Enable OCSP stapling on Apache2

This post explains how to enable OCSP stapling on an Apache2 webserver. By including the CA-signed revocation status of your certificate in the TLS handshake, the browser immediately knows whether your certificate is revoked or not. Without this information, the browser would have to make its own OCSP request to an OCSP responder to obtain it.

OCSP stapling (the Certificate Status Request extension) is defined in section 3.6 of RFC 4366.

Implementing OCSP stapling speeds up connection setup in the browser by removing an outbound connection it would otherwise have to make. OCSP responses are generally valid for a couple of days, so your webserver has to refresh the OCSP response before its validity period expires. If you have a firewall that filters outbound traffic from your Apache2 server, make sure that traffic to the OCSP responder is allowed; otherwise the server cannot obtain a fresh response to staple.

Changing your apache2 vhost definition

In the <VirtualHost *:443> block of your SSL website, add the following lines.

# Enable OCSP stapling for this virtual host
SSLUseStapling on
# Give up on the OCSP responder after 5 seconds
SSLStaplingResponderTimeout 5
# Do not pass responder errors on to clients; simply staple nothing instead
SSLStaplingReturnResponderErrors off

In the ssl module config file, add this line inside the <IfModule> block. SSLStaplingCache is a server-wide directive and cannot be placed inside a <VirtualHost>; without it, SSLUseStapling fails at startup.

SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_stapling(512000)

Now restart Apache:

# service apache2 restart

Make sure this command doesn’t return any errors. If it does, correct them before proceeding.

Testing OCSP stapling

Adapt the command below to your own webserver by replacing the hostname with yours.

openssl s_client -connect www.rivy.org:443 -status -servername www.rivy.org

Look for this in the output (if nothing was stapled, the output shows "OCSP response: no response sent" instead):

OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
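The check above is easy to do by eye once, but it is worth scripting so it can run from monitoring and catch the case where stapling silently stops working (for example because outbound access to the responder was blocked and the cached response expired). The following is an added example, not code from the original post: it parses the output of the same openssl s_client command for the stapled response, the certificate status and the "Next Update" time. The two sample outputs are constructed for offline use, the exit codes are my own convention, and probe_host is a hypothetical helper that runs the live command.

```shell
#!/bin/sh
# Added example (not from the original post): parse the output of
# `openssl s_client -status` to decide whether the server stapled an
# OCSP response, and report the certificate status and response expiry.

# Constructed sample: what s_client prints when stapling works.
SAMPLE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Cert Status: good
    This Update: Jan  1 00:00:00 2024 GMT
    Next Update: Jan  8 00:00:00 2024 GMT
======================================'

# Constructed sample: what s_client prints when nothing is stapled.
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain'

# check_stapled_ocsp: read s_client output on stdin and classify it.
# Exit codes (own convention): 0 = stapled and "good", 1 = nothing stapled,
#                              2 = stapled but status not "good",
#                              3 = no OCSP status found in the output.
check_stapled_ocsp() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        # Pull out the certificate status and the expiry of the stapled response
        status=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*Cert Status: //p' | head -n 1)
        next=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*Next Update: //p' | head -n 1)
        echo "stapled response present; cert status: ${status:-unknown}; next update: ${next:-unknown}"
        if [ "$status" = "good" ]; then
            return 0
        fi
        return 2
    fi
    if printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
        echo "no stapled OCSP response (check SSLUseStapling and outbound access to the responder)"
        return 1
    fi
    echo "no OCSP status found in output"
    return 3
}

# probe_host: hypothetical helper that runs the live check (needs network access).
probe_host() {
    host=$1
    openssl s_client -connect "$host:443" -status -servername "$host" </dev/null 2>/dev/null \
        | check_stapled_ocsp
}

# Offline demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_STAPLED" | check_stapled_ocsp
printf '%s\n' "$SAMPLE_NONE" | check_stapled_ocsp || true
```

To use it against a real server, call probe_host with your hostname and alert on any non-zero exit code. Exit code 1 is the one that matters most operationally: it means the server is no longer stapling, which is exactly what happens when the firewall blocks the responder and the cached response runs out.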

Alternatively, run an SSL Labs scan of your site and look for the OCSP stapling line in the report.

SSL Labs result with OCSP Stapling on Apache2