Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
litespeed_wiki:config:ocsp-stapling [2017/09/11 18:46] Eric Leu [Setup through Apache httpd.conf for 5.1.x and above] |
litespeed_wiki:config:ocsp-stapling [2023/02/11 14:17] (current) Lisa Clarke Redirect to new Documentation Site |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== OCSP Stapling ====== | ====== OCSP Stapling ====== | ||
| - | Online Certificate Status Protocol (OCSP) was created as an alternative to the Certificate Revocation List (CRL) protocol. Both protocols are used to check whether an SSL Certificate has been revoked. The OCSP protocol does not require the browser to spend time downloading and then searching a list for certificate information. With OCSP, the browser simply posts a query and receives a response from an OCSP responder (a CA’s server that specifically listens for and responds to OCSP requests) about the revocation status of a certificate. | ||
| - | OCSP stapling can be used to enhance the OCSP protocol by letting the webhosting site be more proactive in improving the client (browsing) experience. OCSP stapling allows the certificate presenter (i.e. web server) to query the OCSP responder directly and then cache the response. This securely cached response is then delivered with the TLS/SSL handshake via the Certificate Status Request extension response, ensuring that the browser gets the same response performance for the certificate status as it does for the website content. | + | These instructions have been moved to our new documentation site. |
| - | + | ||
| - | This article explains how to set up OCSP stapling. OCSP stapling speeds up the SSL verification process by attaching a pre-approved certificate to the SSL handshake response. This streamlines the process and removes burdens from the client and SSL certification authorities. For more information on OCSP stapling, see [[http://blog.litespeedtech.com/2013/07/03/the-openlitespeed-features-keep-coming-websocket-proxy-ocsp-stapling|our blog]]. | + | |
| - | + | ||
| - | This article assumes that you already have the necessary certificate files and an OCSP responder. OCSP stapling is only available for LiteSpeed Web Server 4.2.4 and above. | + | |
| - | + | ||
| - | For 4.2.x and 5.0.x version, it can only be setup from LiteSpeed native configuration and not able to be set up through Apache configuration, such as httpd.conf file. If the virtual host configurations are setup on both Apache conf and LiteSpeed natively, the native vhost can not override the vhost from Apache, as Apache vhosts are configured after the native vhosts, which may override the LiteSpeed native vhost settings. The corresponding vhost settings in Apache conf have to be removed. | + | |
| - | + | ||
| - | However, 5.1.x and above have added SSL OCSP Stapling support through Apache httpd.conf. | + | |
| - | + | ||
| - | ===== Setup through Apache httpd.conf for 5.1.x and above ===== | + | |
| - | Follow the same way as Apache through httpd.conf. Apache supports OCSP stapling in Apache HTTPD Server 2.3.3+. Some external reference such as [[https://www.digicert.com/ssl-support/apache-enable-ocsp-stapling-on-server.htm|this one]] or [[https://support.globalsign.com/customer/portal/articles/1642333-apache---enable-ocsp-stapling| the other]] | + | |
| - | + | ||
| - | ==== For cPanel ==== | + | |
| - | + | ||
| - | Add the following lines to the ''/usr/local/apache/conf/includes/pre_main_global.conf'' file for EA3 or the ''/etc/apache2/conf.d/includes/pre_main_global.conf'' file for EA4 | + | |
| - | <code> | + | |
| - | <IfModule Litespeed> | + | |
| - | SSLStaplingCache shmcb:/tmp/stapling_cache(128000) | + | |
| - | </IfModule> | + | |
| - | </code> | + | |
| - | + | ||
| - | + | ||
| - | Edit your site’s VirtualHost SSL configuration. | + | |
| - | + | ||
| - | Create a ''lscache_vhosts.conf'' file in the ''/usr/local/apache/conf/userdata/'' directory for EA3 and the ''/etc/apache2/conf.d/userdata/'' directory for EA4 (if these directories do not exist, create them). Your ''lscache_vhosts.conf'' file should contain the following lines: | + | |
| - | + | ||
| - | <code> | + | |
| - | <IfModule Litespeed> | + | |
| - | CacheRoot lscache | + | |
| - | </IfModule> | + | |
| - | </code> | + | |
| - | SSLUseStapling on | + | |
| - | + | ||
| - | + | ||
| - | For example: | + | |
| - | + | ||
| - | SSLStaplingCache shmcb:/tmp/stapling_cache(128000) | + | |
| - | <VirtualHost *:443> | + | |
| - | SSLEngine on | + | |
| - | SSLProtocol all -SSLv3 -SSLv2 | + | |
| - | SSLCertificateFile /path/to/your_domain_name.crt | + | |
| - | SSLCertificateKeyFile /path/to/your_private.key | + | |
| - | SSLCertificateChainFile /path/to/DigiCertCA.crt | + | |
| - | SSLUseStapling on | + | |
| - | </VirtualHost> | + | |
| - | + | ||
| - | + | ||
| - | ===== Setup through LSWS native configure for 4.2.x or 5.0.x ===== | + | |
| - | + | ||
| - | ==== Set up a secure listener ==== | + | |
| - | + | ||
| - | Add a listener (WebAdmin console > Configuration > Listeners > Add). | + | |
| - | + | ||
| - | {{litespeed_wiki:ocsp_add_listener.png?700}} | + | |
| - | + | ||
| - | Make sure you click ''Yes'' under the Secure setting. (The other settings should be customized to listen to the correct IP and port for the virtual hosts this listener will be mapping to.) | + | |
| - | + | ||
| - | {{litespeed_wiki:ocsp_secure.png?700}} | + | |
| - | + | ||
| - | ==== Set up certificate files ==== | + | |
| - | + | ||
| - | Open up the listener again (View/Edit). | + | |
| - | + | ||
| - | {{litespeed_wiki:ocsp_added.png?700}} | + | |
| - | + | ||
| - | Under the SSL tab, enter the paths and locations for your certificates and key files. | + | |
| - | + | ||
| - | {{litespeed_wiki:ocsp_cert_settings.png?700}} | + | |
| - | + | ||
| - | ==== Set the OCSP values ==== | + | |
| - | + | ||
| - | To set up OCSP stapling, you must set Enable OCSP Stapling to "Yes". It is also better to put the address of your OCSP responder in the OCSP Responder field (though the server may be able to find it in your CA certificate). Check with your certificate authority (CA) for your OCSP responder's address. | + | |
| - | + | ||
| - | {{litespeed_wiki:ocsp_settings.png?700}} | + | |
| - | + | ||
| - | ==== Graceful restart to apply changes ==== | + | |
| - | + | ||
| - | ===== Did it work? ===== | + | |
| - | ====Method 1:==== | + | |
| - | Check in ''$SERVER_ROOT/temp/ocspcache/''. If a file has been created there, then your OCSP stapling is working. If not, check your error logs for what went wrong. | + | |
| - | + | ||
| - | ====Method 2:==== | + | |
| - | openssl s_client -connect $Your_Domain:443 -status | + | |
| - | If OCSP stapling is working, it will show **ok**\\ | + | |
| - | {{:litespeed_wiki:config:ocsp-2.png?600|}} \\ | + | |
| - | OCSP Response Status: should be **successful** in OCSP Response Data section | + | |
| + | * [[https://docs.litespeedtech.com/lsws/ocsp-stapling/|LiteSpeed Native, or Apache Config]] | ||
| + | * [[https://docs.litespeedtech.com/lsws/cp/cpanel/ocsp-stapling/|cPanel]] | ||
| + | * [[https://docs.litespeedtech.com/lsws/cp/plesk/configuration/#ocsp-stapling|Plesk]] | ||