OCSP stapling

Tired of seeing wrong OCSP stapling configurations, even ones I made myself, I'm writing this so I won't forget how to do it right, and hopefully to help others. It is also an excuse to read more about the subject :)

OCSP stapling is good: the client still gets an OCSP response, but without opening one more connection to a server that has nothing to do with the intended purpose of the original connection. Sure, every connection carries a few more bytes, but it is harder for an attacker to interrupt the OCSP process without interfering with the target server itself.

For nginx, you need to use a configuration at least with these directives:

ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/certs/bundle_with_root_stapling.pem;

ssl_stapling on; enables stapling. To be honest, stapling will work with this line alone.

ssl_stapling_verify on; forces our server to check that the OCSP response is valid, meaning properly signed by the respective CA.

ssl_trusted_certificate /etc/nginx/certs/bundle_with_root_stapling.pem; path to the chain that validates the responses. If you enabled ssl_stapling_verify you need this directive. It must contain all the intermediate CAs, including the root. Just concatenate every CA in the chain, PEM encoded, with the root at the end.

Then issue sudo service nginx restart and test it with echo | openssl s_client -connect mendo.pt:443 -status

You will likely get something like
OCSP response: no response sent

This happens because nginx does not prefetch a valid response; it only fetches one after it gets a connection, so the first connection won't receive an OCSP response. Try again after a few seconds and you will get

OCSP response:
======================================
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C = IL, O = StartCom Ltd. (Start Commercial Limited), CN = StartCom Class 1 Server OCSP Signer
Produced At: May 8 20:48:21 2015 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 6568874F40750F016A3475625E1F5C93E5A26D58
Issuer Key Hash: EB4234D098B0AB9FF41B6B08F7CC642EEF0E2C45
Serial Number: 05A143427C3754
Cert Status: good
This Update: May 8 20:48:21 2015 GMT
Next Update: May 10 20:48:21 2015 GMT

Signature Algorithm: sha1WithRSAEncryption
98:47:f1:39:4b:ef:f6:67:3d:46:d4:3c:93:fc:ab:95:20:a3:
e8:d0:2b:64:63:d8:46:d7:65:3f:00:5d:50:9c:7d:b7:2c:4c:
36:b1:58:86:9f:4b:95:d4:a4:fa:0f:bb:50:3b:a3:e8:d2:a6:
f3:5f:8c:c3:62:b1:75:90:8a:ab:50:cd:33:6a:cc:6c:ea:04:
a5:65:ff:09:15:41:0c:76:98:7a:79:93:f4:e1:8b:a5:a1:0c:
1e:90:04:25:05:98:91:2c:cc:62:0a:2b:06:a3:28:46:55:90:
f3:0f:09:3c:57:51:98:ed:9c:6f:03:f6:01:9e:d5:61:1b:cf:
f2:7a:0b:f2:9d:e1:52:ba:4a:34:ba:5c:95:7b:40:de:83:96:
55:d0:df:41:e7:14:58:28:9b:6a:67:67:fc:db:59:ab:8a:35:
90:a9:75:8b:9e:8b:46:51:0c:e9:8c:4e:43:60:34:f7:86:06:
09:0b:5f:03:16:b7:ab:15:49:ea:15:c4:f7:c6:d0:ec:22:01:
fd:8a:f1:d0:b9:f5:12:14:b7:13:5b:13:80:a6:60:be:11:bc:
28:c8:86:44:4b:1f:dd:fc:1e:5a:2e:a0:21:52:8d:c7:6c:e5:
72:c0:11:f4:15:16:54:96:14:f7:5f:5a:3f:cf:46:10:60:f5:
46:15:0a:8b

Simple.
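To make the "try again after a few seconds" check above repeatable, here is an added shell helper that is not part of the original post: it classifies the stapling status from the text s_client prints, and check_stapling retries a live probe because the first handshake usually reports no response. The sample outputs are constructed (abridged from what s_client prints), and the -servername flag is my addition so the probe sends SNI.

```shell
# Classify the stapling status from `openssl s_client -status` output read on stdin.
# Prints one of: none, good, revoked, unknown, unparsed.
parse_ocsp_status() {
    out=$(cat)
    case "$out" in
        *"OCSP response: no response sent"*) echo "none" ;;
        *"Cert Status: good"*)               echo "good" ;;
        *"Cert Status: revoked"*)            echo "revoked" ;;
        *"Cert Status: unknown"*)            echo "unknown" ;;
        *)                                   echo "unparsed" ;;
    esac
}

# Probe a live server (needs network access). nginx only fetches the OCSP
# response after it has served a connection, so retry a few times, pausing
# between attempts, before concluding that stapling is not working.
check_stapling() {
    host=$1; tries=${2:-3}
    status=none
    i=1
    while [ "$i" -le "$tries" ]; do
        status=$(echo | openssl s_client -connect "$host:443" -servername "$host" -status 2>/dev/null \
                 | parse_ocsp_status)
        [ "$status" != "none" ] && break
        i=$((i + 1)); sleep 2
    done
    echo "$status"
}

# Constructed samples so the parser can be exercised offline.
SAMPLE_NONE="CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain"

SAMPLE_GOOD="CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
    This Update: May  8 20:48:21 2015 GMT
    Next Update: May 10 20:48:21 2015 GMT
======================================"

printf '%s\n' "$SAMPLE_NONE" | parse_ocsp_status   # prints: none
printf '%s\n' "$SAMPLE_GOOD" | parse_ocsp_status   # prints: good
```

Run `check_stapling mendo.pt` (or your own host) to probe a real server; a persistent "none" after the retries usually means ssl_stapling_verify failed against the trusted bundle or the responder could not be reached.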

EDIT
Because nginx only resolves the OCSP responder hostname at startup and its IP can change, you might consider setting the following directive (pick your DNS resolver):

resolver 8.8.8.8;
