Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...


Daniel Nashed

OCSP stapling and why it matters -- Improve your HTTPS performance

Daniel Nashed – 30 January 2021 08:16:04

In one of my last posts I checked the Domino server HTTPS security rating.

One of the features I configured was OCSP stapling, which leads to a better rating.


But why is OCSP stapling important and how can you check your server on your own?

There is a great post in the Cloudflare blog explaining in detail why it is important and what they are doing to make their service more reliable for OCSP stapling.


In short


OCSP in general is used by web browsers to check the revocation status of a certificate.

With OCSP stapling the web server itself delivers a signed OCSP status for the certificate it uses.


This saves the browser from having to query the OCSP responder directly.
And if the OCSP provider runs into performance issues or is not available at all, your browser can still verify the certificate status.


So this makes your web server a bit more independent of your CA's OCSP responders.

And in the case of free CAs like Let's Encrypt, we should be nice to them and reduce the load on their servers!


For more details check the following great article:


https://blog.cloudflare.com/high-reliability-ocsp-stapling/


How to enable OCSP Stapling in Domino


My tests have shown that just enabling the setting SSL_ENABLE_OCSP_STAPLING=1 isn't sufficient.
I have not been able to get it working without specifying the OCSP responder URL.

You also have to provide the right OCSP responder URL.

The address is part of your certificate and can be found using openssl, as the following example shows.


openssl x509 -in pluto.pem -noout -ocsp_uri
http://r3.o.lencr.org

notes.ini

set config SSL_ENABLE_OCSP_STAPLING=1
set config OCSP_RESPONDER=http://r3.o.lencr.org

After restarting the HTTP task you can query the OCSP stapling status via openssl (see below).

I also added the command to directly query the responder URL. This can be helpful for troubleshooting.

Note:
The notes.ini parameter OCSP_RESPONDER needs to be set to enable the functionality.
But it only defines the default responder, which is used if no responder URL is found in the certificate.
Today most certificates, like those from Let's Encrypt, contain the OCSP responder information.
Domino reads that information and only uses the default if none is found.

-- Daniel



openssl s_client -connect pluto.csi-domino.com:443 -tlsextdebug -status

OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = R3
    Produced At: Jan 27 05:26:00 2021 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 48DAC9A0FB2BD32D4FF0DE68D2F567B735F9B3C4
      Issuer Key Hash: 142EB317B75856CBAE500940E61FAF9D8B14C2C6
      Serial Number: 048635D3302F808EBEFDC34DF8244BDAEDD5
    Cert Status: good
    This Update: Jan 27 05:00:00 2021 GMT
    Next Update: Feb  3 05:00:00 2021 GMT

    Signature Algorithm: sha256WithRSAEncryption
         ...



openssl ocsp -issuer ca.pem -cert pluto.pem -text -url http://r3.o.lencr.org

OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 48DAC9A0FB2BD32D4FF0DE68D2F567B735F9B3C4
          Issuer Key Hash: 142EB317B75856CBAE500940E61FAF9D8B14C2C6
          Serial Number: 048635D3302F808EBEFDC34DF8244BDAEDD5
    Request Extensions:
        OCSP Nonce:
            0410093C4B73A38E0046F6FC1195B1E810C7
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = R3
    Produced At: Jan 27 05:26:00 2021 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 48DAC9A0FB2BD32D4FF0DE68D2F567B735F9B3C4
      Issuer Key Hash: 142EB317B75856CBAE500940E61FAF9D8B14C2C6
      Serial Number: 048635D3302F808EBEFDC34DF8244BDAEDD5
    Cert Status: good
    This Update: Jan 27 05:00:00 2021 GMT
    Next Update: Feb  3 05:00:00 2021 GMT

    Signature Algorithm: sha256WithRSAEncryption
         ...

WARNING: no nonce in response
Response verify OK
pluto.pem: good
        This Update: Jan 27 05:00:00 2021 GMT
        Next Update: Feb  3 05:00:00 2021 GMT
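To turn the manual openssl check into something a monitoring job can run, here is an added example (my own code, not from the post or from Domino) that parses the output of `openssl s_client -status` and reports whether a stapled response is present, good, and still inside its This Update / Next Update window. The sample transcripts are constructed after the output above, and fetch_status is a hypothetical wrapper around the same openssl command.

```python
"""Parse `openssl s_client -connect host:443 -status` output and report
whether a stapled OCSP response is present, good, and still fresh."""
import re
import subprocess
from datetime import datetime, timezone

# Timestamp format openssl prints for OCSP fields, e.g. "Feb  3 05:00:00 2021 GMT"
OPENSSL_TIME = "%b %d %H:%M:%S %Y GMT"

# Constructed samples modelled on the transcripts above (not live captures)
STAPLED_GOOD = """\
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
    This Update: Jan 27 05:00:00 2021 GMT
    Next Update: Feb  3 05:00:00 2021 GMT
======================================
"""
NOT_STAPLED = "OCSP response: no response sent\n"

def parse_openssl_time(value):
    # strptime's whitespace handling absorbs the double space in "Feb  3"
    return datetime.strptime(value, OPENSSL_TIME).replace(tzinfo=timezone.utc)

def _field(output, name):
    m = re.search(r"^\s*" + re.escape(name) + r":\s*(.+?)\s*$", output, re.M)
    return m.group(1) if m else None

def check_stapled_ocsp(output, now=None):
    """Summarise one transcript: stapled? status? inside the validity window?"""
    now = now or datetime.now(timezone.utc)
    if "OCSP Response Data:" not in output:
        # openssl prints "OCSP response: no response sent" when nothing is stapled
        return {"stapled": False, "status": None, "fresh": False}
    this_update = parse_openssl_time(_field(output, "This Update"))
    next_update = parse_openssl_time(_field(output, "Next Update"))
    return {"stapled": True, "status": _field(output, "Cert Status"),
            "fresh": this_update <= now <= next_update,
            "this_update": this_update, "next_update": next_update}

def fetch_status(host, port=443):
    """Hypothetical wrapper: run the openssl check from the post against a live host."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-servername", host, "-status"]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=20)
    return check_stapled_ocsp(proc.stdout.decode(errors="replace"))
```

A stapled response that is "good" but past its Next Update is the case worth alerting on, since browsers will fall back to asking the responder themselves.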


