Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
|
litespeed_wiki:config:ocsp-stapling [2017/11/29 15:28] Jackson Zhang [Cached OSCP response] |
litespeed_wiki:config:ocsp-stapling [2020/07/14 18:50] Jackson Zhang [For Plesk] |
||
|---|---|---|---|
| Line 22: | Line 22: | ||
| ==== For cPanel ==== | ==== For cPanel ==== | ||
| + | === OCSP enabled by default on latest WHM/cPanel === | ||
| + | The latest cpanel/WHM server has enable OCSP automatically at /etc/apache2/conf/httpd.conf hence you don't need to do any extra work on it. | ||
| + | <IfModule socache_shmcb_module> | ||
| + | SSLUseStapling On | ||
| + | SSLStaplingCache shmcb:/run/apache2/stapling_cache_shmcb(256000) | ||
| + | # Prevent browsers from failing if an OCSP server is temporarily broken. | ||
| + | SSLStaplingReturnResponderErrors off | ||
| + | SSLStaplingErrorCacheTimeout 60 | ||
| + | SSLStaplingFakeTryLater off | ||
| + | SSLStaplingResponderTimeout 3 | ||
| + | SSLSessionCache shmcb:/run/apache2/ssl_gcache_data_shmcb(1024000) | ||
| + | </IfModule> | ||
| + | |||
| + | === Earlier version of cPanel/WHM === | ||
| + | For an earlier version of cPanel/WHM, you can manually add **SSLStaplingCache ** and **SSLUseStapling on** directives to apache configuration. | ||
| + | |||
| Add the following lines to: | Add the following lines to: | ||
| - For EA3: ''/usr/local/apache/conf/includes/pre_main_global.conf'' | - For EA3: ''/usr/local/apache/conf/includes/pre_main_global.conf'' | ||
| Line 48: | Line 64: | ||
| Apply these changes to all Virtual Hosts by running the following command: | Apply these changes to all Virtual Hosts by running the following command: | ||
| /scripts/ensure_vhost_includes --all-users | /scripts/ensure_vhost_includes --all-users | ||
| - | | + | |
| + | ==== For Plesk ==== | ||
| + | Plesk server has not enabled OCSP by default yet and still [[https://support.plesk.com/hc/en-us/articles/360033765213-How-to-enable-OCSP-Stapling-and-HSTS-for-Plesk-panel-|feature request]] stage at the time of this writing. | ||
| + | |||
| + | As a workaround, add the following to /etc/sw-cp-server/conf.d/ssl.conf: | ||
| + | <IfModule Litespeed> | ||
| + | SSLStaplingCache shmcb:/var/run/ocsp(128000) | ||
| + | SSLUseStapling on | ||
| + | </IfModule> | ||
| ===== Setup through LSWS native configuration for 4.2.x or 5.0.x ===== | ===== Setup through LSWS native configuration for 4.2.x or 5.0.x ===== | ||
| Line 83: | Line 107: | ||
| ===== Did it work? ===== | ===== Did it work? ===== | ||
| ====Method 1:==== | ====Method 1:==== | ||
| - | Check in ''$SERVER_ROOT/temp/ocspcache/''. If a file has been created there, then your OCSP stapling is working. If not, check your error logs for what went wrong. | + | Check in ''/dev/shm/lsws/ocspcache/'' for newer version or ''$SERVER_ROOT/tmp/ocspcache/'' for earlier version. If a file has been created there, then your OCSP stapling is working. If not, check your error logs for what went wrong. |
| + | |||
| + | /dev/shm/lsws/ocspcache>ls -alt | head; date | ||
| + | total 44 | ||
| + | drwxr-x--- 4 nobody nobody 400 Jul 13 05:16 .. | ||
| + | drwx------ 2 nobody nobody 260 Jul 13 00:07 . | ||
| + | -rw------- 1 nobody nobody 472 Jul 13 00:07 Reacb027c3975b5e2d620bbb279008dad.rsp | ||
| + | -rw------- 1 nobody nobody 472 Jul 12 11:20 R46e10f27f45529e132faf1c78ff62725.rsp | ||
| + | -rw------- 1 nobody nobody 471 Jul 10 18:02 Re3a1d7181c38b68e517f80cbf4bd4e4e.rsp | ||
| + | -rw------- 1 nobody nobody 471 Jul 10 15:14 R053b55e8211ae3d02580bdd50b5b00b8.rsp | ||
| + | -rw------- 1 nobody nobody 471 Jul 10 14:09 Rf06839ee82080282fda44cd5633b3538.rsp | ||
| + | -rw------- 1 nobody nobody 471 Jul 10 13:33 Raf1ac6061835bfb1b4df9313b3b8e234.rsp | ||
| + | -rw------- 1 nobody nobody 472 Jul 8 14:58 R53fb6a7fcc1d8fd11c10a5b6c4ad15fc.rsp | ||
| + | Mon Jul 13 06:12:33 UTC 2020 | ||
| ====Method 2:==== | ====Method 2:==== | ||
| Use the ''openssl'' command: | Use the ''openssl'' command: | ||
| - | openssl s_client -connect $Your_Domain:443 -status | + | openssl s_client -connect Your_Domain:443 -status | grep "OCSP Response Status" |
| If OCSP stapling is working, it will show ''ok''. Then check OCSP Response Status: should be ''successful'' in OCSP Response Data section\\ | If OCSP stapling is working, it will show ''ok''. Then check OCSP Response Status: should be ''successful'' in OCSP Response Data section\\ | ||
| - | {{:litespeed_wiki:config:ocsp-2.png?600|}} \\ | ||
| + | For example: | ||
| + | openssl s_client -connect litespeedtech.com:443 -status | grep "OCSP Response Status" | ||
| + | depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3 | ||
| + | verify return:1 | ||
| + | depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 | ||
| + | verify return:1 | ||
| + | depth=0 CN = *.litespeedtech.com | ||
| + | verify return:1 | ||
| + | OCSP Response Status: successful (0x0) | ||
| ==== Method 3:==== | ==== Method 3:==== | ||
| - | - Open browser with URL ''https://cryptoreport.rapidssl.com'' | + | - access https://www.ssllabs.com/ssltest/index.html |
| - | - key in your domain then check **OCSP stapling** status | + | - then search for "OCSP stapling". |
| + | |||
| + | For example, | ||
| + | https://www.ssllabs.com/ssltest/analyze.html?d=litespeedtech.com | ||
| + | OCSP stapling Yes | ||
| ===== Cached OCSP response ===== | ===== Cached OCSP response ===== | ||
| OCSP response is cached for 1-day. If you change your SSL certificate provider and see a cached OCSP response for a domain, you can safely remove the cache files under OCSP cache folder, but not the folder itself. | OCSP response is cached for 1-day. If you change your SSL certificate provider and see a cached OCSP response for a domain, you can safely remove the cache files under OCSP cache folder, but not the folder itself. | ||