2025-04-10 Update From: SLTechnology News&Howtos > Network Security
Shulou(Shulou.com)06/01 Report--
1. The concept of OCSP Stapling
OCSP Stapling, formally the TLS Certificate Status Request extension, lets a client learn the revocation status of an X.509 certificate without itself using the Online Certificate Status Protocol (OCSP). The server sends a pre-fetched, cached OCSP response during the TLS handshake, and the client only needs to verify the validity of that response instead of sending its own request to the certificate authority (CA).
2. Motivation
OCSP Stapling solves most of the problems of plain OCSP. After a CA issues a certificate to a site, every visitor to that site makes its own OCSP query, so under plain OCSP the highly concurrent requests put heavy load on the CA's responder. Because each query requires a connection to the CA, it also slows down page loading in the browser and discloses the user's browsing to the CA. Moreover, when an OCSP query goes unanswered, the browser has to decide whether to continue the connection without having confirmed the certificate's status, leaving it in a dilemma between security and availability.
3. Development
Support for OCSP Stapling has been implemented gradually. OpenSSL, with the assistance of the Mozilla Foundation, released version 0.9.8g with OCSP Stapling support.
Server-side support:
Browser support:
On the SMTP side, Exim supports OCSP Stapling on both the client side and the server side.
4. Standard
The TLS Certificate Status Request extension is defined in Section 8 of RFC 6066.
RFC 6961 defines the Multiple Certificate Status Request extension, which allows the TLS handshake to carry OCSP responses for multiple certificates.
5. Deployment
OCSP Stapling support has been implemented step by step. The OpenSSL project included it in its 0.9.8g release, funded by a grant from the Mozilla Foundation.
On the server side, Apache HTTP Server supports OCSP Stapling since version 2.3.3, nginx since version 1.3.7, LiteSpeed Web Server since version 4.2.4, Microsoft IIS since Windows Server 2008, HAProxy since version 1.5.0, F5 Networks BIG-IP since version 11.6.0, and KEMP LoadMaster since version 7.2.37.1.
On the browser side, OCSP Stapling is supported since Firefox 26, in Internet Explorer since Windows Vista, and in Google Chrome on Linux, Chrome OS, and Windows since Vista.
For SMTP, the Exim mail transfer agent supports OCSP Stapling in both client and server modes.
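Enabling stapling on one of the servers above is only half the job; the practitioner's check is whether the server actually sends a stapled response and whether that response is still usable. The following is an added Python example written for this article (not code from the article or from any of the servers named): it interprets the "OCSP response:" section that `openssl s_client -status` prints and returns a verdict. The two transcripts embedded in the block are constructed samples with a placeholder hostname and CA, not captures from a real server.

```python
"""Interpret the OCSP section of `openssl s_client -status` output.

Added example for this article.  Both transcripts below are constructed
samples (placeholder hostname and CA), not captures from a real server.
"""
import re
from datetime import datetime, timezone

# Constructed sample: a server with stapling not enabled.
NO_STAPLE = """CONNECTED(00000003)
OCSP response: no response sent
depth=0 CN = example.test
"""

# Constructed sample: a server that staples a 'good' response valid for a week.
STAPLED_GOOD = """CONNECTED(00000003)
OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = XX, O = Example CA, CN = Example Issuing CA
    Produced At: Apr  1 12:00:00 2025 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
    Cert Status: good
    This Update: Apr  1 12:00:00 2025 GMT
    Next Update: Apr  8 12:00:00 2025 GMT
======================================
depth=0 CN = example.test
"""

# Same shape, but the CA says the certificate is revoked.
STAPLED_REVOKED = STAPLED_GOOD.replace("Cert Status: good", "Cert Status: revoked")

OPENSSL_TIME = "%b %d %H:%M:%S %Y GMT"   # e.g. "Apr  8 12:00:00 2025 GMT"


def _openssl_time(text: str) -> datetime:
    # openssl pads single-digit days with a space; collapse runs of spaces first.
    return datetime.strptime(" ".join(text.split()), OPENSSL_TIME).replace(tzinfo=timezone.utc)


def check_stapling(output: str, now_iso: str) -> dict:
    """Return a verdict on the stapled response in `output`, judged at `now_iso`
    (an ISO 8601 timestamp with offset, e.g. "2025-04-03T00:00:00+00:00")."""
    now = datetime.fromisoformat(now_iso)
    verdict = {"stapled": False, "response_status": None, "cert_status": None,
               "next_update": None, "usable": False, "reason": ""}

    if "OCSP response: no response sent" in output:
        verdict["reason"] = "server did not staple; client must query the CA itself or fail open"
        return verdict
    status = re.search(r"OCSP Response Status: (\w+)", output)
    if status is None:
        verdict["reason"] = "no OCSP response block in output"
        return verdict

    verdict["stapled"] = True
    verdict["response_status"] = status.group(1)
    if verdict["response_status"] != "successful":
        verdict["reason"] = f"responder returned {verdict['response_status']}"
        return verdict

    cert = re.search(r"Cert Status: (\w+)", output)
    nxt = re.search(r"Next Update: (.+)", output)
    if cert is None or nxt is None:
        verdict["reason"] = "response lacks Cert Status or Next Update"
        return verdict
    verdict["cert_status"] = cert.group(1)
    next_update = _openssl_time(nxt.group(1))
    verdict["next_update"] = next_update.isoformat()

    if verdict["cert_status"] != "good":
        verdict["reason"] = f"certificate status is {verdict['cert_status']}"
    elif now >= next_update:
        verdict["reason"] = "stapled response has expired; the server's cache is stale"
    else:
        verdict["usable"] = True
        verdict["reason"] = "good response, still within its validity window"
    return verdict


if __name__ == "__main__":
    for name, sample in (("no staple", NO_STAPLE), ("good", STAPLED_GOOD),
                         ("revoked", STAPLED_REVOKED)):
        v = check_stapling(sample, "2025-04-03T00:00:00+00:00")
        print(f"{name:10s} stapled={v['stapled']} usable={v['usable']}  {v['reason']}")
```

Against a live server the input would come from `openssl s_client -connect host:443 -servername host -status < /dev/null`; the three verdicts worth alerting on are "no response sent" (stapling is configured but not working, or the server has not yet fetched a response), an expired Next Update (the server's stapling cache is not being refreshed), and a revoked status (which the client must treat as a hard failure regardless of how it was delivered).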
6. Limitations
OCSP Stapling reduces the cost of OCSP checking, especially for large websites with many users. However, the original extension can carry only one OCSP response per handshake, which is not enough for certificate chains that contain intermediate certificates. The Multiple Certificate Status Request extension proposed in RFC 6961 addresses this by allowing several OCSP responses to be sent at once.
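To make the structures behind sections 4 and 6 concrete, here is an added Python example (not code from the article): it encodes and decodes the ClientHello status_request extension from RFC 6066 Section 8 and the server's CertificateStatus handshake message in both its RFC 6066 single-response form and its RFC 6961 ocsp_multi form, so the one-response limitation shows up as a hard error rather than a sentence. The byte strings are constructed by hand, and the "OCSP responses" are labelled placeholders rather than real DER-encoded OCSPResponse values.

```python
"""Encode and decode the TLS messages behind OCSP stapling:
  - the status_request extension a client sends (RFC 6066 section 8),
  - the CertificateStatus handshake message the server answers with, in its
    single-response form (RFC 6066) and its multi-response form (RFC 6961).
Added example for this article.  The byte strings are constructed by hand; the
"OCSP responses" are placeholder bytes, not real DER-encoded OCSPResponse values.
"""
import struct

STATUS_TYPE_OCSP = 1         # RFC 6066: exactly one OCSPResponse
STATUS_TYPE_OCSP_MULTI = 2   # RFC 6961: one OCSPResponse per certificate in the chain
HS_CERTIFICATE_STATUS = 22   # HandshakeType certificate_status

# Constructed: the status_request body browsers typically send - status_type
# ocsp(1), empty responder_id_list, empty request_extensions.
CLIENT_STATUS_REQUEST = bytes.fromhex("0100000000")
# Constructed placeholders standing in for DER OCSPResponse values.
LEAF_RESPONSE = b"<placeholder DER OCSPResponse for the leaf certificate>"
INTERMEDIATE_RESPONSE = b"<placeholder DER OCSPResponse for the intermediate>"


def _u24(b: bytes, pos: int) -> int:
    return int.from_bytes(b[pos:pos + 3], "big")


def parse_status_request(ext: bytes) -> dict:
    """Decode the body of a ClientHello status_request extension:
    status_type(1) || responder_id_list<0..2^16-1> || request_extensions<0..2^16-1>."""
    if len(ext) < 5 or ext[0] != STATUS_TYPE_OCSP:
        raise ValueError("not an ocsp status_request")
    pos, responder_ids = 1, []
    (rid_len,) = struct.unpack_from("!H", ext, pos); pos += 2
    end = pos + rid_len
    if end > len(ext):
        raise ValueError("responder_id_list overruns extension")
    while pos < end:                       # each ResponderID is opaque<1..2^16-1>
        (n,) = struct.unpack_from("!H", ext, pos); pos += 2
        responder_ids.append(ext[pos:pos + n]); pos += n
    if pos != end:
        raise ValueError("malformed responder_id_list")
    (ext_len,) = struct.unpack_from("!H", ext, pos); pos += 2
    if pos + ext_len != len(ext):
        raise ValueError("bad request_extensions length")
    return {"responder_ids": responder_ids, "request_extensions": ext[pos:]}


def build_certificate_status(responses: list, multi: bool = False) -> bytes:
    """Build a CertificateStatus message.  Without `multi`, RFC 6066 allows
    exactly one response, so a leaf plus an intermediate cannot both be stapled."""
    if not multi:
        if len(responses) != 1:
            raise ValueError("RFC 6066 CertificateStatus carries exactly one OCSPResponse")
        body = bytes([STATUS_TYPE_OCSP]) + len(responses[0]).to_bytes(3, "big") + responses[0]
    else:
        items = b"".join(len(r).to_bytes(3, "big") + r for r in responses)
        body = bytes([STATUS_TYPE_OCSP_MULTI]) + len(items).to_bytes(3, "big") + items
    return bytes([HS_CERTIFICATE_STATUS]) + len(body).to_bytes(3, "big") + body


def parse_certificate_status(msg: bytes) -> list:
    """Return the OCSPResponse blobs carried by a CertificateStatus message; for
    ocsp_multi an empty blob means 'no response for that certificate'."""
    if len(msg) < 8 or msg[0] != HS_CERTIFICATE_STATUS:
        raise ValueError("not a CertificateStatus handshake message")
    body = msg[4:4 + _u24(msg, 1)]
    if len(body) != _u24(msg, 1):
        raise ValueError("truncated handshake body")
    status_type, length, data = body[0], _u24(body, 1), body[4:]
    if len(data) != length:
        raise ValueError("bad response length")
    if status_type == STATUS_TYPE_OCSP:
        if length == 0:
            raise ValueError("OCSPResponse must be non-empty")
        return [data]
    if status_type == STATUS_TYPE_OCSP_MULTI:
        responses, pos = [], 0
        while pos < len(data):
            n = _u24(data, pos); pos += 3
            if pos + n > len(data):
                raise ValueError("OCSPResponseList item overruns list")
            responses.append(data[pos:pos + n]); pos += n
        return responses
    raise ValueError(f"unknown status_type {status_type}")


if __name__ == "__main__":
    print("client asks for:", parse_status_request(CLIENT_STATUS_REQUEST))
    print("RFC 6066 form carries", len(parse_certificate_status(
        build_certificate_status([LEAF_RESPONSE]))), "response")
    try:
        build_certificate_status([LEAF_RESPONSE, INTERMEDIATE_RESPONSE])
    except ValueError as e:
        print("RFC 6066 form with leaf + intermediate:", e)
    print("RFC 6961 form carries", len(parse_certificate_status(
        build_certificate_status([LEAF_RESPONSE, INTERMEDIATE_RESPONSE], multi=True))), "responses")
```

Run it directly to see the single-response form reject a leaf-plus-intermediate pair while the ocsp_multi form carries both. In a real handshake the placeholder blobs would be DER OCSPResponse structures the server fetched from the CA, and the client still has to verify the responder's signature and the validity window of each one before trusting it.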
7. Significance
Deploying OCSP Stapling on the server greatly reduces the number of connections to the CA and the concurrent load they cause; sparing each visitor the extra OCSP exchange makes the site load faster.