Configuring OCSP Stapling

OCSP (Online Certificate Status Protocol) is a protocol for checking the validity of a certificate, that is, for confirming that it was really issued by the certification authority and has not been revoked. Enabling OCSP Stapling on the web server speeds up page loading, because the request to the certification authority's OCSP responder is made by the web server, which attaches the signed response to the TLS handshake, rather than by each visitor's browser.

To enable OCSP Stapling in Nginx, add the following directives to the server {} block (the last line can be omitted; Nginx uses the resolver to look up the hostname of the OCSP responder):

ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 8.8.4.4;

Let’s check the configuration and restart Nginx:

nginx -t
systemctl restart nginx

To enable OCSP Stapling in Apache2, add the following directive to the VirtualHost block of the required site:

SSLUseStapling on

And outside the VirtualHost block, in the global server configuration, specify:

SSLStaplingCache shmcb:/tmp/stapling_cache(128000)

Let’s check the configuration and apply it:

apachectl -t
service apache2 reload

If cPanel is used, OCSP Stapling can be enabled in the WHM – Apache Include Editor menu, or manually in the /usr/local/apache/conf/include/pre_virtualhost_global.conf configuration file, but in this case the changes will be reset after a cPanel update.

OCSP Stapling is enabled by default starting in Windows Server 2008.

Here is an example of checking from Linux:

openssl s_client -connect ixnfo.com:443 -tls1 -status -tlsextdebug

echo QUIT | openssl s_client -connect ixnfo.com:443 -status 2> /dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'
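The same check, as an added example that is not part of the original post: a small shell helper that turns the "openssl s_client -status" output into a pass/fail result usable from a monitoring job. The two sample outputs are constructed (abbreviated to the lines the parser needs); the function names are my own.

```shell
# Classify "openssl s_client -status" output read on stdin. Prints one of
# stapled / not-stapled / stapled-revoked / stapled-unknown / bad-response
# and returns 0 only for a successfully stapled "good" response.
classify_stapling() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
        echo not-stapled; return 1          # server did not staple anything
    fi
    if ! printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        echo bad-response; return 1         # stapled, but the responder reported an error
    fi
    status=$(printf '%s\n' "$out" | sed -n 's/^ *Cert Status: *//p' | head -n 1)
    case "$status" in
        good)    echo stapled; return 0 ;;
        revoked) echo stapled-revoked; return 1 ;;
        *)       echo stapled-unknown; return 1 ;;
    esac
}

# Print the "Next Update" timestamp of the stapled response (empty if none).
next_update() {
    sed -n 's/^ *Next Update: *//p' | head -n 1
}

# Live check of a host on port 443 (SNI is set so name-based virtual hosts answer).
check_host() {
    echo QUIT | openssl s_client -connect "$1:443" -servername "$1" -status 2>/dev/null \
        | classify_stapling
}

# Constructed sample: what a server with stapling enabled reports.
SAMPLE_GOOD='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Mar  1 10:00:00 2024 GMT
    Next Update: Mar  8 10:00:00 2024 GMT
======================================'

# Constructed sample: a server with stapling disabled.
SAMPLE_NONE='OCSP response: no response sent'
```

Run `check_host ixnfo.com` against a live server; the exit status lets the function be used directly as a monitoring check.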

You can also check with third-party services, for example https://www.ssllabs.com/ssltest
