Differences

This shows you the differences between two versions of the page.

--- litespeed_wiki:config:ocsp-stapling [2017/09/11 18:41]
Eric Leu [Setup through LSWS native configure for 5.0.x and 4.2.x]
+++ litespeed_wiki:config:ocsp-stapling [2023/02/10 21:01]
Jackson Zhang
@@ Line 1: / Line 1: @@
 ====== OCSP Stapling ======
-Online Certificate Status Protocol (OCSP) was created as an alternative to the Certificate Revocation List (CRL) protocol. Both protocols are used to check whether an SSL Certificate has been revoked. The OCSP protocol does not require the browser to spend time downloading and then searching a list for certificate information. With OCSP, the browser simply posts a query and receives a response from an OCSP responder (a CA’s server that specifically listens for and responds to OCSP requests) about the revocation status of a certificate.
+Online Certificate Status Protocol (OCSP) was created as an alternative to the Certificate Revocation List (CRL) protocol. Both protocols are used to check whether an SSL Certificate has been revoked. The CRL protocol requires the browser to spend time downloading and then searching a list for certificate information. With OCSP, the browser simply posts a query and receives a response from an OCSP responder (a Certificate Authority’s (CA's) server that specifically listens for and responds to OCSP requests) about the revocation status of a certificate.
-OCSP stapling can be used to enhance the OCSP protocol by letting the webhosting site be more proactive in improving the client (browsing) experience. OCSP stapling allows the certificate presenter (i.e. web server) to query the OCSP responder directly and then cache the response. This securely cached response is then delivered with the TLS/SSL handshake via the Certificate Status Request extension response, ensuring that the browser gets the same response performance for the certificate status as it does for the website content.
+OCSP stapling can be used to enhance the OCSP protocol by letting the webhosting site be more proactive in improving the client (browsing) experience. OCSP stapling allows the certificate presenter (i.e. web server) to query the OCSP responder directly and then cache the response. This securely-cached response is then delivered with the TLS/SSL handshake via the Certificate Status Request extension response, ensuring that the browser gets the same response performance for the certificate status as it does for the website content.
-This article explains how to set up OCSP stapling. OCSP stapling speeds up the SSL verification process by attaching a pre-approved certificate to the SSL handshake response. This streamlines the process and removes burdens from the client and SSL certification authorities. For more information on OCSP stapling, see [[http://blog.litespeedtech.com/2013/07/03/the-openlitespeed-features-keep-coming-websocket-proxy-ocsp-stapling|our blog]].
-This article assumes that you already have the necessary certificate files and an OCSP responder. OCSP stapling is only available for LiteSpeed Web Server 4.2.4 and above.
+===== LSWS version support =====
-For 4.2.x and 5.0.x version, it can only be setup from LiteSpeed native configuration and not able to be set up through Apache configuration, such as httpd.conf file. If the virtual host configurations are setup on both Apache conf and LiteSpeed natively,  the native vhost can not override the vhost from Apache, as Apache vhosts are configured after the native vhosts, which may override the LiteSpeed native vhost settings. The corresponding vhost settings in Apache conf have to be removed.
+^ LSWS Version                     ^ Through Apache config         ^ LSWS native configure ^
+| 5.1+               | v         | v        |
+| 4.2.x or 5.0.x     | x         | v        |
+| 4.2-               | x         | x        |
-However, 5.1.x and above have added SSL OCSP Stapling support through Apache httpd.conf.
+===== Requirements =====
+  * Non-self-signed SSL Certificate
+  * Port 443 enabled for https
+  * If using Apache config, HTTPD Server 2.3.3+
 ===== Setup through Apache httpd.conf for 5.1.x and above =====
+Follow the same method as Apache through httpd.conf. See these external references for more information: [[https://www.digicert.com/ssl-support/apache-enable-ocsp-stapling-on-server.htm|digicert.com]] or [[https://support.globalsign.com/customer/portal/articles/1642333-apache---enable-ocsp-stapling| globalsign.com]]
+==== For cPanel ====
+=== OCSP enabled by default on latest WHM/cPanel ===
+The latest cpanel/WHM server has enable OCSP automatically at /etc/apache2/conf/httpd.conf hence you don't need to do any extra work on it.
