This shows you the differences between two versions of the page.
linux:stapling [2016/06/17 11:07] admin |
linux:stapling [2016/06/17 11:16] (current) admin |
Line 1: | Line 1: | ||
- | ====== How To Configure OCSP Stapling on Apache and Nginx ====== | + | ====== OCSP Stapling on Apache and Nginx ====== |
Line 14: | Line 14: | ||
OCSP (Online Certificate Status Protocol) is a protocol for checking if a SSL certificate has been revoked. It was created as an alternative to CRL to reduce the SSL negotiation time. With CRL (Certificate Revocation List) the browser downloads a list of revoked certificate serial numbers and verifies the current certificate, which increases the SSL negotiation time. In OCSP the browser sends a request to a OCSP URL and receives a response containing the validity status of the certificate. The following screenshot shows the OCSP URI of digitalocean.com. | OCSP (Online Certificate Status Protocol) is a protocol for checking if a SSL certificate has been revoked. It was created as an alternative to CRL to reduce the SSL negotiation time. With CRL (Certificate Revocation List) the browser downloads a list of revoked certificate serial numbers and verifies the current certificate, which increases the SSL negotiation time. In OCSP the browser sends a request to a OCSP URL and receives a response containing the validity status of the certificate. The following screenshot shows the OCSP URI of digitalocean.com. | ||
- | OCSP URI | + | {{ :linux:apache_ocsp.png?nolink |}} |
===== About OCSP stapling ===== | ===== About OCSP stapling ===== | ||
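Review bot: the unchanged paragraph in this hunk credits OCSP itself with reducing SSL negotiation time, but a plain OCSP check still costs the client a separate round trip to the responder (and tells the CA which site the user is visiting); the latency saving only arrives with stapling, where the server fetches the response and attaches it to the handshake. Suggest limiting the sentence to what OCSP replaces ("instead of downloading the whole CRL, the browser queries the status of a single certificate") and making the latency claim in the "===== About OCSP stapling =====" section that follows. Minor grammar in the same paragraph: "a SSL certificate" and "a OCSP URL" should read "an SSL certificate" and "an OCSP URL".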
Line 192: | Line 192: | ||
Access the website on IE (on Vista and above) or Firefox 26+ and check the error log. | Access the website on IE (on Vista and above) or Firefox 26+ and check the error log. | ||
+ | <code bash> | ||
tail /var/log/nginx/error.log | tail /var/log/nginx/error.log | ||
+ | </code> | ||
+ | |||
If the file defined in ssl_trusted_certificate is missing a certificate an error similar to the following is displayed: | If the file defined in ssl_trusted_certificate is missing a certificate an error similar to the following is displayed: | ||
+ | <code bash> | ||
2014/05/09 17:38:16 [error] 1580#0: OCSP_basic_verify() failed (SSL: error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:Verify error:unable to get local issuer certificate) while requesting certificate status, responder: ocsp.startssl.com | 2014/05/09 17:38:16 [error] 1580#0: OCSP_basic_verify() failed (SSL: error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:Verify error:unable to get local issuer certificate) while requesting certificate status, responder: ocsp.startssl.com | ||
+ | </code> | ||
+ | |||
If no such errors are displayed proceed to the next step. | If no such errors are displayed proceed to the next step. | ||
- | Testing OCSP Stapling | + | ===== Testing OCSP Stapling ===== |
Two methods will be explained to test if OCSP stapling is working - the openssl command-line tool and SSL test at Qualys. | Two methods will be explained to test if OCSP stapling is working - the openssl command-line tool and SSL test at Qualys. | ||
- | The OpenSSL command | + | ==== The OpenSSL command ==== |
This command's output displays a section which says if your web server responded with OCSP data. We grep this particular section and display it. | This command's output displays a section which says if your web server responded with OCSP data. We grep this particular section and display it. | ||
+ | <code bash> | ||
echo QUIT | openssl s_client -connect www.digitalocean.com:443 -status 2> /dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update' | echo QUIT | openssl s_client -connect www.digitalocean.com:443 -status 2> /dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update' | ||
+ | </code> | ||
+ | |||
Replace www.digitalocean.com with your domain name. If OCSP stapling is working properly the following output is displayed. | Replace www.digitalocean.com with your domain name. If OCSP stapling is working properly the following output is displayed. | ||
+ | <code bash> | ||
OCSP response: | OCSP response: | ||
====================================== | ====================================== | ||
Line 225: | Line 237: | ||
This Update: May 9 08:45:00 2014 GMT | This Update: May 9 08:45:00 2014 GMT | ||
Next Update: May 16 09:00:00 2014 GMT | Next Update: May 16 09:00:00 2014 GMT | ||
+ | </code> | ||
+ | |||
No output is displayed if OCSP stapling is not working. | No output is displayed if OCSP stapling is not working. | ||
- | Qualys online SSL test | + | ==== Qualys online SSL test ==== |
To check this online go to this website and enter your domain name. Once testing completes check under the Protocol Details section. | To check this online go to this website and enter your domain name. Once testing completes check under the Protocol Details section. | ||
- | Qualys SSL report | + | {{ :linux:apache_ocsp2.png?nolink |}} |
+ | |||
+ | ===== Additional reading ===== | ||
- | Additional reading | + | * Mozilla's article on OCSP stapling - http://en.wikipedia.org/wiki/OCSP_stapling |
- | Mozilla's article on OCSP stapling - http://en.wikipedia.org/wiki/OCSP_stapling | + | * Wikipedia article on OCSP stapling - http://en.wikipedia.org/wiki/OCSP_stapling |
- | Wikipedia article on OCSP stapling - http://en.wikipedia.org/wiki/OCSP_stapling | + |
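Review bot: the "Additional reading" list added at the end of this hunk links both bullets to the same URL (http://en.wikipedia.org/wiki/OCSP_stapling), so the "Mozilla's article on OCSP stapling" entry is mislinked; point it at the intended Mozilla page or drop the bullet. Two smaller points in the testing section: the openssl check depends on fixed grep windows (-A 17 / -B 17), so a response block that is a few lines longer or shorter yields no output and is indistinguishable from "stapling not working"; a more robust test greps the same s_client -status output for "OCSP Response Status: successful", which openssl prints only when a stapled response was received, and for "OCSP response: no response sent", which it prints when nothing was stapled. And the Qualys step still says "go to this website" with no link after the old placeholder was replaced by the screenshot, so the URL (https://www.ssllabs.com/ssltest/) should be put back into the text.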