What is OCSP Stapling?
To understand OCSP Stapling, you must first know about OCSP. OCSP (Online Certificate Status Protocol) is an internet protocol that checks the validity status of a certificate in real time. It is an alternative to CRLs (Certificate Revocation Lists). It is described in RFC 2560 - http://datatracker.ietf.org/doc/rfc2560/
OCSP is a real-time check of the status of a certificate and is fundamental to the design of Extended Validation SSL certificates.
When a user makes an https:// connection with your web server, their browser normally performs an OCSP check with the CA that issued the SSL certificate to confirm that the certificate has not been revoked. In some cases, this may create a momentary delay in the SSL handshake.
OCSP Stapling improves performance by placing a digitally signed and time-stamped OCSP response directly on the web server. This stapled OCSP response is refreshed at predefined intervals set by the CA. Because the response is already on the web server, the server can include it within the initial SSL handshake, so the user's browser does not need to make a separate external connection to the CA.
OCSP Stapling is outlined in RFC 6066 - http://datatracker.ietf.org/doc/rfc6066/
Note: When enabling and/or configuring OCSP Stapling on your servers, keep in mind that the OCSP request from your server to the CA must be allowed through your firewall.
- OCSP Stapling improves the connection speed of the SSL handshake by combining two requests into one. This cuts down on the time it takes to load an encrypted web page.
- OCSP Stapling helps maintain the privacy of the end user, as the user's browser makes no connection of its own to the CA for the OCSP request. Rather than seeing which websites a user has visited, the CA only sees OCSP requests from the web site, not from its users.
- There are scenarios where a computer has to connect to a portal or hotspot to access the internet but cannot complete the OCSP check, because access to the internet has not been granted yet. In these cases OCSP Stapling helps, as the OCSP status is provided by the hotspot or portal itself.
- OCSP Stapling is not yet supported by all browsers. If either the browser or the web server does not support OCSP Stapling, or does not have it enabled, it is simply not used and the validity status lookup automatically reverts to OCSP checking directly with the CA.
Support for OCSP Stapling by browser, platform and library:
- Version 8.0 and above
- Firefox: Enabled by default in version 3.0 and above
- Internet Explorer: Enabled by default in version 7.0 and above
- Safari: Enabled by default in Mac OS X 10.7 and above
- Google Chrome: Enabled by default
- Windows Server 2008: Kerberos client will request OCSP stapling when using PKINIT by default
- NSS (Network Security Services): Included in version 3.15 and above
- OpenSSL: Included in version 0.9.8h and above

Whether OCSP Stapling is supported is noted at the end of each certificate installation knowledge base article.