
What is OCSP?

2025-01-19 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

OCSP (Online Certificate Status Protocol, whose Chinese name translates literally as "online certificate status protocol") is one of the two common mechanisms for checking whether a certificate presented by a server or other network resource has been revoked. The older mechanism, the certificate revocation list (CRL), has for many years been supplemented and in many deployments replaced by OCSP. OCSP overcomes the main drawback of CRLs: the client must download the whole list, and download it frequently, to be sure the copy it holds is current.

With CRLs, the idea is that the client periodically fetches the list of revoked certificates from the CA and keeps it as a local cache, so that validation of a server certificate can be checked against that cache. This puts all of the responsibility on the client: it must manage the cache and keep it fresh, the list grows with every revocation, and the bandwidth and availability of the CA's distribution point from the client's network are not guaranteed. An approach with those costs was bound to lose ground to an online lookup that asks about one certificate at a time.

OCSP itself is not part of TLS. It is a separate request/response protocol (RFC 6960), usually carried over HTTP, and the responder's URL is published in the certificate's Authority Information Access (AIA) extension. It fills a gap in plain TLS certificate validation: a client can check that a certificate is within its validity period and chains to a trusted root, but the certificate alone cannot tell it whether the CA has revoked it before expiry. In most cases the CA simply lets a certificate expire naturally, but when a key is compromised or a certificate was mis-issued the CA revokes it, and without a revocation check the client has no way to learn that. So after the client receives the certificate from the server, it queries the CA's OCSP responder to ask whether that certificate has been revoked.

When a user connects to a server, the client sends the responder an OCSP request identifying the certificate (by a hash of the issuer's name, a hash of the issuer's public key, and the certificate's serial number). The responder answers with a signed response whose status for that certificate is good, revoked or unknown. The protocol specifies the syntax of these messages between the responder and client applications. Each response also carries a thisUpdate time and normally a nextUpdate time; the client may cache the response and keep using it until nextUpdate without asking again, which is what lets it continue connecting for a period without a fresh lookup.

However, clients sit on all kinds of networks, so having every connection query an external responder adds uncontrollable latency to the user experience, and it also concentrates a large volume of connections on the CA. OCSP is therefore usually deployed with OCSP stapling, which moves the lookup to the server and saves the client that time. The server periodically queries the CA's OCSP responder for the status of its own certificate and stores the signed response locally. During the TLS handshake, after sending its certificate chain (the Certificate message), the server sends the cached response as an additional certificate status message (the status_request extension of RFC 6066: a separate CertificateStatus message in TLS 1.2, an extension inside the Certificate message in TLS 1.3). Because the response is signed by the CA, or by a responder the CA has delegated, the client can still verify that the status information comes from the CA and was not fabricated by the server. A stapled response has a nextUpdate like any other, so the server has to refresh it before it goes stale.
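A stapling configuration, as an added example that is not from the page or from the author: the nginx server block below makes the server do what the paragraph above describes. The directive names are nginx's own; the host name, certificate paths and resolver address are placeholders.

```nginx
server {
    listen 443 ssl;
    server_name www.example.test;                        # placeholder host name

    ssl_certificate     /etc/ssl/example/fullchain.pem;  # leaf certificate plus intermediates
    ssl_certificate_key /etc/ssl/example/privkey.pem;

    # Fetch the OCSP response for the leaf from the responder URL in its AIA
    # extension, cache it, and send it in the handshake as the stapled status.
    ssl_stapling on;

    # Verify the responder's signature before stapling; without this nginx
    # staples whatever the responder returned.
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/example/chain.pem;  # issuer chain used for that verification

    # nginx resolves the responder's host name itself, so it needs a resolver.
    resolver 192.0.2.53 valid=300s;                      # placeholder DNS server
    resolver_timeout 5s;
}
```

Check it from a client with `openssl s_client -connect www.example.test:443 -status`; a stapled response appears as an "OCSP Response Status: successful" block with the certificate status. Two caveats: nginx fetches the response lazily, so the first handshake after a start or reload has nothing to staple, and the CA's responder must be reachable from the server (egress firewall, proxy), otherwise stapling silently stays empty.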

Compared with a traditional CRL, OCSP has the following characteristics:

An OCSP response carries the status of a single certificate (or a handful), far less data than a full CRL, so OCSP uses network bandwidth and client resources more efficiently.

With OCSP the client does not have to download and parse the CRL itself. It does have to handle status responses, including caching them until nextUpdate, which sounds like a complex piece of client-side state to maintain. In practice the impact is small, because the TLS libraries used by clients already implement this work behind their interfaces.

OCSP requests are normally sent over plain HTTP. The responses are signed but not encrypted, and the protocol does not require a confidential channel, so a client-side lookup tells the CA's responder, and anyone on the path, which certificate (and therefore which site) a given client address is about to visit. Stapling avoids this leak because the server, not the user, asks the CA. A second caveat: most clients soft-fail when the responder cannot be reached, treating no answer as "not revoked", so an attacker who can block the OCSP query defeats the check unless the server staples a response.

The sequence of an OCSP query is as follows:

1. The OCSP responder establishes a connection to the CA's certificate status database.

2. The application uses the OCSP client interface to query the status of a specific certificate.

3. The OCSP client interface encapsulates the OCSP request (a CertID made of the issuer name hash, issuer key hash and serial number).

4. The OCSP client interface opens an HTTP connection to the OCSP responder.

5. The OCSP client interface sends the OCSP request to the responder over the HTTP connection.

6. The OCSP responder parses the OCSP request.

7. The OCSP responder queries the CA database directly to obtain the latest status of that certificate.

8. The OCSP responder builds and signs the OCSP response.

9. The OCSP responder returns the response over the HTTP connection.

10. The OCSP client interface closes the HTTP connection.

11. The OCSP client interface parses the OCSP response and verifies its signature against the CA's (or the delegated responder's) certificate.

12. The OCSP client interface returns the certificate status to the application.
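As an added example, not code from this page and not from any OCSP implementation, the following stdlib-only Python builds the request of steps 3 to 5 by hand, decodes it the way a responder does in step 6, and maps a response's certStatus to good, revoked or unknown. The issuer name, issuer public-key bits and serial number are constructed placeholders; the SHA-1 CertID hash and the nonce extension OID are the ones RFC 6960 specifies.

```python
"""Minimal OCSP request builder/decoder (RFC 6960) using only the stdlib.
Added example, not code from this page or from any OCSP implementation; the
issuer name, issuer key bits and serial number below are constructed."""
import hashlib

SHA1_OID = "1.3.14.3.2.26"          # id-sha1, the hash CertID conventionally uses
NONCE_OID = "1.3.6.1.5.5.7.48.1.2"  # id-pkix-ocsp-nonce

def der(tag: int, body: bytes) -> bytes:
    """One DER TLV; long-form length once the body reaches 128 bytes."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body

def der_seq(*items: bytes) -> bytes:
    return der(0x30, b"".join(items))

def der_int(n: int) -> bytes:  # minimal two's-complement INTEGER
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))

def der_oid(dotted: str) -> bytes:  # first two arcs packed, the rest base-128
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, (arc & 0x7F) | 0x80)
        out += chunk
    return der(0x06, bytes(out))

def der_read(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(body: bytes) -> list:
    items, pos = [], 0
    while pos < len(body):
        tag, value, pos = der_read(body, pos)
        items.append((tag, value))
    return items

def oid_to_str(body: bytes) -> str:
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def build_cert_id(issuer_name_der: bytes, issuer_key_bits: bytes, serial: int) -> bytes:
    """CertID: the responder keys its lookup on two issuer hashes plus the serial.
    issuerKeyHash covers the issuer's subjectPublicKey BIT STRING contents only."""
    return der_seq(der_seq(der_oid(SHA1_OID), b"\x05\x00"),            # AlgorithmIdentifier
                   der(0x04, hashlib.sha1(issuer_name_der).digest()),  # issuerNameHash
                   der(0x04, hashlib.sha1(issuer_key_bits).digest()),  # issuerKeyHash
                   der_int(serial))                                    # serialNumber

def build_ocsp_request(cert_id: bytes, nonce=None) -> bytes:
    """Unsigned OCSPRequest with one Request (version v1 is DEFAULT, so omitted)."""
    tbs = der_seq(der_seq(cert_id))                                    # requestList
    if nonce is not None:  # ties the answer to this request so a stale "good" cannot be replayed
        ext = der_seq(der_oid(NONCE_OID), der(0x04, der(0x04, nonce)))
        tbs += der(0xA2, der_seq(ext))                                 # requestExtensions [2]
    return der_seq(der_seq(tbs))                                       # OCSPRequest { tbsRequest }

def parse_ocsp_request(request_der: bytes) -> dict:
    """The fields a responder extracts before querying the CA's status database."""
    tbs = der_children(der_read(request_der)[1])[0][1]                 # optionalSignature absent
    fields = dict(der_children(tbs))                                   # TBSRequest tags are unique
    cert_id = der_children(der_children(fields[0x30])[0][1])[0][1]     # first Request -> reqCert
    alg, name_hash, key_hash, serial = [v for _, v in der_children(cert_id)]
    out = {"hash_alg": oid_to_str(der_children(alg)[0][1]), "issuer_name_hash": name_hash,
           "issuer_key_hash": key_hash, "serial": int.from_bytes(serial, "big", signed=True),
           "nonce": None}
    if 0xA2 in fields:
        for _, ext in der_children(der_children(fields[0xA2])[0][1]):
            parts = der_children(ext)
            if oid_to_str(parts[0][1]) == NONCE_OID:
                out["nonce"] = der_read(parts[-1][1])[1]               # extnValue wraps an OCTET STRING
    return out

def cert_status(status_tlv: bytes) -> str:
    """certStatus CHOICE: good [0] NULL, revoked [1] RevokedInfo, unknown [2] NULL."""
    return {0x80: "good", 0xA1: "revoked", 0x82: "unknown"}.get(der_read(status_tlv)[0], "malformed")

# Constructed sample inputs, not real CA data.
ISSUER_NAME_DER = der_seq(der(0x31, der_seq(der_oid("2.5.4.3"), der(0x0C, b"Example Test CA"))))
ISSUER_KEY_BITS = bytes(range(64))
SERIAL = 0x0123456789ABCDEF

if __name__ == "__main__":
    req = build_ocsp_request(build_cert_id(ISSUER_NAME_DER, ISSUER_KEY_BITS, SERIAL), nonce=bytes(16))
    print(req.hex(), parse_ocsp_request(req), cert_status(b"\x80\x00"))
```

Sending the DER: RFC 6960 allows an HTTP POST with Content-Type application/ocsp-request and the bytes as the body, or a GET whose path is the URL-escaped base64 of the same bytes, to the responder URL taken from the certificate's AIA extension. A real client must then verify the response signature against the CA or delegated responder certificate, check thisUpdate/nextUpdate against the clock, and compare the echoed nonce (if the responder returned one) before it trusts the status; the CertStatus decoder above is only the last step of that.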

So is OCSP now ready to be applied everywhere? No. In fact, Chrome runs its own servers to maintain a curated set of revocation entries (what Google calls CRLSets), so the Chrome browser does not go to the CA to check whether a certificate has been revoked. CRL is the older technology and OCSP the newer one, but in essence OCSP solves the same problem as Google's own revocation server: checking the validity of certificates asynchronously, on a server rather than in the user's client, because the check itself has very high latency. In the author's tests, the response time from NetEase's server to Let's Encrypt was acceptable, but the delay to AsiaInfo's responder reached more than ten seconds. No client could tolerate that level of delay on every connection.

So it is essentially the same thing whether the business server does the check (stapling) or the browser vendor builds its own server to do it: the work moves off the end user's connection path. From a market point of view, Google's CRL server model is likely to be the one that is maintained in the end, because it is impossible to require every server to provide OCSP stapling, while the client will always need the result of this verification.
