OCSP Stapling: how does this technology work?

The term "web traffic encryption" refers to the process of making data transmission more secure. Encryption alone, however, is not enough unless additional security measures are in place, such as checking the status of the SSL certificate. The certificate must not be revoked or expired; otherwise it is treated as invalid and is not trusted.

How can a browser verify that a certificate is valid and trusted? There is only one way to do so: ask the certificate's issuer, i.e., the certification authority (CA), which holds the status information for every certificate it has previously issued.

Web browsers can check the validity of an SSL certificate using OCSP (Online Certificate Status Protocol). OCSP Stapling builds on this feature: instead of the browser asking the CA, the web server itself obtains a copy of the certification authority's signed response and forwards it directly to the browser.

OCSP Stapling lets the browser determine the validity of the SSL certificate quickly and securely. Validating an SSL certificate with OCSP Stapling consists of the following steps:

Step 1. The web server hosting the SSL-protected website sends an OCSP request to the certification authority. The CA returns a response containing the current status of the SSL certificate together with a signed timestamp. Because the response is signed by the CA, the web server cannot alter it in any way.

Step 2. The visitor's browser establishes a connection with the server. At this point the server attaches ("staples") the signed, timestamped response received from the CA to the SSL certificate it presents.

Step 3. The browser validates the timestamp and confirms that the response was signed by the certificate's issuer; the certificate can therefore be trusted.

Step 4. If the SSL certificate is valid and trusted, the browser opens the requested web page. Otherwise, the user receives an error message.

This approach moves the load of certificate status lookups away from the certification authority and onto the web host. As a result, SSL connections are established faster, which helps keep sensitive user information out of the wrong hands.

What are the main advantages of OCSP Stapling Technology?

OCSP Stapling is mainly used to achieve the following advantages:

  • Guaranteed security and privacy of user data
  • Faster loading of protected content, because browsers do not need to make additional requests to the CA
  • Bandwidth saved on the client side, an advantage for mobile users
  • Increased trust and customer satisfaction due to faster delivery of protected content

How to enable OCSP Stapling

All modern browsers support OCSP Stapling. To enable OCSP Stapling in Apache and Nginx, follow the steps below:

Enabling OCSP Stapling in Apache

To enable OCSP Stapling in Apache, use the SSLUseStapling directive. When it is enabled, mod_ssl includes the OCSP response for the SSL certificate in the TLS handshake. Configuring SSLStaplingCache is a prerequisite: without it, stapling cannot be enabled.

Step 1. Edit the VirtualHost of your site. Add the following directive inside the <VirtualHost> ... </VirtualHost> block:

SSLUseStapling on

Step 2. Outside the <VirtualHost> ... </VirtualHost> block (above or below it), insert the following line:

SSLStaplingCache shmcb:/tmp/stapling_cache(128000)

Step 3. Check the configuration syntax:

apachectl -t

Step 4. Restart (reload) Apache so the change takes effect:

service apache2 reload

Enabling OCSP Stapling in Nginx

To enable OCSP Stapling in Nginx, use the ssl_stapling directive.

Step 1. Edit the configuration file for your site. Inside the server { } block, add the following directives:

ssl_stapling on;

ssl_stapling_verify on;

Step 2 (optional). Add a DNS resolver (here, Google Public DNS). If you do not specify one, the server's own DNS settings are used.

resolver 8.8.4.4 8.8.8.8;

Step 3. Check the configuration syntax:

nginx -t

Step 4. Restart Nginx:

systemctl restart nginx
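As an added post-configuration check that is not part of the original article, the following POSIX shell script reports whether a server actually staples an OCSP response after either the Apache or the Nginx setup above. The sample outputs embedded in it are constructed to resemble what `openssl s_client -status` prints, and check_host is a hypothetical helper that needs network access and is therefore not run here.

```shell
#!/bin/sh
# Added example (not from the original article): report whether a TLS server
# staples an OCSP response, as a check after enabling SSLUseStapling (Apache)
# or ssl_stapling (Nginx). parse_stapling_status() classifies the text printed
# by `openssl s_client -status`; check_host() runs that command against a host.

parse_stapling_status() {
  # Reads s_client output on stdin and prints one of:
  #   stapled-good | stapled-revoked | stapled-unknown | stapled-error | no-staple
  # Exit status is 0 only for stapled-good.
  out=$(cat)
  case "$out" in
    *"OCSP response: no response sent"*)  echo "no-staple";       return 1 ;;
  esac
  case "$out" in
    *"OCSP Response Status: successful"*) ;;
    *)                                    echo "stapled-error";   return 1 ;;
  esac
  case "$out" in
    *"Cert Status: good"*)                echo "stapled-good";    return 0 ;;
    *"Cert Status: revoked"*)             echo "stapled-revoked"; return 1 ;;
    *)                                    echo "stapled-unknown"; return 1 ;;
  esac
}

check_host() {
  # Usage: check_host example.com [443]  (hypothetical helper; needs network access).
  # A server that was only just restarted may not have fetched a response yet; retry once.
  openssl s_client -connect "$1:${2:-443}" -servername "$1" -status </dev/null 2>/dev/null \
    | parse_stapling_status
}

# Constructed samples shaped like `openssl s_client -status` output (not real captures).
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan  1 00:00:00 2024 GMT
    Next Update: Jan  8 00:00:00 2024 GMT
======================================'
SAMPLE_NO_STAPLE='CONNECTED(00000003)
OCSP response: no response sent'

printf '%s\n' "$SAMPLE_STAPLED" | parse_stapling_status
printf '%s\n' "$SAMPLE_NO_STAPLE" | parse_stapling_status || echo "(stapling is off or not yet fetched)"
```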

If you are looking for a reliable place to order an SSL certificate from a trusted certificate authority, you are always welcome to visit the LeaderSSL store. You will find a wide variety of trustworthy SSL certificates, both for owners of small sites and for large organizations and web shops.
