Shulou(Shulou.com)06/01 Report--

This article mainly introduces Nginx how to enable OCSP Stapling, the article is very detailed, has a certain reference value, interested friends must read it!

Online Certificate status Protocol (Online Certificate Status Protocol), or OCSP for short, is an Internet protocol used to obtain the revocation status of X.509 digital certificates, which is defined in RFC 6960. OCSP is used to verify the validity of a certificate. The query service is generally provided by the CA to which the certificate belongs. The essence of OCSP query is a complete HTTP request plus response process, which includes DNS query, establishment of TCP connection, Web side work and other steps, which will take more time, making the establishment of TLS take more time.

And then OCSP Stapling appeared. Through OCSP Stapling (OCSP Envelope), the Web side will actively obtain the OCSP query results and send them to the client along with the certificate, so that the client can skip the process of seeking verification and improve the efficiency of TLS handshake.

Generate OCSP Stapling file

Generate the required files for OCSP Stapling verification by following these steps

First, three certificates need to be prepared:

Site certificate (website.pem) + root certificate (root.pem) + intermediate certificate (intermediate.pem)

Intermediate certificate and root certificate need to download the corresponding certificate according to the CA of your certificate.

The download addresses of the intermediate certificate and root certificate for Let's Encrypt are listed below:

Root certificate:

DST Root CA X3 https://ssl-tools.net/certificates/dac9024f54d8f6df94935fb1732638ca6ad77c13.pem

ISRG Root X1 https://letsencrypt.org/certs/isrgrootx1.pem

Intermediate Certificate:

Let's Encrypt Authority X1 https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem

Let's Encrypt Authority X2 https://letsencrypt.org/certs/lets-encrypt-x2-cross-signed.pem

Let's Encrypt Authority X3 https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem

Let's Encrypt Authority X4 https://letsencrypt.org/certs/lets-encrypt-x4-cross-signed.pem

Here, take DST Root CA X3 root certificate + Let's Encrypt Authority X3 intermediate certificate as an example (now the certificates issued by Let's Encrypt are basically combined like this):

# download root certificate and intermediate certificate wget-O root.pem https://ssl-tools.net/certificates/dac9024f54d8f6df94935fb1732638ca6ad77c13.pemwget-O intermediate.pem https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem# to generate OCSP Stapling verification file # Note: intermediate certificate is on top and root certificate is on bottom cat cat intermediate.pem > chained.pemcat root.pem > > chained.pem

In this way, the generated chained.pem is the required OCSP Stapling verification file.

OCSP Stapling Response

Openssl x509-in website.pem-noout-ocsp_uri

After using this command, return the OCSP service address corresponding to your certificate

For example, Let's Encrypt's current OCSP service address is http://ocsp.int-x3.letsencrypt.org/

Take Let's Encrypt as an example to obtain the OCSP Response of the site certificate

Openssl ocsp-no_nonce\-issuer intermediate.pem\-CAfile chained.pem\-VAfile chained.pem\-cert website.pem\-url http://ocsp.int-x3.letsencrypt.org\-text

If there are no errors, the following will be returned:

Response verify OK

Website.pem: good

This Update: Oct 24 00:00:41 2017 GMT

Next Update: Oct 31 00:00:41 2017 GMT

Nginx enables OCSP Stapling

Ssl_stapling on;ssl_stapling_verify on;ssl_trusted_certificate ~ / chained.pem;resolver 208.67.222.222 valid=300s;resolver_timeout 5s

Then restart Nginx, and OCSP Stapling is enabled successfully

OCSP Stapling Status

The copy code is as follows:

Openssl s_client-connect sometimesnaive.org:443-status-tlsextdebug

& 1 | grep-I "OCSP response"

If the site has successfully enabled OCSP Stapling, the following will be returned

OCSP response:OCSP Response Data: OCSP Response Status: successful (0x0) Response Type: Basic OCSP Response

If you return to this, it is obviously a failure.

OCSP response: no response sent

You can also visit ssllabs for SSL testing, and you can also see the report of whether OCSP Stapling is enabled or not.

The above is all the content of the article "how to enable OCSP Stapling in Nginx". Thank you for reading! Hope to share the content to help you, more related knowledge, welcome to follow the industry information channel!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.