2025-04-09 Update From: SLTechnology News&Howtos > Servers
Shulou (Shulou.com) 06/01 Report
This article explains how to enable OCSP Stapling in Nginx. It is fairly detailed and should be a useful reference for anyone interested.
The Online Certificate Status Protocol (OCSP) is an Internet protocol, defined in RFC 6960, for obtaining the revocation status of X.509 digital certificates. A client uses it to check that a certificate is still valid; the query service is normally provided by the CA that issued the certificate. An OCSP query is a complete HTTP request and response, which involves a DNS lookup, a TCP connection and processing on the responder side. All of that takes time and lengthens the TLS handshake.
OCSP Stapling addresses this. With OCSP Stapling, the web server fetches the OCSP response itself and sends it to the client together with the certificate, so the client can skip its own OCSP lookup and the TLS handshake completes faster.
Generate OCSP Stapling file
Generate the files required for OCSP Stapling verification as follows.
First, three certificates are needed:
Site certificate (website.pem) + root certificate (root.pem) + intermediate certificate (intermediate.pem)
The intermediate and root certificates must be the ones belonging to the CA that issued your certificate; check the CA's documentation for the chain it currently uses.
The download addresses of the intermediate certificate and root certificate for Let's Encrypt are listed below:
Root certificate:
DST Root CA X3 https://ssl-tools.net/certificates/dac9024f54d8f6df94935fb1732638ca6ad77c13.pem
ISRG Root X1 https://letsencrypt.org/certs/isrgrootx1.pem
Intermediate Certificate:
Let's Encrypt Authority X1 https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem
Let's Encrypt Authority X2 https://letsencrypt.org/certs/lets-encrypt-x2-cross-signed.pem
Let's Encrypt Authority X3 https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem
Let's Encrypt Authority X4 https://letsencrypt.org/certs/lets-encrypt-x4-cross-signed.pem
Here, the DST Root CA X3 root certificate plus the Let's Encrypt Authority X3 intermediate certificate are used as the example (at the time of writing, most certificates issued by Let's Encrypt chain this way):
# download root certificate and intermediate certificate
wget -O root.pem https://ssl-tools.net/certificates/dac9024f54d8f6df94935fb1732638ca6ad77c13.pem
wget -O intermediate.pem https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem
# generate the OCSP Stapling verification file
# Note: the intermediate certificate goes on top and the root certificate at the bottom
cat intermediate.pem > chained.pem
cat root.pem >> chained.pem
In this way, the generated chained.pem is the required OCSP Stapling verification file.
OCSP Stapling Response
openssl x509 -in website.pem -noout -ocsp_uri
This command prints the OCSP responder address for your certificate.
For example, Let's Encrypt's current OCSP service address is http://ocsp.int-x3.letsencrypt.org/
Using Let's Encrypt as the example, obtain the OCSP response for the site certificate:
openssl ocsp -no_nonce \
    -issuer intermediate.pem \
    -CAfile chained.pem \
    -VAfile chained.pem \
    -cert website.pem \
    -url http://ocsp.int-x3.letsencrypt.org \
    -text
If there are no errors, the following will be returned:
Response verify OK
website.pem: good
    This Update: Oct 24 00:00:41 2017 GMT
    Next Update: Oct 31 00:00:41 2017 GMT
Nginx enables OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;
# use the absolute path to chained.pem here; nginx does not expand ~
ssl_trusted_certificate ~/chained.pem;
# nginx needs a resolver to look up the OCSP responder's hostname
resolver 208.67.222.222 valid=300s;
resolver_timeout 5s;
Then restart Nginx, and OCSP Stapling is enabled.
OCSP Stapling Status
openssl s_client -connect sometimesnaive.org:443 -status -tlsextdebug < /dev/null 2>&1 | grep -i "OCSP response"
If the site has successfully enabled OCSP Stapling, the following is returned:
OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
If the following is returned instead, stapling is not working:
OCSP response: no response sent
You can also run an SSL test at SSL Labs; its report shows whether OCSP Stapling is enabled.
That is all the content of the article "how to enable OCSP Stapling in Nginx". Thank you for reading! Hopefully it helps; for more related material, follow the industry information channel.
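The following script is an added example, not code from the original article: it wraps the steps above (building chained.pem in the right order, reading the responder URL from the certificate, querying the responder, and classifying the stapling status reported by s_client) in small shell functions so each step can be checked on its own. The file names website.pem, intermediate.pem, root.pem and chained.pem follow the article; the function names are this example's own, and -servername (SNI) is added to the s_client call so that a host serving several certificates presents the right one.

```shell
#!/bin/sh
# Added example (not part of the original article): helpers for the OCSP
# Stapling procedure. Requires openssl for the network-facing functions.

# Build chained.pem in the order nginx expects for ssl_trusted_certificate:
# intermediate first, root last. Fails if either input is missing or empty.
build_chain() {
    intermediate="$1"; root="$2"; out="$3"
    [ -s "$intermediate" ] && [ -s "$root" ] || return 1
    cat "$intermediate" "$root" > "$out"
}

# Count certificates in a PEM bundle; chained.pem should contain exactly two.
cert_count() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Print the OCSP responder URL embedded in a site certificate.
ocsp_uri() {
    openssl x509 -in "$1" -noout -ocsp_uri
}

# Query the responder directly, as in the article: the intermediate signs the
# request's issuer data and chained.pem verifies the response signature.
query_ocsp() {
    cert="$1"; issuer="$2"; chain="$3"
    url=$(ocsp_uri "$cert") || return 1
    openssl ocsp -no_nonce -issuer "$issuer" -CAfile "$chain" -VAfile "$chain" \
        -cert "$cert" -url "$url" -text
}

# Classify s_client output read from stdin: prints "stapled", "none" or
# "unknown". Reading stdin lets it be tested offline on captured output.
stapling_status() {
    out=$(cat)
    case "$out" in
        *"OCSP Response Status: successful"*) echo stapled ;;
        *"OCSP response: no response sent"*)  echo none ;;
        *)                                    echo unknown ;;
    esac
}

# Connect to a host and report whether it staples (the article's status check).
# Needs network access; -servername selects the certificate via SNI.
check_stapling() {
    host="$1"
    openssl s_client -connect "$host:443" -servername "$host" -status -tlsextdebug \
        < /dev/null 2>&1 | stapling_status
}

# Usage: sh ocsp_check.sh example.org  (the file name is this example's own)
if [ $# -gt 0 ]; then
    check_stapling "$1"
fi
```

One practical point when using check_stapling against a freshly restarted Nginx: Nginx fetches the OCSP response in the background after the first TLS handshake and caches it, so the very first connection after a restart can report "none" even when stapling is configured correctly. Run the check a second time before concluding that the configuration is wrong.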