Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

    OCSP stapling and why it matters -- Improve your HTTPS performance

    Daniel Nashed  30 January 2021 09:16:04

    In one of my last posts I checked the Domino server HTTPS security rating.

    One of the features I configured was the OCSP stapling, which leads to a better rating.


    But why is OCSP stapling important and how can you check your server on your own?

    There is a great post on the Cloudflare blog explaining in detail why it is important and what they are doing to make their service more reliable for OCSP stapling.


    In short:


    OCSP in general is used by web browsers to check the revocation status of a certificate.

    With OCSP stapling the web server itself delivers a signed OCSP status for the certificate it uses, as part of the TLS handshake.


    This saves the browser from having to query the OCSP responder directly.
    And if the OCSP responder runs into performance problems or is not available at all, your browser can still verify the certificate status.


    So this makes your web server a bit more independent from your CA's OCSP responders.

    And in the case of free CAs like Let's Encrypt, we should be nice to them and reduce the load on their servers!


    For more details check the following great article:


    https://blog.cloudflare.com/high-reliability-ocsp-stapling/


    How to enable OCSP Stapling in Domino


    My tests have shown that just enabling the setting SSL_ENABLE_OCSP_STAPLING=1 isn't sufficient.
    I have not been able to get it working without specifying the OCSP responder URL.

    You also have to provide the right OCSP responder URL.

    The address is part of your certificate and can be found using openssl, as the following example shows.


    openssl x509 -in pluto.pem -noout -ocsp_uri

    http://r3.o.lencr.org

    notes.ini


    set config SSL_ENABLE_OCSP_STAPLING=1

    set config OCSP_RESPONDER=http://r3.o.lencr.org

    After restarting the HTTP task you can query the OCSP stapling status via openssl (see below).

    I also added the command to directly query the responder URL. This can be helpful for troubleshooting.

    Note:
    The notes.ini parameter OCSP_RESPONDER needs to be set to enable the functionality.
    But it only defines the default responder, used if no responder URL is found in the certificate.
    Today most certificates (Let's Encrypt's, for example) contain the OCSP responder information.
    Domino reads that information and only falls back to the default if none is found.

    -- Daniel



    openssl s_client -connect pluto.csi-domino.com:443 -tlsextdebug -status


    OCSP Response Data:

       OCSP Response Status: successful (0x0)

       Response Type: Basic OCSP Response

       Version: 1 (0x0)

       Responder Id: C = US, O = Let's Encrypt, CN = R3

       Produced At: Jan 27 05:26:00 2021 GMT

       Responses:

       Certificate ID:

         Hash Algorithm: sha1

         Issuer Name Hash: 48DAC9A0FB2BD32D4FF0DE68D2F567B735F9B3C4

         Issuer Key Hash: 142EB317B75856CBAE500940E61FAF9D8B14C2C6

         Serial Number: 048635D3302F808EBEFDC34DF8244BDAEDD5

       Cert Status: good

       This Update: Jan 27 05:00:00 2021 GMT

       Next Update: Feb  3 05:00:00 2021 GMT


       Signature Algorithm: sha256WithRSAEncryption

            ...



    openssl ocsp -issuer ca.pem -cert pluto.pem -text -url http://r3.o.lencr.org
    OCSP Request Data:

       Version: 1 (0x0)

       Requestor List:

           Certificate ID:

             Hash Algorithm: sha1

             Issuer Name Hash: 48DAC9A0FB2BD32D4FF0DE68D2F567B735F9B3C4

             Issuer Key Hash: 142EB317B75856CBAE500940E61FAF9D8B14C2C6

             Serial Number: 048635D3302F808EBEFDC34DF8244BDAEDD5

       Request Extensions:

           OCSP Nonce:

               0410093C4B73A38E0046F6FC1195B1E810C7

    OCSP Response Data:

       OCSP Response Status: successful (0x0)

       Response Type: Basic OCSP Response

       Version: 1 (0x0)

       Responder Id: C = US, O = Let's Encrypt, CN = R3

       Produced At: Jan 27 05:26:00 2021 GMT

       Responses:

       Certificate ID:

         Hash Algorithm: sha1

         Issuer Name Hash: 48DAC9A0FB2BD32D4FF0DE68D2F567B735F9B3C4

         Issuer Key Hash: 142EB317B75856CBAE500940E61FAF9D8B14C2C6

         Serial Number: 048635D3302F808EBEFDC34DF8244BDAEDD5

       Cert Status: good

       This Update: Jan 27 05:00:00 2021 GMT

       Next Update: Feb  3 05:00:00 2021 GMT


       Signature Algorithm: sha256WithRSAEncryption

            ...


    WARNING: no nonce in response

    Response verify OK

    pluto.pem: good

           This Update: Jan 27 05:00:00 2021 GMT

           Next Update: Feb  3 05:00:00 2021 GMT
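    The two openssl commands above show you the staple once; what you usually want in operations is a check you can run regularly that tells you whether the server is stapling at all, whether the stapled status is "good", and whether the response is still inside its This Update / Next Update window (a Domino server that stops refreshing the staple would otherwise keep sending a stale one until clients reject it). The following Python script is an added example, not code from this post or from HCL: it parses the OCSP section of the `openssl s_client -status` output as shown above and classifies it. The sample output embedded in it is a constructed copy of the response printed above, the field names it looks for are the ones OpenSSL prints, and the 24-hour warning threshold is an assumption you can tune.

```python
"""Evaluate the OCSP staple a TLS server sends, from `openssl s_client -status` output."""
import re
import subprocess
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample: the OCSP part of the `openssl s_client -status` output shown
# in the post, reproduced here so the check can be run without network access.
SAMPLE_STAPLED = """\
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = R3
    Produced At: Jan 27 05:26:00 2021 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 48DAC9A0FB2BD32D4FF0DE68D2F567B735F9B3C4
      Issuer Key Hash: 142EB317B75856CBAE500940E61FAF9D8B14C2C6
      Serial Number: 048635D3302F808EBEFDC34DF8244BDAEDD5
    Cert Status: good
    This Update: Jan 27 05:00:00 2021 GMT
    Next Update: Feb  3 05:00:00 2021 GMT
    Signature Algorithm: sha256WithRSAEncryption
"""

# Constructed sample: what s_client prints when the server staples nothing at all.
SAMPLE_NO_STAPLE = "OCSP response: no response sent\n"

# The fields OpenSSL prints that matter for the decision.
FIELD_RE = re.compile(
    r"^\s*(OCSP Response Status|Responder Id|Cert Status|This Update|Next Update):\s*(.*?)\s*$",
    re.MULTILINE,
)
# Assumed threshold: alert this long before Next Update so the staple gets refreshed in time.
WARN_BEFORE_EXPIRY = timedelta(hours=24)


def parse_openssl_time(value):
    """Parse OpenSSL's 'Jan 27 05:00:00 2021 GMT' (note the padded day in 'Feb  3')."""
    compact = re.sub(r"\s+", " ", value)
    return datetime.strptime(compact, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def parse_staple(text):
    """Return the relevant OCSP fields as a dict, or None if no response was stapled."""
    if "OCSP Response Data:" not in text:
        return None
    return {key: val for key, val in FIELD_RE.findall(text)}


def assess_staple(text, now):
    """Classify the staple at time `now` (timezone-aware UTC). Returns (ok, verdict)."""
    fields = parse_staple(text)
    if fields is None:
        return False, "no_response"          # stapling not enabled or not working
    if not fields.get("OCSP Response Status", "").startswith("successful"):
        return False, "responder_error"      # e.g. tryLater / unauthorized from the CA
    status = fields.get("Cert Status", "unknown")
    if status != "good":
        return False, "cert_status_" + status  # revoked or unknown certificate
    this_update = parse_openssl_time(fields["This Update"])
    next_update = parse_openssl_time(fields["Next Update"])
    if now < this_update:
        return False, "not_yet_valid"        # clock skew between server and responder
    if now > next_update:
        return False, "stale"                # server kept an expired response
    if next_update - now < WARN_BEFORE_EXPIRY:
        return True, "expiring_soon"         # still valid, but refresh should happen soon
    return True, "ok"


def check_staple(text, now_utc="2021-01-28 12:00:00"):
    """Convenience wrapper taking the reference time as 'YYYY-MM-DD HH:MM:SS' in UTC."""
    now = datetime.strptime(now_utc, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return assess_staple(text, now)


def fetch_staple(host, port=443):
    """Run `openssl s_client -status` against a live host (needs openssl and network).
    -servername sends SNI, so with Domino internet sites you check that site's certificate."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host, "-status"],
        input=b"", capture_output=True, timeout=30,
    )
    return proc.stdout.decode(errors="replace")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        output, now = fetch_staple(sys.argv[1]), datetime.now(timezone.utc)
    else:
        output, now = SAMPLE_STAPLED, datetime(2021, 1, 28, 12, 0, tzinfo=timezone.utc)
    ok, verdict = assess_staple(output, now)
    print(("OK " if ok else "FAIL ") + verdict)
    sys.exit(0 if ok else 1)
```

    Run it without arguments to see it classify the embedded sample, or with a host name to check a live server; the non-zero exit code makes it easy to hook into a cron job or monitoring probe. One caveat on the direct `openssl ocsp` query above: the "WARNING: no nonce in response" line only means the responder did not echo the request nonce (Let's Encrypt's responders serve pre-produced responses and do not support nonces), which is harmless because the verification relies on the responder's signature and the This Update / Next Update window.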



    Comments

    1Daniel Reichelt  08.02.2021 7:45:03  OCSP stapling and why it matters -- Improve your HTTPS performance

    And what's, if you are using internet sites and more than one certificate with different OCSP responder URLs?

    2David Vosswinkel  09.02.2021 9:36:43  OCSP stapling and why it matters -- Improve your HTTPS performance

    I added

    SSL_ENABLE_OCSP_STAPLING=1

    OCSP_RESPONDER={ Link }

    to notes.ini of Domino and restarted.

    I am using Domino 12 Beta, Windows and Let's Encrypt.

    Now according to ssllabs:

    Revocation status Validation error

    OCSP ERROR: Exception: connect timed out [{ Link }

    Any idea?
