Online Certificate Status Protocol

#Ubuntu #HTTPS

OCSP stapling

The Online Certificate Status Protocol (OCSP) is a network protocol that lets clients query the revocation status of X.509 certificates from a validation service, the CA's OCSP responder.

With OCSP stapling the web server performs the status lookup on the client's behalf: it asks the CA's responder (the URL comes from the certificate's Authority Information Access extension), receives a timestamped OCSP response signed by the CA, and attaches ("staples") it to the TLS handshake. The client still checks the signature and the validity window of that response; what it saves is the separate round trip to the responder, which also keeps the CA from learning which sites a client visits.

Apache

OCSP stapling requires Apache 2.3.3 or later (mod_ssl).

root:~# apache2 -v
Server version: Apache/2.4.18 (Ubuntu)
Server built:   2016-07-14T12:32:26
root:~#
<IfModule mod_ssl.c>
  # OCSP stapling: the response cache is global (server config context,
  # outside every VirtualHost) and must exist before SSLUseStapling is
  # turned on. Note: no space between "shmcb:" and the path.
  SSLStaplingCache shmcb:/var/run/ocsp(128000)

  <VirtualHost *:443>
    ServerName test1.example.com
    SSLEngine on

    # OCSP stapling for this host
    SSLUseStapling on
    # Give up on the responder after 5 seconds (default: 10)
    SSLStaplingResponderTimeout 5
    # Never staple a responder error to clients; send no staple instead
    SSLStaplingReturnResponderErrors off

    SSLCertificateFile /etc/letsencrypt/live/test1.example.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/test1.example.com/privkey.pem
    # Intermediate CA: mod_ssl needs the issuer to build the OCSP request
    SSLCertificateChainFile /etc/letsencrypt/live/test1.example.com/chain.pem
  </VirtualHost>
</IfModule>

Check the configuration

root:~# apachectl -t
Syntax OK
root:~#

Reload the configuration

root:~# service apache2 reload
root:~#



NGiNX

OCSP stapling requires NGiNX 1.3.7 or later (ssl_stapling directive).

root:~# nginx -v
nginx version: nginx/1.10.2
root:~#

OCSP stapling must also be enabled in the default server for the listen address. nginx answers a client's status request with the stapling settings of the default server, so if it is off there, the other name-based servers on that port send no staple even when they have ssl_stapling on themselves. Two further prerequisites: a resolver directive (in the http block, or in each server) so nginx can look up the responder's host name taken from the certificate's AIA extension, otherwise the error log shows "no resolver defined to resolve ..."; and the intermediate certificate in the ssl_certificate file, because nginx needs the issuer to build the OCSP request.

server {
    listen 443 ssl default_server;
    server_name example.com;
    # Enable OCSP stapling here first: without it in the default server the
    # other servers on this port cannot staple either
    ssl_stapling on;
    ssl_stapling_verify on;
    # DNS resolver for the OCSP responder's host name. 127.0.0.1 is an
    # example address; setting it once in the http block covers every server
    resolver 127.0.0.1;
    # Let's Encrypt: fullchain.pem holds the server certificate plus the
    # intermediate, which nginx uses as issuer for the OCSP request
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
}

Additional servers with a Let's Encrypt certificate

server {
    listen 443 ssl;
    server_name test1.example.com test2.example.com;
    # Enable OCSP stapling and verify the responder's signature
    ssl_stapling on;
    ssl_stapling_verify on;
    # fullchain.pem contains the intermediate, so no ssl_trusted_certificate
    # is needed to verify responses signed by the issuing CA
    ssl_certificate /etc/letsencrypt/live/test1.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/test1.example.com/privkey.pem;
}

Additional server with a GeoTrust certificate

server {
    listen 443 ssl;
    server_name test3.example.com;
    # Enable OCSP stapling and verify the responder's signature
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_certificate /etc/nginx/ssl/test3.example.com_bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/test3.example.com.key;
    # Trusted chain for ssl_stapling_verify: the intermediate and root CA
    # certificates (the server certificate itself is not needed here)
    ssl_trusted_certificate /etc/nginx/ssl/full_chain.pem;
}

Check the configuration

root:~# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
root:~#

Reload the configuration

root:~# service nginx reload
root:~#


Check OCSP stapling with OpenSSL (SNI: Server Name Indication)

The -status option asks the server for a stapled response; -servername sets SNI so that the right certificate (and the right server block) is selected. Directly after a reload the first check may print nothing: nginx requests the OCSP response from the responder in the background after the first handshake and only staples it from the next connection on, so run the command a second time.

root:~# echo QUIT | openssl s_client -servername test1.example.com -connect test1.example.com:443 -status 2> /dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'
root:~#
root:~# echo QUIT | openssl s_client -servername test1.example.com -connect test1.example.com:443 -status 2> /dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    Produced At: Nov 16 20:21:00 2016 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
      Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
      Serial Number: 03C8A61591A0B8A32E2A97137E2A302CF6CE
    Cert Status: good
    This Update: Nov 16 20:00:00 2016 GMT
    Next Update: Nov 23 20:00:00 2016 GMT
root:~#
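To make the check above repeatable across many hosts, here is an added example script (not from the original page) that wraps openssl s_client -status, classifies what the server stapled (none, good, revoked or unknown), reports whether the stapled response is still inside its Next Update window, and can also query the CA's responder directly with openssl ocsp, which is the request the web server itself has to make before it can staple anything. It assumes openssl on PATH and GNU date for the freshness check; the host names, file paths and the SAMPLE_* outputs are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the original page. Wraps the s_client check above,
# classifies what the server stapled, and can query the responder directly.
# Assumes: openssl on PATH; GNU date for the freshness check; host names,
# paths and the SAMPLE_* outputs below are constructed placeholders.
set -u

# Parse `openssl s_client -status` output from stdin. Prints "none" when the
# server stapled nothing, otherwise the Cert Status: good, revoked or unknown.
parse_staple_status() {
    local line status="" seen=0
    while IFS= read -r line; do
        case "$line" in
            "OCSP response: no response sent") echo none; return 0 ;;
            "OCSP response:"*)                 seen=1 ;;
            *"Cert Status: "*)                 status=${line#*"Cert Status: "} ;;
        esac
    done
    [ "$seen" -eq 1 ] || { echo none; return 0; }
    echo "${status:-unknown}"
}

# Print one field of the stapled response from stdin, e.g. "Next Update".
staple_field() {
    local name=$1 line
    while IFS= read -r line; do
        case "$line" in
            *"$name: "*) printf '%s\n' "${line#*"$name: "}"; return 0 ;;
        esac
    done
    return 1
}

# fresh/stale by comparing Next Update with now; "unchecked" without GNU date.
staple_freshness() {
    local next=$1 next_epoch
    next_epoch=$(date -u -d "$next" +%s 2>/dev/null) || { echo unchecked; return 0; }
    if [ "$next_epoch" -gt "$(date -u +%s)" ]; then echo fresh; else echo stale; fi
}

# Live handshake with SNI; -status requests the staple, QUIT ends the session.
staple_output_for() {
    local host=$1 port=${2:-443}
    echo QUIT | openssl s_client -servername "$host" -connect "$host:$port" -status 2>/dev/null
}

# The request the web server itself makes: read the responder URL from the
# certificate's AIA extension and ask for the status. The intermediate comes
# from $issuer; the signature is checked against the system trust store.
# OpenSSL 1.0.x sends no HTTP Host header; add there: -header Host <responder host>
direct_ocsp_query() {
    local cert=$1 issuer=$2 uri
    uri=$(openssl x509 -in "$cert" -noout -ocsp_uri) || return 1
    openssl ocsp -issuer "$issuer" -cert "$cert" -url "$uri" -resp_text
}

# Constructed samples in s_client's output format (not real captures).
SAMPLE_NO_STAPLE='CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain
 0 s:/CN=test1.example.com'

SAMPLE_GOOD='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Responses:
    Cert Status: good
    This Update: Nov 16 20:00:00 2016 GMT
    Next Update: Nov 23 20:00:00 2016 GMT
======================================
---'

# Usage: ./ocsp-check.sh host [host ...]
for host in "$@"; do
    out=$(staple_output_for "$host")
    status=$(printf '%s\n' "$out" | parse_staple_status)
    next=$(printf '%s\n' "$out" | staple_field "Next Update" || true)
    printf '%-30s %-8s %s\n' "$host" "$status" \
        "${next:+$(staple_freshness "$next") until $next}"
done
```

Run it as ./ocsp-check.sh test1.example.com test3.example.com. A result of none right after a reload is the lazy nginx fetch described above; none that persists usually means the responder is unreachable from the server (nginx: missing resolver or blocked egress; Apache: responder timeout with SSLStaplingReturnResponderErrors off), which direct_ocsp_query cert.pem chain.pem run on the server shows directly. A stale result means the server keeps serving an expired response, which clients reject or ignore depending on their policy.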