Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
Next revision Both sides next revision
litespeed_wiki:config:ocsp-stapling [2017/09/11 20:53]
Eric Leu [Method 2:] 		litespeed_wiki:config:ocsp-stapling [2020/07/14 18:22]
Jackson Zhang [For cPanel]
Line 1: Line 1:
 ====== OCSP Stapling ====== ====== OCSP Stapling ======
-Online Certificate Status Protocol (OCSP) was created as an alternative to the Certificate Revocation List (CRL) protocol. Both protocols are used to check whether an SSL Certificate has been revoked. The OCSP protocol ​does not require ​the browser to spend time downloading and then searching a list for certificate information. With OCSP, the browser simply posts a query and receives a response from an OCSP responder (a CA’s server that specifically listens for and responds to OCSP requests) about the revocation status of a certificate.+Online Certificate Status Protocol (OCSP) was created as an alternative to the Certificate Revocation List (CRL) protocol. Both protocols are used to check whether an SSL Certificate has been revoked. The CRL protocol ​requires ​the browser to spend time downloading and then searching a list for certificate information. With OCSP, the browser simply posts a query and receives a response from an OCSP responder (a Certificate Authority’s (CA'​s) ​server that specifically listens for and responds to OCSP requests) about the revocation status of a certificate.
  
-OCSP stapling can be used to enhance the OCSP protocol by letting the webhosting site be more proactive in improving the client (browsing) experience. OCSP stapling allows the certificate presenter (i.e. web server) to query the OCSP responder directly and then cache the response. This securely cached response is then delivered with the TLS/SSL handshake via the Certificate Status Request extension response, ensuring that the browser gets the same response performance for the certificate status as it does for the website content.+OCSP stapling can be used to enhance the OCSP protocol by letting the webhosting site be more proactive in improving the client (browsing) experience. OCSP stapling allows the certificate presenter (i.e. web server) to query the OCSP responder directly and then cache the response. This securely-cached response is then delivered with the TLS/SSL handshake via the Certificate Status Request extension response, ensuring that the browser gets the same response performance for the certificate status as it does for the website content.
  
  
-===== Requirements ​===== +===== LSWS version support ​===== 
-LSWS version support: \\+
 ^ LSWS Version ​                    ^ Through Apache config ​        ^ LSWS native configure ^ ^ LSWS Version ​                    ^ Through Apache config ​        ^ LSWS native configure ^
 | 5.1+               | v         | v        | | 5.1+               | v         | v        |
Line 12: Line 12:
 | 4.2-               | x         | x        | | 4.2-               | x         | x        |
  
 +===== Requirements =====
  
-  * Need non self-signed SSL Certificate +  * Non-self-signed SSL Certificate 
-  * Need enable port 443 for https +  * Port 443 enabled ​for https 
-  * For **Through ​Apache config** settings, HTTPD Server 2.3.3++  * If using Apache config, HTTPD Server 2.3.3+
  
 ===== Setup through Apache httpd.conf for 5.1.x and above ===== ===== Setup through Apache httpd.conf for 5.1.x and above =====
-Follow the same way as Apache through httpd.conf. ​Some external ​reference such as [[https://​www.digicert.com/​ssl-support/​apache-enable-ocsp-stapling-on-server.htm|Article 1]] or [[https://​support.globalsign.com/​customer/​portal/​articles/​1642333-apache---enable-ocsp-stapling| ​Article 2]]+Follow the same method ​as Apache through httpd.conf. ​See these external ​references for more information: ​[[https://​www.digicert.com/​ssl-support/​apache-enable-ocsp-stapling-on-server.htm|digicert.com]] or [[https://​support.globalsign.com/​customer/​portal/​articles/​1642333-apache---enable-ocsp-stapling| ​globalsign.com]]
  
 ==== For cPanel ==== ==== For cPanel ====
  
 +The latest cpanel/WHM server has enable OCSP automatically at /​etc/​apache2/​conf/​httpd.conf hence you don't need to do any extra work on it.
 +
 +    <​IfModule socache_shmcb_module>​
 +        SSLUseStapling On
 +        SSLStaplingCache shmcb:/​run/​apache2/​stapling_cache_shmcb(256000)
 +        # Prevent browsers from failing if an OCSP server is temporarily broken.
 +        SSLStaplingReturnResponderErrors off
 +        SSLStaplingErrorCacheTimeout 60
 +        SSLStaplingFakeTryLater off
 +        SSLStaplingResponderTimeout 3
 +        SSLSessionCache shmcb:/​run/​apache2/​ssl_gcache_data_shmcb(1024000)
 +    </​IfModule>​
 +
 +For an earlier version of cPanel/WHM, you can manually add **SSLStaplingCache ** and **SSLUseStapling on** directives to apache configuration.
 + 
 Add the following lines to: Add the following lines to:
   - For EA3: ''/​usr/​local/​apache/​conf/​includes/​pre_main_global.conf''​   - For EA3: ''/​usr/​local/​apache/​conf/​includes/​pre_main_global.conf''​
Line 31: Line 47:
 </​IfModule>​ </​IfModule>​
 </​code>​ </​code>​
- 
  