+    <IfModule socache_shmcb_module>
+        SSLUseStapling On
+        SSLStaplingCache shmcb:/run/apache2/stapling_cache_shmcb(256000)
+        # Prevent browsers from failing if an OCSP server is temporarily broken.
+        SSLStaplingReturnResponderErrors off
+        SSLStaplingErrorCacheTimeout 60
+        SSLStaplingFakeTryLater off
+        SSLStaplingResponderTimeout 3
+        SSLSessionCache shmcb:/run/apache2/ssl_gcache_data_shmcb(1024000)
+    </IfModule>
+=== Earlier version of cPanel/WHM ===
+For an earlier version of cPanel/WHM, you can manually add **SSLStaplingCache ** and **SSLUseStapling on** directives to apache configuration.
+Add the following lines to:
+  - For EA3: ''/usr/local/apache/conf/includes/pre_main_global.conf''
+  - For EA4: ''/etc/apache2/conf.d/includes/pre_main_global.conf''
-Follow the same way as Apache through httpd.conf. Apache supports OCSP stapling in Apache HTTPD Server 2.3.3+. Some external reference such as [[https://www.digicert.com/ssl-support/apache-enable-ocsp-stapling-on-server.htm|this one]] or [[https://support.globalsign.com/customer/portal/articles/1642333-apache---enable-ocsp-stapling| the other]]
+<code>
+<IfModule Litespeed>
+SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
+</IfModule>
+</code>
 Edit your site’s VirtualHost SSL configuration.
-Add the following line INSIDE the <VirtualHost></VirtualHost> block:
+Add the following lines to:
+  - For EA3: ''/usr/local/apache/conf/userdata/lscache_vhosts.conf''
+  - For EA4: ''/etc/apache2/conf.d/userdata/lscache_vhosts.conf''
+(if these directories do not exist, create them).
+<code>
+<IfModule Litespeed>
   SSLUseStapling on
+</IfModule>
-Add the following line OUTSIDE the <VirtualHost></VirtualHost> block:
+</code>
-  SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
-For example:
+Apply these changes to all Virtual Hosts by running the following command:
+  /scripts/ensure_vhost_includes --all-users
-  SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
+==== For Plesk ====
-  <VirtualHost *:443>
+Plesk server has not enabled OCSP by default yet and still [[https://support.plesk.com/hc/en-us/articles/360033765213-How-to-enable-OCSP-Stapling-and-HSTS-for-Plesk-panel-|feature request]] stage at the time of this writing.
-   SSLEngine on
-   SSLProtocol all -SSLv3 -SSLv2
-   SSLCertificateFile /path/to/your_domain_name.crt
-   SSLCertificateKeyFile /path/to/your_private.key
-   SSLCertificateChainFile /path/to/DigiCertCA.crt
-   SSLUseStapling on
-  </VirtualHost>
+As a workaround, create a file named ''lsocsp.conf'' in the following directory depending upon your system:
+  * For CentOS, the ''/etc/httpd/conf.d/'' directory
+  * For Debian, the ''/etc/apache2/conf.d/'' directory
+  * For Ubuntu, Debian 11, the ''/etc/apache2/conf-enabled'' directory
-===== Setup through LSWS native configure for 4.2 or above =====
+This ''lsocsp.conf'' file should contain the following:
+<code>
+  <IfModule Litespeed>
+    SSLStaplingCache shmcb:/var/run/ocsp(128000)
+    SSLUseStapling on
+  </IfModule>
+</code>
+Then restart LSWS.
+===== Setup through LSWS native configuration =====
 ==== Set up a secure listener ====
-Add a listener (WebAdmin console > Configuration > Listeners > Add).
+Add a listener (**WebAdmin console > Configuration > Listeners > Add**).
 {{litespeed_wiki:ocsp_add_listener.png?700}}
-Make sure you click ''Yes'' under the Secure setting. (The other settings should be customized to listen to the correct IP and port for the virtual hosts this listener will be mapping to.)
+Make sure you click ''Yes'' under the **Secure** setting. (The other settings should be customized to listen to the correct IP and port for the virtual hosts this listener will be mapping to.)
 {{litespeed_wiki:ocsp_secure.png?700}}
@@ Line 51: / Line 97: @@
 ==== Set up certificate files ====
-Open up the listener again (View/Edit).
