Mailing List Archive

OCSP multi stapling support (Apache 2.4.37)
Hi,
I had some questions about using OCSP for revocation.
I have a client that connects to apache http server 2.4.37 (RHEL). I have
enabled SSL and OCSP stapling on the server with this configuration ->
Root
-> Intermediate
-> Server Certificate
-> OCSP signer certificate
Both the intermediate and server certificates contain the OCSP responder URL
in the AIA extension, and there is an OCSP responder running on the same.
The client will send the "status_request" extension during handshake. I see
the server is querying the responder for the revocation status of the end
entity certificate and returning that back to client. But the revocation
status for intermediate cert doesn't seem to be queried or put back in
response.
Note: The version negotiated is TLS 1.3
From the documentation about OCSP stapling it seemed RFC 6961 is not
implemented (relevant for TLS 1.2). Please let me know if this understanding
is correct. But in case of TLS 1.3, the response can be added as a
certificate specific extension of TLS Certificate message. It wasn't clear
if I should be expecting the OCSP response even for the intermediate cert
in this situation.

To summarize
Is OCSP multi stapling supported by apache 2.4.37 ?

Any pointers would be helpful. Thanks in advance

Regards
Akshath
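The observation in the post (a stapled response arrives for the end-entity certificate, nothing for the intermediate) is something a client can check from the outside with `openssl s_client -status`. The script below is an added example, not code from the thread or from Apache: it parses the "OCSP response" section that `s_client` prints and classifies it as no staple, a successful response with a good/revoked/unknown status, or an unusable response. `HOST` is a placeholder, and the three `SAMPLE_*` strings are constructed, abbreviated copies of the `s_client` output format so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread). Classifies the "OCSP response" section of
# `openssl s_client -status` output. Live use (network required; HOST is a placeholder):
#   openssl s_client -connect HOST:443 -servername HOST -status -tls1_3 </dev/null 2>/dev/null | staple_status
# Prints one word and returns 0 (good staple), 1 (no staple), 2 (staple present but not "good").

staple_status() {
    out=$(cat)
    # s_client prints exactly this line when the server answered status_request with nothing
    if printf '%s\n' "$out" | grep -q '^OCSP response: no response sent'; then
        echo "no-staple"
        return 1
    fi
    # A stapled response whose responseStatus is not "successful" (e.g. tryLater) gives the client nothing
    if ! printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        echo "unsuccessful"
        return 2
    fi
    # Status of the first SingleResponse: good / revoked / unknown
    status=$(printf '%s\n' "$out" | sed -n 's/^ *Cert Status: *\([a-z]*\).*/\1/p' | head -n 1)
    case "$status" in
        good)    echo "good";    return 0 ;;
        revoked) echo "revoked"; return 2 ;;
        *)       echo "unknown"; return 2 ;;
    esac
}

# Constructed sample of s_client output for a server stapling a "good" response
SAMPLE_GOOD='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Responder Id: CN = OCSP signer (constructed)
    Responses:
    Certificate ID:
      Serial Number: 1001
    Cert Status: good
    This Update: Feb 16 12:00:00 2023 GMT
    Next Update: Feb 17 12:00:00 2023 GMT
======================================'
# Constructed sample for a server that does not staple at all
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent'
# Constructed sample derived from SAMPLE_GOOD with a revoked status
SAMPLE_REVOKED=$(printf '%s\n' "$SAMPLE_GOOD" | sed 's/Cert Status: good/Cert Status: revoked/')

# Demo over the constructed samples; replace with real s_client output in practice
for s in "$SAMPLE_GOOD" "$SAMPLE_NONE" "$SAMPLE_REVOKED"; do
    printf '%s\n' "$s" | staple_status || true
done
```

Two caveats when reading the result: `s_client -status` reports the response attached to the end-entity certificate, so it confirms what the post sees for the leaf but says nothing about responses for the intermediate; and on the Apache side the leaf staple only appears with `SSLUseStapling On` and a configured `SSLStaplingCache`, so "no-staple" from a fresh deployment is usually a configuration gap rather than a responder problem.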
Re: OCSP multi stapling support (Apache 2.4.37)
OCSP stapling is supported on

- Apache HTTP Server (>=2.3.3)
- Nginx (>=1.3.7)

The symbol means greater than or equal to 2.3.3.
To be honest I had never heard of OCSP stapling, so I googled.

How-to and concepts can be found here:

https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx



On Thu, 16 Feb 2023, 13:01 Akshath Hegde, <arhsagar@gmail.com> wrote:

> Hi,
> I had some questions about using OCSP for revocation.
> I have a client that connects to apache http server 2.4.37 (RHEL). I have
> enabled SSL and OCSP stapling on the server with this configuration ->
> Root
> -> Intermediate
> -> Server Certificate
> -> OCSP signer certificate
> Both the intermediate and server certificates contain the OCSP responder
> URL in the AIA extension, and there is an OCSP responder running on the same.
> The client will send the "status_request" extension during handshake. I
> see the server is querying the responder for the revocation status of the
> end entity certificate and returning that back to client. But the
> revocation status for intermediate cert doesn't seem to be queried or put
> back in response.
> Note: The version negotiated is TLS 1.3
> From the documentation about OCSP stapling it seemed RFC 6961 is not
> implemented (relevant for TLS 1.2). Please let me know if this understanding
> is correct. But in case of TLS 1.3, the response can be added as a
> certificate specific extension of TLS Certificate message. It wasn't clear
> if I should be expecting the OCSP response even for the intermediate cert
> in this situation.
>
> To summarize
> Is OCSP multi stapling supported by apache 2.4.37 ?
>
> Any pointers would be helpful. Thanks in advance
>
> Regards
> Akshath
>
>