What is OCSP Stapling?

Question

What is OCSP Stapling?

Answer

In order to know what OCSP Stapling is, you must first know about OCSP. OCSP, or Online Certificate Status Protocol, is an Internet protocol that checks the validity status of a certificate in real time. It is an alternative to CRLs (Certificate Revocation Lists). It is described in RFC 2560 - http://datatracker.ietf.org/doc/rfc2560/

OCSP is a real-time check of the status of a certificate and is fundamental in the design of Extended Validation SSL certificates.

When a user makes an https:// connection with your web server, their browser normally performs an OCSP check with the CA that issued the SSL certificate to confirm that the certificate has not been revoked.  In some cases, this may create a momentary delay in the SSL handshake.

OCSP Stapling improves performance by placing a digitally signed and time-stamped copy of the OCSP response directly on the web server. This stapled OCSP response is then refreshed at predefined intervals set by the CA. The stapled OCSP response allows the web server to include the OCSP response within the initial SSL handshake, without the need for the user to make a separate external connection to the CA.

OCSP Stapling is outlined in RFC 6066 - http://datatracker.ietf.org/doc/rfc6066/

Note: When enabling and/or configuring OCSP Stapling on your servers, keep in mind that the OCSP request from your server to the CA must be allowed access through your firewall.
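Once stapling is enabled, the practical check is to open a TLS connection with the status_request extension and see whether the server returns a stapled response. The following script is an added example and is not part of the original article; it assumes the `openssl` command-line tool is installed, and the host name passed on the command line is a placeholder for your own server. The two sample outputs embedded in it are constructed to mirror what `openssl s_client -status` prints for a server that staples a "good" response and for one that staples nothing.

```shell
#!/bin/sh
# Added example (not from the original article): classify what a TLS server
# sends in the status_request extension (RFC 6066 OCSP stapling) by reading
# the text that `openssl s_client -status` prints.

# Pure function: takes the s_client output as $1 and prints one word.
# This is what the test below exercises, so it needs no network.
stapling_status_from_output() {
    out=$1
    if printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
        echo no-staple
        return 0
    fi
    if printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        # "Cert Status:" is the per-certificate verdict inside the response.
        status=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*Cert Status: //p' | head -n1)
        case $status in
            good)    echo stapled-good ;;
            revoked) echo stapled-revoked ;;
            unknown) echo stapled-unknown ;;
            *)       echo stapled-unparsed ;;
        esac
        return 0
    fi
    # Connection failed or the response block was not recognised.
    echo no-staple-info
}

# Live check against a host (needs network and openssl). Prints the
# classification, then the freshness window of the stapled response, which
# tells you when the server must have fetched a new one from the CA.
check_stapling() {
    host=$1; port=${2:-443}
    out=$(openssl s_client -connect "$host:$port" -servername "$host" -status </dev/null 2>/dev/null || true)
    stapling_status_from_output "$out"
    printf '%s\n' "$out" | grep -E 'This Update|Next Update' || true
}

# Constructed sample: s_client output for a server stapling a "good" response.
SAMPLE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Cert Status: good
    This Update: Jan  1 00:00:00 2024 GMT
    Next Update: Jan  8 00:00:00 2024 GMT
======================================'

# Constructed sample: s_client output for a server that staples nothing.
SAMPLE_NONE='OCSP response: no response sent'

if [ $# -ge 1 ]; then
    check_stapling "$1" "${2:-443}"
else
    echo "sample stapled:   $(stapling_status_from_output "$SAMPLE_STAPLED")"
    echo "sample no-staple: $(stapling_status_from_output "$SAMPLE_NONE")"
fi
```

Run it as `sh check_stapling.sh www.example.com` (a placeholder host). A result of `no-staple` on a server where stapling is configured usually points at the firewall issue in the note above: the server could not reach the CA's OCSP responder, so it has nothing to staple and clients fall back to querying the CA themselves. Enabling stapling itself is server specific (for instance `ssl_stapling on;` in nginx or `SSLUseStapling on` in Apache httpd); consult the installation article for your server.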

Advantages

  • OCSP Stapling improves the connection speed of the SSL handshake by combining two requests into one. This cuts down on the amount of time it takes to load an encrypted web page.
  • OCSP Stapling helps maintain the privacy of the end user, as the user's browser makes no connection to the CA for the OCSP request. Rather than seeing which websites a user has visited, the CA only sees OCSP requests from the web site, not from its users.
  • There are scenarios where a computer has to connect to a portal or hotspot to access the Internet, but it cannot complete the OCSP check (as access to the Internet hasn't been granted yet). In these cases, OCSP Stapling helps, as the OCSP status is provided by the hotspot or portal itself.

Disadvantages

  • OCSP Stapling is not yet supported by all browsers. If either the browser or the web server does not support OCSP Stapling, or does not have it enabled, then it simply is not used, and the validity status lookup automatically reverts to OCSP checking directly with the CA.

Browser/Client Support

  • Opera - Version 8.0 and above
  • Firefox - Enabled by default in version 3.0 and above
  • Internet Explorer - Enabled by default in version 7.0 and above
  • Safari - Enabled by default in Mac OS X 10.7 and above
  • Google Chrome - Enabled by default
  • Windows Server 2008 - Kerberos client will request OCSP stapling when using PKINIT by default
  • NSS (Network Security Services) - Included in version 3.15 and above
  • OpenSSL - Included in version 0.9.8h and above

Each certificate installation knowledge base article states at the end whether OCSP Stapling is supported for that server.
