Tag Archives: ssl/tls

Enable OCSP stapling on Apache2

This post explains how to enable OCSP stapling on an Apache2 web server. With stapling, the server includes the CA's signed OCSP response for its own certificate in the TLS handshake, so the browser learns immediately whether the certificate has been revoked. Without it, the browser would have to contact the CA's OCSP responder itself during connection setup to obtain that information.

OCSP stapling is the TLS status_request extension, defined in section 3.6 of RFC 4366 (that RFC has since been obsoleted by RFC 6066, where the extension is described in section 8).

Implementing OCSP stapling speeds up page loads because the browser no longer has to open an extra connection to the OCSP responder, and it improves privacy because the CA no longer sees which sites a client visits. OCSP responses are generally valid for a few days (the response carries a nextUpdate time), so your web server has to fetch a fresh response from the responder before the current one expires; mod_ssl does this on its own, using the responder URL in the certificate's Authority Information Access extension. If you have a firewall that filters outbound traffic from your Apache2 server, make sure traffic from the server to the OCSP responder (normally plain HTTP on port 80) is allowed, otherwise the server will have nothing to staple.

Changing your apache2 vhost definition

In the <VirtualHost *:443> section of your SSL website add the following lines (the stapling directives exist in mod_ssl since httpd 2.3.3, so you need Apache 2.4). SSLStaplingReturnResponderErrors off means that only a response with certificate status "good" is stapled; responder errors, expired responses and "revoked" or "unknown" answers are discarded rather than passed to the client, which then falls back to its own OCSP lookup.

SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off

SSLStaplingCache is only valid in the server-wide configuration, not inside a <VirtualHost>. On Debian and Ubuntu that is /etc/apache2/mods-available/ssl.conf: add this line between the <IfModule mod_ssl.c> and </IfModule> tags.

SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_stapling(512000)

And now restart apache.

# service apache2 restart

Make sure this command doesn’t return any errors. If it does, correct them before proceeding.

Testing OCSP stapling

Adapt the hostname in the command below to your own web server. The -servername option sends the name via SNI so the right vhost is selected; type Ctrl-D (or redirect stdin from /dev/null) to close the connection once the handshake output has been printed.

openssl s_client -connect www.rivy.org:443 -status -servername www.rivy.org

Look for this in the output (a few lines further down, Cert Status: good confirms that the stapled response says the certificate is not revoked; if the server staples nothing, s_client prints "OCSP response: no response sent" instead):

OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
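To turn that visual check into something you can script, here is an added example (my code, not from the original post) that classifies the s_client output: stapled and good, stapled but not good, or nothing stapled. The hostname www.rivy.org is the one from the command above; the exit codes and the constructed sample outputs are this script's own.

```shell
#!/bin/sh
# Added example, not part of the original post: classify what
# `openssl s_client -status` reports about OCSP stapling.
#   parse_stapling  reads s_client output on stdin
#   check_stapling  runs openssl against a live host and parses the result
# Exit status: 0 = a response is stapled and says "good"
#              2 = a response is stapled but is not "good" (revoked, unknown,
#                  or a responder error passed through by the server)
#              3 = the server stapled nothing

parse_stapling() {
    out=$(cat)
    # s_client prints this line when no status_request answer was stapled
    if printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
        echo "no-staple"
        return 3
    fi
    # overall response status ("successful", or e.g. "unauthorized") and the
    # status of our certificate inside the response ("good", "revoked", "unknown")
    status=$(printf '%s\n' "$out" | sed -n 's/^ *OCSP Response Status: \([a-z]*\).*/\1/p' | head -n 1)
    cert=$(printf '%s\n' "$out" | sed -n 's/^ *Cert Status: \([a-z]*\).*/\1/p' | head -n 1)
    if [ "$status" = "successful" ] && [ "$cert" = "good" ]; then
        echo "good"
        return 0
    fi
    echo "bad:${status:-none}:${cert:-none}"
    return 2
}

check_stapling() {
    host=$1
    port=${2:-443}
    # </dev/null closes the connection right after the handshake instead of
    # leaving s_client waiting for input; -servername selects the vhost via SNI
    openssl s_client -connect "$host:$port" -servername "$host" -status \
        </dev/null 2>/dev/null | parse_stapling
}

# Constructed samples (abridged s_client output, not captured from a real server)
sample_stapled_good() {
    printf '%s\n' 'OCSP response:' \
        '======================================' \
        'OCSP Response Data:' \
        '    OCSP Response Status: successful (0x0)' \
        '    Response Type: Basic OCSP Response' \
        '    Cert Status: good' \
        '    This Update: Jan  1 00:00:00 2014 GMT'
}
sample_stapled_revoked() {
    printf '%s\n' 'OCSP Response Data:' \
        '    OCSP Response Status: successful (0x0)' \
        '    Cert Status: revoked'
}
sample_not_stapled() {
    printf '%s\n' 'CONNECTED(00000003)' 'OCSP response: no response sent'
}

sample_stapled_good | parse_stapling   # prints: good
# live check against a real server: check_stapling www.rivy.org
```

Run it as a cron job or from a monitoring check against your own host; a non-zero exit tells you the server has stopped stapling (for example because the firewall blocks the responder), which is exactly the condition that is otherwise invisible to you because browsers silently fall back to their own OCSP lookup.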

Alternatively, you can run an SSL Labs scan against the site and look for the OCSP stapling line in the report.

SSL Labs result with OCSP Stapling on Apache2

Enable HSTS in Apache2 SSL vhost

This tutorial explains how to enable HTTP Strict Transport Security (HSTS) in an Apache2 SSL vhost. HSTS is a response header with which a website instructs browsers to contact it only over HTTPS for a given period, and to treat certificate errors for it as fatal instead of offering a click-through. It's described in RFC 6797.

Enable HSTS header

As explained in the previous post, I was able to increase my SSL Labs rating from C to A by carefully instructing Apache2 which ciphers to use. We can increase the rating from A to A+ by adding the following configuration to the <VirtualHost> section of the vhost config.

Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"

Please note that includeSubDomains makes browsers use the HTTPS version of all your subdomains as well, for the whole max-age period (63072000 seconds is two years), so every subdomain must serve a valid certificate or it becomes unreachable for that long. Remove "; includeSubDomains" if that's not what you want. The Header directive needs mod_headers to be enabled, and the header only has an effect when it is sent over HTTPS: browsers ignore Strict-Transport-Security received over plain HTTP, which is why it belongs in the SSL vhost.
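An added example (my code, not from the original post) to verify the header from the outside: it fetches the response headers with curl, reports the max-age and whether includeSubDomains is set, and fails when the policy is missing or too short. The one-year minimum is this example's own assumption, not a figure from the post or from SSL Labs, and www.rivy.org is the host from the earlier post.

```shell
#!/bin/sh
# Added example, not part of the original post: check the
# Strict-Transport-Security header a server sends.
#   parse_hsts  reads raw HTTP response headers on stdin and prints
#               "<max-age> <includeSubDomains:yes|no>"
#   check_hsts  fetches the headers of https://<host>/ with curl and parses them
# Exit status: 0 = header present and max-age >= MIN_AGE
#              2 = header present but max-age below MIN_AGE
#              3 = header missing
# MIN_AGE defaults to one year; that threshold is this example's own choice,
# not a value from the post or from SSL Labs.
MIN_AGE=${MIN_AGE:-31536000}

parse_hsts() {
    # header names are case-insensitive; take the first occurrence, strip the
    # CR of the CRLF line ending and the "Name: " prefix
    hsts=$(tr -d '\r' | grep -i '^strict-transport-security:' | head -n 1 | sed 's/^[^:]*: *//')
    if [ -z "$hsts" ]; then
        echo "missing"
        return 3
    fi
    # directive names are case-insensitive too; max-age may be quoted (RFC 6797 section 6.1)
    age=$(printf '%s\n' "$hsts" | tr 'A-Z' 'a-z' | sed -n 's/.*max-age="\{0,1\}\([0-9]*\).*/\1/p')
    if printf '%s\n' "$hsts" | grep -qi 'includesubdomains'; then
        subs=yes
    else
        subs=no
    fi
    echo "${age:-0} $subs"
    [ "${age:-0}" -ge "$MIN_AGE" ] || return 2
    return 0
}

check_hsts() {
    # -s silent, -I HEAD request: only the response headers are printed
    curl -sI "https://$1/" | parse_hsts
}

# Constructed response headers (not captured from a real server)
sample_hsts_two_years() {
    printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\nStrict-Transport-Security: max-age=63072000; includeSubDomains\r\nContent-Type: text/html\r\n\r\n'
}
sample_hsts_one_day() {
    printf 'HTTP/1.1 200 OK\r\nstrict-transport-security: max-age=86400\r\n\r\n'
}
sample_no_hsts() {
    printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n'
}

sample_hsts_two_years | parse_hsts   # prints: 63072000 yes
# live check against a real server: check_hsts www.rivy.org
```

Because the script talks to the https:// URL, it also checks the header where browsers actually honour it; a policy that only appears on the plain-HTTP redirect would show up here as "missing".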

SSL Labs result

This is the new result of an SSL Labs scan.

SSL Labs result with HSTS in Apache2 SSL vhost