 Edit your site’s VirtualHost SSL configuration. Edit your site’s VirtualHost SSL configuration.
Line 48: Line 63:
 Apply these changes to all Virtual Hosts by running the following command: Apply these changes to all Virtual Hosts by running the following command:
   /​scripts/​ensure_vhost_includes --all-users  ​   /​scripts/​ensure_vhost_includes --all-users  ​
-  ​ 
- 
  
 +==== For Plesk ====
 +Plesk server has not enabled OCSP by default yet and still [[https://​support.plesk.com/​hc/​en-us/​articles/​360033765213-How-to-enable-OCSP-Stapling-and-HSTS-for-Plesk-panel-|feature request]] stage at the time of this writing. ​
  
 +As a workaround, add the following to /​etc/​sw-cp-server/​conf.d/​ssl.conf:​
 +  ​
 +  SSLStaplingCache shmcb:/​var/​run/​ocsp(128000)
 +  SSLUseStapling on
  
-===== Setup through LSWS native ​configure ​for 4.2.x or 5.0.x =====+===== Setup through LSWS native ​configuration ​for 4.2.x or 5.0.x =====
  
 ==== Set up a secure listener ==== ==== Set up a secure listener ====
  
-Add a listener (WebAdmin console > Configuration > Listeners > Add). +Add a listener (**WebAdmin console > Configuration > Listeners > Add**). 
  
 {{litespeed_wiki:​ocsp_add_listener.png?​700}} {{litespeed_wiki:​ocsp_add_listener.png?​700}}
  
-Make sure you click ''​Yes''​ under the Secure setting. (The other settings should be customized to listen to the correct IP and port for the virtual hosts this listener will be mapping to.)+Make sure you click ''​Yes''​ under the **Secure** setting. (The other settings should be customized to listen to the correct IP and port for the virtual hosts this listener will be mapping to.)
  
 {{litespeed_wiki:​ocsp_secure.png?​700}} {{litespeed_wiki:​ocsp_secure.png?​700}}
Line 67: Line 86:
 ==== Set up certificate files ==== ==== Set up certificate files ====
  
-Open up the listener again (View/​Edit). ​+Open up the listener again (**View/Edit**). 
  
 {{litespeed_wiki:​ocsp_added.png?​700}} {{litespeed_wiki:​ocsp_added.png?​700}}
  
-Under the SSL tab, enter the paths and locations for your certificates and key files. ​+Under the **SSL** tab, enter the paths and locations for your certificates and key files. ​
  
 {{litespeed_wiki:​ocsp_cert_settings.png?​700}} {{litespeed_wiki:​ocsp_cert_settings.png?​700}}
Line 77: Line 96:
 ==== Set the OCSP values ==== ==== Set the OCSP values ====
  
-To set up OCSP stapling, you must set Enable OCSP Stapling to "Yes". It is also better to put the address of your OCSP responder in the OCSP Responder field (though the server may be able to find it in your CA certificate). Check with your certificate authority (CAfor your OCSP responder'​s address.+To set up OCSP stapling, you must set **Enable OCSP Stapling** to ''​Yes''​. It is also better to put the address of your OCSP responder in the **OCSP Responder** field (though the server may be able to find it in your CA certificate). Check with your CA for your OCSP responder'​s address.
  
 {{litespeed_wiki:​ocsp_settings.png?​700}} {{litespeed_wiki:​ocsp_settings.png?​700}}
  
-==== Graceful restart ​to apply changes ​====+==== Graceful restart ==== 
 + 
 +Click the **Apply Changes** link to execute a graceful restart and apply your changes.
  
 ===== Did it work? ===== ===== Did it work? =====
 ====Method 1:==== ====Method 1:====
-Check in ''​$SERVER_ROOT/​temp/​ocspcache/''​. If a file has been created there, then your OCSP stapling is working. If not, check your error logs for what went wrong.+Check in ''​$SERVER_ROOT/​tmp/​ocspcache/''​. If a file has been created there, then your OCSP stapling is working. If not, check your error logs for what went wrong.
  
 ====Method 2:==== ====Method 2:====
-Use openssl command:  ​+Use the ''​openssl'' ​command:  ​
   openssl s_client -connect $Your_Domain:​443 -status   openssl s_client -connect $Your_Domain:​443 -status
-If OCSP stapling is working, it will show **ok**. Then check OCSP Response Status: should be **successful** in OCSP Response Data section\\  ​+If OCSP stapling is working, it will show ''​ok''​. Then check OCSP Response Status: should be ''​successful'' ​in OCSP Response Data section\\  ​
 {{:​litespeed_wiki:​config:​ocsp-2.png?​600|}} \\ {{:​litespeed_wiki:​config:​ocsp-2.png?​600|}} \\
  
Line 97: Line 118:
   - Open browser with URL ''​https://​cryptoreport.rapidssl.com''​   - Open browser with URL ''​https://​cryptoreport.rapidssl.com''​
   - key in your domain then check **OCSP stapling** status   - key in your domain then check **OCSP stapling** status
 +
 +===== Cached OCSP response =====
 +
 +OCSP response is cached for 1-day. If you change your SSL certificate provider and see a cached OCSP response for a domain, you can safely remove the cache files under OCSP cache folder, but not the folder itself. ​
  • Admin
  • Last modified: 2023/02/11 14:17
  • by Lisa Clarke