Enable OCSP Stapling
Online Certificate Status Protocol (OCSP) stapling (RFC 6066) is a standard for delivering the revocation status of a certificate. Instead of each client sending an OCSP request to the OCSP responder of the Certificate Authority, as in the original OCSP design, a server with OCSP stapling enabled queries the OCSP responder itself at regular intervals, obtains a signed, time-stamped OCSP response, and passes that response along with the certificate during the TLS/SSL handshake.
The following example configuration shows how to enable basic OCSP stapling in nevisProxy with the help of an ApacheConfigFilter:
<filter>
    <filter-name>OCSP</filter-name>
    <filter-class>ch::nevis::navajo::apglue::httpd_2_4_x::servlet::ApacheConfigFilter</filter-class>
    <filter-lib>libApache2_4_Servlet.so.1</filter-lib>
    <init-param>
        <param-name>ServerConfig</param-name>
        <param-value>
            SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
            SSLUseStapling on
        </param-value>
    </init-param>
</filter>
For additional directives and further information, see Apache’s guide on OCSP Stapling.
OCSP Caching Proxy
Note that Apache fetches OCSP responses on demand; currently, no prefetch mechanism is supported. If the OCSP responder is unavailable when Apache tries to fetch an OCSP response, client requests are paused until the responder answers. You can limit how long Apache waits for the OCSP request with the SSLStaplingResponderTimeout directive.
This behavior can heavily reduce the usability of nevisProxy. Therefore, we recommend using a solution like an OCSP caching proxy, for example ocsp_proxy. A caching proxy forwards the request to the corresponding OCSP responder or returns the OCSP response from its cache. Such a proxy also helps you mitigate unreliable OCSP responders or bridge a server restart.
OCSP stapling using the Apache module mod_md
The Apache module mod_md offers an alternative OCSP stapling implementation. It works with managed certificates as well as with certificates you configure yourself.
The following example shows how to enable OCSP stapling with mod_md:
<filter>
    <filter-name>LoadModuleFilter</filter-name>
    <filter-class>ch:nevis:navajo:apglue:httpd_${HTTPD_LIB_VERSION}_x:servlet:ApacheConfigFilter</filter-class>
    <init-param>
        <param-name>ServerConfig</param-name>
        <param-value>
            LoadModule md_module /opt/nevisproxy/lib/libmodmd_ap_${HTTPD_LIB_VERSION}.so.1
            MDStapling on
            MDStapleOthers on
        </param-value>
    </init-param>
</filter>
For more information, see the Apache documentation.
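Whichever of the two configurations above you use, confirm from the outside that nevisProxy really delivers a stapled response, and notice when it degrades during a responder outage as described in the OCSP Caching Proxy section. The following script is an added example and not part of the nevisProxy documentation; it classifies the output of openssl s_client -status, and the host name and port are assumptions.

```shell
#!/bin/sh
# Added example (not nevisProxy code): check whether a TLS endpoint staples an OCSP
# response by classifying the output of `openssl s_client -status`.

# "stapled" when a successful OCSP response was delivered in the handshake,
# "absent" when the server sent no status at all, "failed" for anything else
# (for example "OCSP Response Status: tryLater" while the responder is down).
classify_stapling() {
    if printf '%s\n' "$1" | grep -q 'OCSP Response Status: successful'; then
        echo stapled
    elif printf '%s\n' "$1" | grep -q 'OCSP response: no response sent'; then
        echo absent
    else
        echo failed
    fi
}

# Certificate status ("good", "revoked", "unknown") from a stapled response;
# prints nothing when no response was stapled.
stapled_cert_status() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Cert Status: *//p' | head -n 1
}

# Live check: connect with SNI, ask for the status_request extension, classify.
# Needs network access and the openssl CLI; "Q" closes the session after the handshake.
check_stapling() {
    host="$1"; port="${2:-443}"
    out=$(printf 'Q\n' | openssl s_client -connect "$host:$port" -servername "$host" -status 2>/dev/null)
    st=$(stapled_cert_status "$out")
    printf '%s %s\n' "$(classify_stapling "$out")" "${st:-n/a}"
}

# Constructed sample outputs (trimmed to the relevant lines) so the functions run offline.
SAMPLE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan  1 00:00:00 2024 GMT
    Next Update: Jan  8 00:00:00 2024 GMT
======================================'
SAMPLE_NONE='OCSP response: no response sent'

# Assumed usage against a real endpoint: sh check_stapling.sh proxy.example.com 443
if [ -n "${1:-}" ]; then
    check_stapling "$1" "${2:-443}"
fi
```

A result of "absent" means the status_request extension was answered with nothing, so a client that expects stapling will fall back to its own OCSP lookup or fail, depending on its policy.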