This post explains how to enable OCSP stapling on an Apache2 webserver. By including the signed revocation status of your certificate in the TLS handshake, the browser immediately knows whether your certificate is revoked or not. Without this information, the browser would have to make its own OCSP request to an OCSP responder to obtain it.
OCSP stapling is defined in section 3.6 of RFC 4366.
Implementing OCSP stapling speeds up the browser by reducing the number of outbound connections it has to make. OCSP responses are generally valid for a couple of days, so your webserver has to refresh the OCSP response before its validity period expires. If you have a firewall that filters outbound traffic from your Apache2 server, make sure that traffic to the OCSP responder is allowed.
Changing your apache2 vhost definition
In the <VirtualHost *:443> block of your SSL website, add the following lines:
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
In the SSL module config file, add this line between the <IfModule> tags.
Now restart Apache:
# service apache2 restart
Make sure this command doesn’t return any errors. If it does, correct them before proceeding.
Testing OCSP stapling
You can adapt the command below to your own webserver:
openssl s_client -connect www.rivy.org:443 -status -servername www.rivy.org
Look for this:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
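To turn the check above into something you can run repeatedly (for example from a monitoring job), here is an added shell example that is not part of the original post: it parses the output of the openssl s_client command for the stapled response and also checks the Cert Status line, because "Response Status: successful" only means the responder answered, not that the certificate is good. The sample outputs are constructed, and the live check assumes openssl is in your PATH.

```shell
#!/bin/sh
# check_stapling: read `openssl s_client -connect HOST:443 -status
# -servername HOST` output on stdin and print one verdict word. Because the
# vhost above uses SSLStaplingReturnResponderErrors off, a revoked
# certificate or a failed refresh by Apache shows up as "not-stapled".
check_stapling() {
  out=$(cat)
  case "$out" in
    *"OCSP response: no response sent"*) echo "not-stapled"; return 0 ;;
  esac
  if ! printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful (0x0)'; then
    echo "responder-error"; return 0
  fi
  # "successful" only means the responder answered; the certificate
  # status is on its own line and must be "good".
  if printf '%s\n' "$out" | grep -q 'Cert Status: good'; then
    echo "stapled-good"
  else
    echo "stapled-not-good"
  fi
}

# live_check HOST [PORT]: run the real handshake (assumes openssl in PATH)
# and succeed only when a good response is stapled.
live_check() {
  host=$1; port=${2:-443}
  verdict=$(openssl s_client -connect "$host:$port" -status \
              -servername "$host" </dev/null 2>/dev/null | check_stapling)
  echo "$host:$port $verdict"
  [ "$verdict" = "stapled-good" ]
}

# Constructed sample outputs (not captured from a real server).
SAMPLE_GOOD='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
======================================'
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent'
SAMPLE_REVOKED='OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: revoked'
printf '%s\n' "$SAMPLE_GOOD" | check_stapling     # prints stapled-good
printf '%s\n' "$SAMPLE_NONE" | check_stapling     # prints not-stapled
```

Run `live_check www.rivy.org` against your own host name to test a real server; a non-zero exit status means no good response was stapled.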
Alternatively, you can also run an SSL Labs scan and look for this output.