
OCSP Stapling in Hitch


What is stapling and how can it improve performance while still keeping users secure?

What Is OCSP Stapling?

OCSP stapling is an alternative route to the usual OCSP (Online Certificate Status Protocol), and it is used to check whether or not an SSL/TLS certificate is valid.

OCSP allows the web server to determine the status of an SSL/TLS certificate by verifying it with the vendor of the certificate. This improved security comes with a performance penalty: page load times increase, because the browser must communicate with both the web server and the vendor.

OCSP stapling addresses some of the issues of the original OCSP implementation, reducing communication times and exchanges between the browser, web server and certificate vendor. The web server can download a copy of the vendor’s response and deliver it to the browser during the TLS handshake. In this way the browser can check the validity of a certificate without querying the certificate authority.

OCSP Stapling Overview

  1. A web server, hosting an SSL/TLS website, queries the certificate vendor. The vendor replies with the status of the certificate and a digitally signed timestamp.
  2. A web browser connects to the server, and the server appends (“staples”) the vendor’s timestamp to the certificate during the TLS handshake.
  3. The browser checks the timestamp; if it is signed by the vendor then it can be trusted.
  4. Based on the OCSP response the browser can either open the page or show an error message.

Why All This?

Hitch, a libev-based high-performance SSL/TLS proxy from Varnish Software (read more here: https://www.varnish-software.com/community/hitch), has support for OCSP stapling. To configure Hitch to use OCSP stapling you need to specify the pem-file setting in your configuration file:

pem-file = {
    cert = "mycert.pem"
    ocsp-resp-file = "mycert-ocsp.der"
}

Here are three other interesting points about Hitch and OCSP stapling:

  • Automated retrieval of OCSP responses from an OCSP responder. This can be set up by adding the following line to your Hitch configuration file:

ocsp-dir = "var/lib/hitch-ocsp"

Or via command line with the option: --ocsp-dir=mydir.

If the loaded certificate has both the OCSP responder address and the issuer certificate as part of its chain, Hitch will automatically and asynchronously fetch and refresh OCSP staples.

  • Verify the OCSP staple; to achieve this, the option ocsp-verify-staple must be enabled in your configuration file:

ocsp-verify-staple = on

  • OCSP stapling of responses loaded from disk or file. Run this OpenSSL command:

openssl ocsp \
    -url https://ocsp.example.com \
    -header Host ocsp.example.com \
    -no_nonce \
    -resp_text \
    -issuer issuer.pem \
    -cert mycert.pem \
    -respout ocspresp.der

It will produce a DER-encoded OCSP response, which can be loaded by Hitch. The URL of the OCSP responder can be found via:

openssl x509 -ocsp_uri -in mycert.pem -noout
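The commands above assume a reachable responder. As an added example (not from the article or the Hitch project), the script below builds a throwaway CA and leaf certificate, uses openssl ocsp in its local responder mode to sign the DER staple that Hitch loads through ocsp-resp-file, and then runs the verifier-side check from steps 3 and 4 of the overview: signature chain against the trusted issuer, certificate status, and the thisUpdate/nextUpdate window. All file names and subjects are placeholders.

```shell
#!/bin/sh
# Constructed demo: throwaway CA + leaf cert, a local "openssl ocsp" responder
# that signs a DER staple (what Hitch loads via ocsp-resp-file), and the
# verifier-side check from steps 3-4 of the overview. All names are placeholders.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-signed test issuer and a leaf certificate signed by it.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Test CA" \
    -keyout ca.key -out ca.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=example.test" \
    -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -days 1 -in leaf.csr -CA ca.pem -CAkey ca.key \
    -CAcreateserial -out leaf.pem 2>/dev/null

# Responder database in OpenSSL index.txt format (tab separated): status,
# expiry, revocation date (empty), serial, file name, subject. V = valid,
# R = revoked; the ocsp app only consults the status and serial columns.
SERIAL=$(openssl x509 -serial -noout -in leaf.pem | cut -d= -f2)
printf 'V\t991231235959Z\t\t%s\tunknown\t/CN=example.test\n' "$SERIAL" > index.txt

# Responder side: sign a "good" response for leaf.pem with nextUpdate one day
# out and write it as DER. Operationally this is the file a refresh job (or
# Hitch's own ocsp-dir fetcher) obtains from the real responder.
make_staple() {   # $1 = output file
    openssl ocsp -index index.txt -CA ca.pem -rsigner ca.pem -rkey ca.key \
        -ndays 1 -no_nonce -issuer ca.pem -cert leaf.pem -CAfile ca.pem \
        -respout "$1" >/dev/null 2>&1
}

# Verifier side: openssl checks the signer chain against the trusted CA and
# compares thisUpdate/nextUpdate with the clock (a stale staple is warned
# about on stderr). Prints the certificate status: good, revoked or unknown.
check_staple() {   # $1 = staple.der  $2 = leaf cert  $3 = issuer/CA cert
    openssl ocsp -respin "$1" -issuer "$3" -cert "$2" -CAfile "$3" -no_nonce \
        2>/dev/null | grep -F "$2: " | head -n 1 | sed 's/^.*: //'
}

make_staple staple.der
check_staple staple.der leaf.pem ca.pem      # prints: good
```

Run check_staple against the file you point ocsp-resp-file at before reloading Hitch; a response past its nextUpdate is exactly what ocsp-verify-staple = on would reject.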

The complete documentation can be found here: https://hitch-tls.org


Topics: varnish, ssl certificates, tls

Published at DZone with permission of Arianna Aondio, DZone MVB. See the original article here.