+Open up the listener again (**View/Edit**).
 {{litespeed_wiki:ocsp_added.png?700}}
-Under the SSL tab, enter the paths and locations for your certificates and key files.
+Under the **SSL** tab, enter the paths and locations for your certificates and key files.
 {{litespeed_wiki:ocsp_cert_settings.png?700}}
@@ Line 61: / Line 107: @@
 ==== Set the OCSP values ====
-To set up OCSP stapling, you must set Enable OCSP Stapling to "Yes". It is also better to put the address of your OCSP responder in the OCSP Responder field (though the server may be able to find it in your CA certificate). Check with your certificate authority (CA) for your OCSP responder's address.
+To set up OCSP stapling, you must set **Enable OCSP Stapling** to ''Yes''. It is also better to put the address of your OCSP responder in the **OCSP Responder** field (though the server may be able to find it in your CA certificate). Check with your CA for your OCSP responder's address.
 {{litespeed_wiki:ocsp_settings.png?700}}
-==== Graceful restart to apply changes ====
+==== Graceful restart ====
+Click the **Apply Changes** link to execute a graceful restart and apply your changes.
 ===== Did it work? =====
 ====Method 1:====
-Check in ''$SERVER_ROOT/temp/ocspcache/''. If a file has been created there, then your OCSP stapling is working. If not, check your error logs for what went wrong.
+Check in ''/dev/shm/lsws/ocspcache/'' for newer version or ''$SERVER_ROOT/tmp/ocspcache/'' for earlier version. If a file has been created there, then your OCSP stapling is working. If not, check your error logs for what went wrong.
+  /dev/shm/lsws/ocspcache>ls -alt | head; date
+  total 44
+  drwxr-x--- 4 nobody nobody 400 Jul 13 05:16 ..
+  drwx------ 2 nobody nobody 260 Jul 13 00:07 .
+  -rw------- 1 nobody nobody 472 Jul 13 00:07 Reacb027c3975b5e2d620bbb279008dad.rsp
+  -rw------- 1 nobody nobody 472 Jul 12 11:20 R46e10f27f45529e132faf1c78ff62725.rsp
+  -rw------- 1 nobody nobody 471 Jul 10 18:02 Re3a1d7181c38b68e517f80cbf4bd4e4e.rsp
+  -rw------- 1 nobody nobody 471 Jul 10 15:14 R053b55e8211ae3d02580bdd50b5b00b8.rsp
+  -rw------- 1 nobody nobody 471 Jul 10 14:09 Rf06839ee82080282fda44cd5633b3538.rsp
+  -rw------- 1 nobody nobody 471 Jul 10 13:33 Raf1ac6061835bfb1b4df9313b3b8e234.rsp
+  -rw------- 1 nobody nobody 472 Jul  8 14:58 R53fb6a7fcc1d8fd11c10a5b6c4ad15fc.rsp
+  Mon Jul 13 06:12:33 UTC 2020
 ====Method 2:====
-  openssl s_client -connect $Your_Domain:443 -status
+Use the ''openssl'' command:
-If OCSP stapling is working, it will show **ok**\\
+  openssl s_client -connect Your_Domain:443 -status | grep "OCSP Response Status"
-{{:litespeed_wiki:config:ocsp-2.png?600|}} \\
+If OCSP stapling is working, it will show ''ok''. Then check OCSP Response Status: should be ''successful'' in OCSP Response Data section\\
-OCSP Response Status: should be **successful** in OCSP Response Data section
+For example:
+  openssl s_client -connect litespeedtech.com:443 -status | grep "OCSP Response Status"
+  depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
+  verify return:1
+  depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
+  verify return:1
+  depth=0 CN = *.litespeedtech.com
+  verify return:1
+      OCSP Response Status: successful (0x0)
+==== Method 3:====
+  - access https://www.ssllabs.com/ssltest/index.html
+  - then search for "OCSP stapling".
+For example,
+  https://www.ssllabs.com/ssltest/analyze.html?d=litespeedtech.com
+  OCSP stapling   Yes
+===== Cached OCSP response =====
+OCSP response is cached for 1-day. If you change your SSL certificate provider and see a cached OCSP response for a domain, you can safely remove the cache files under OCSP cache folder, but not the folder itself.