OCSP Stapling on Apache

May 4, 2014 00:00 · 132 words · 1 minute read security link

Excerpt from Remy van Elst's tutorial: OCSP stapling is an enhancement to the standard OCSP protocol that delivers OCSP responses from the server with the certificate, eliminating the need for relying parties (web users) to check OCSP responses with the issuing CA. This has the effect of reducing bandwidth, improving perceived site performance, and increasing security for everyone involved in establishing the secure session. This tutorial shows you how to set it up with Apache.


Create the OCSP stapling configuration for Apache. mod_ssl must already be enabled, and SSLStaplingCache is only valid at server level, which is why the directives go into a global conf-available file rather than a virtual host.

cat <<EOF > /etc/apache2/conf-available/sslstapeling.conf
# Fetch OCSP responses for the server certificate and staple them to the handshake
SSLUseStapling on
# Shared-memory cache for fetched responses (server-level directive)
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Maximum age, in seconds, of an OCSP response before it is treated as stale
SSLStaplingResponseMaxAge 900
EOF

Enable the configuration, test it, and restart Apache only if the configtest passes.

a2enconf sslstapeling
apache2ctl configtest
apache2ctl restart

Check the stapled OCSP response with OpenSSL. The `-status` flag asks the server to staple; send the host name with `-servername` so the right virtual host answers, and do not force `-tls1`, which pins the handshake to TLS 1.0 and is refused by current servers. A working setup prints `OCSP Response Status: successful` and `Cert Status: good`; `OCSP response: no response sent` means nothing was stapled, most often because Apache cannot reach the CA's OCSP responder named in the certificate's Authority Information Access extension.

openssl s_client -connect «yoursite»:443 -servername «yoursite» -tlsextdebug -status </dev/null
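The manual check above is easy to misread: a stapled response is only useful if it is present and says "good", and a revoked certificate also stapled successfully. The script below is an added example (not from the original tutorial or Remy van Elst's page) that parses `openssl s_client -status` output into a single status word and exits non-zero unless a good response was stapled. The host name, the `probe_stapling` wrapper and the three sample outputs are constructed for the example; the samples are abridged to the lines OpenSSL actually prints for an OCSP response.

```bash
#!/bin/sh
# Added example: classify the OCSP stapling result of an `openssl s_client -status` run.
# Prints one of: good | revoked | unknown | none, and returns 0 only for "good".
stapling_status() {
  out="$1"
  # No "OCSP Response Status: successful" line means the server stapled nothing
  # (OpenSSL then prints "OCSP response: no response sent").
  if ! printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
    echo "none"
    return 1
  fi
  # Pull the certificate status word from the "Cert Status: ..." line.
  status=$(printf '%s\n' "$out" \
    | sed -n 's/^[[:space:]]*Cert Status: \([a-z]*\).*/\1/p' | head -n 1)
  echo "${status:-unknown}"
  if [ "$status" = "good" ]; then
    return 0
  fi
  return 1
}

# Probe a live server (hypothetical wrapper, only runs when a host is given).
# -servername sends SNI so the matching virtual host answers; -status requests the staple.
probe_stapling() {
  host="$1"
  port="${2:-443}"
  out=$(openssl s_client -connect "$host:$port" -servername "$host" -status \
        </dev/null 2>/dev/null) || out=""
  stapling_status "$out"
}

# Constructed sample outputs in the shape `openssl s_client -status` prints.
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: May  1 00:00:00 2014 GMT
    Next Update: May  8 00:00:00 2014 GMT
======================================
---
Certificate chain'

SAMPLE_NOT_STAPLED='CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain'

SAMPLE_REVOKED='OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: revoked
    Revocation Time: May  2 12:00:00 2014 GMT'

# Usage: sh check_stapling.sh example.com [port]  (host name is a placeholder)
if [ "$#" -gt 0 ]; then
  probe_stapling "$@"
fi
```

Run it against the real host after the restart; anything other than `good` with exit status 0 means stapling is not doing its job, and a `none` result right after a restart should be retried once before looking at outbound connectivity to the OCSP responder.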