file defined in the SSLCACertificateFile directive is missing, a certificate an error similar to the following is displayed. | ||
| + | <code bash> | ||
| [Fri May 09 23:36:44.055900 2014] [ssl:error] [pid 1491:tid 139921007208320] AH02217: ssl_stapling_init_cert: Can't retrieve issuer certificate! | [Fri May 09 23:36:44.055900 2014] [ssl:error] [pid 1491:tid 139921007208320] AH02217: ssl_stapling_init_cert: Can't retrieve issuer certificate! | ||
| [Fri May 09 23:36:44.056018 2014] [ssl:error] [pid 1491:tid 139921007208320] AH02235: Unable to configure server certificate for stapling | [Fri May 09 23:36:44.056018 2014] [ssl:error] [pid 1491:tid 139921007208320] AH02235: Unable to configure server certificate for stapling | ||
| + | </code> | ||
| + | |||
| If no such errors are displayed proceed to the final step. | If no such errors are displayed proceed to the final step. | ||
| - | Configuring OCSP stapling on Nginx | + | ===== Configuring OCSP stapling on Nginx ===== |
| Edit the SSL virtual hosts file and place the following directives inside the server {} section. | Edit the SSL virtual hosts file and place the following directives inside the server {} section. | ||
| + | <code bash> | ||
| sudo nano /etc/nginx/sites-enabled/example.com.ssl | sudo nano /etc/nginx/sites-enabled/example.com.ssl | ||
| + | </code> | ||
| + | |||
| + | <code bash> | ||
| ssl_stapling on; | ssl_stapling on; | ||
| ssl_stapling_verify on; | ssl_stapling_verify on; | ||
| ssl_trusted_certificate /etc/ssl/private/ca-certs.pem; | ssl_trusted_certificate /etc/ssl/private/ca-certs.pem; | ||
| + | </code> | ||
| + | |||
| If you followed this article to setup SSL hosts on Nginx the complete virtual host file will look like this: | If you followed this article to setup SSL hosts on Nginx the complete virtual host file will look like this: | ||
| + | <code bash> | ||
| /etc/nginx/sites-enabled/example.com.ssl | /etc/nginx/sites-enabled/example.com.ssl | ||
| + | </code> | ||
| + | <code bash> | ||
| server { | server { | ||
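Review bot: the Nginx block sets `ssl_trusted_certificate /etc/ssl/private/ca-certs.pem`, but the bundle was written to /etc/ssl/ca-certs.pem in the earlier section (`cd /etc/ssl` followed by `tee -a ca-certs.pem`); one of the two paths has to change, otherwise the reader gets exactly the "unable to get local issuer certificate" failure this page goes on to describe. With `ssl_stapling_verify on` nginx also has to resolve the responder hostname itself, so a `resolver` directive belongs next to these three lines. Style: the nginx directives should be fenced as `<code nginx>` and the Apache error-log excerpt needs no `bash` tag, and the sentence "is missing, a certificate an error similar to the following is displayed" should read "is missing a certificate, an error similar to the following is displayed".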
| Line 127: | Line 176: | ||
| ssl_trusted_certificate /etc/ssl/private/ca-certs.pem; | ssl_trusted_certificate /etc/ssl/private/ca-certs.pem; | ||
| } | } | ||
| + | </code> | ||
| + | |||
| Do a configtest to see if everything is correct. | Do a configtest to see if everything is correct. | ||
| + | <code bash> | ||
| service nginx configtest | service nginx configtest | ||
| + | </code> | ||
| + | |||
| Then reload the nginx service. | Then reload the nginx service. | ||
| + | <code bash> | ||
| service nginx reload | service nginx reload | ||
| + | </code> | ||
| + | |||
| Access the website on IE (on Vista and above) or Firefox 26+ and check the error log. | Access the website on IE (on Vista and above) or Firefox 26+ and check the error log. | ||
| + | <code bash> | ||
| tail /var/log/nginx/error.log | tail /var/log/nginx/error.log | ||
| + | </code> | ||
| + | |||
| If the file defined in ssl_trusted_certificate is missing a certificate an error similar to the following is displayed: | If the file defined in ssl_trusted_certificate is missing a certificate an error similar to the following is displayed: | ||
| + | <code bash> | ||
| 2014/05/09 17:38:16 [error] 1580#0: OCSP_basic_verify() failed (SSL: error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:Verify error:unable to get local issuer certificate) while requesting certificate status, responder: ocsp.startssl.com | 2014/05/09 17:38:16 [error] 1580#0: OCSP_basic_verify() failed (SSL: error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:Verify error:unable to get local issuer certificate) while requesting certificate status, responder: ocsp.startssl.com | ||
| + | </code> | ||
| + | |||
| If no such errors are displayed proceed to the next step. | If no such errors are displayed proceed to the next step. | ||
| - | Testing OCSP Stapling | + | ===== Testing OCSP Stapling ===== |
| Two methods will be explained to test if OCSP stapling is working - the openssl command-line tool and SSL test at Qualys. | Two methods will be explained to test if OCSP stapling is working - the openssl command-line tool and SSL test at Qualys. | ||
| - | The OpenSSL command | + | ==== The OpenSSL command ==== |
| This command's output displays a section which says if your web server responded with OCSP data. We grep this particular section and display it. | This command's output displays a section which says if your web server responded with OCSP data. We grep this particular section and display it. | ||
| + | <code bash> | ||
| echo QUIT | openssl s_client -connect www.digitalocean.com:443 -status 2> /dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update' | echo QUIT | openssl s_client -connect www.digitalocean.com:443 -status 2> /dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update' | ||
| + | </code> | ||
| + | |||
| Replace www.digitalocean.com with your domain name. If OCSP stapling is working properly the following output is displayed. | Replace www.digitalocean.com with your domain name. If OCSP stapling is working properly the following output is displayed. | ||
| + | <code bash> | ||
| OCSP response: | OCSP response: | ||
| ====================================== | ====================================== | ||
| Line 168: | Line 237: | ||
| This Update: May 9 08:45:00 2014 GMT | This Update: May 9 08:45:00 2014 GMT | ||
| Next Update: May 16 09:00:00 2014 GMT | Next Update: May 16 09:00:00 2014 GMT | ||
| + | </code> | ||
| + | |||
| No output is displayed if OCSP stapling is not working. | No output is displayed if OCSP stapling is not working. | ||
| - | Qualys online SSL test | + | ==== Qualys online SSL test ==== |
| To check this online go to this website and enter your domain name. Once testing completes check under the Protocol Details section. | To check this online go to this website and enter your domain name. Once testing completes check under the Protocol Details section. | ||
| - | Qualys SSL report | + | {{ :linux:apache_ocsp2.png?nolink |}} |
| + | |||
| + | ===== Additional reading ===== | ||
| - | Additional reading | + | * Mozilla's article on OCSP stapling - http://en.wikipedia.org/wiki/OCSP_stapling |
| - | Mozilla's article on OCSP stapling - http://en.wikipedia.org/wiki/OCSP_stapling | + | * Wikipedia article on OCSP stapling - http://en.wikipedia.org/wiki/OCSP_stapling |
| - | Wikipedia article on OCSP stapling - http://en.wikipedia.org/wiki/OCSP_stapling | + | |
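Review bot: the first Additional reading bullet is labelled "Mozilla's article on OCSP stapling" but carries the Wikipedia URL, identical to the second bullet; restore the Mozilla link or drop the bullet. Also in this hunk: "go to this website" in the Qualys paragraph has no link after the conversion, the nginx log excerpt does not need a `bash` tag, and the test pipeline `grep -A 17 'OCSP response:' | grep -B 17 'Next Update'` prints nothing whenever the OCSP block is longer than 17 lines, so "No output is displayed if OCSP stapling is not working" should tell the reader to check the raw `-status` output before concluding stapling is off.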