The Customize Windows

Technology Journal


By Abhishek Ghosh December 30, 2014 8:28 am Updated on December 30, 2014

Online Certificate Status Protocol (OCSP)


Online Certificate Status Protocol (OCSP), standardised in RFC 6960, is a method for determining the revocation status of a digital certificate. In practice, web administrators meet OCSP when installing an SSL/TLS certificate on a web server such as Nginx. It is an alternative to Certificate Revocation Lists (CRL): instead of downloading a complete, periodically published list of revoked serial numbers, a client asks about one certificate and receives a fresh answer. OCSP messages are encoded in ASN.1 and are usually transported over HTTP. Because the protocol is a simple request/response exchange, the servers that answer the queries are known as OCSP responders. This much theory is the minimum needed to work with OCSP stapling, which is described later in this article.

Online Certificate Status Protocol (OCSP) : Basics

RFC 6960 defines what an OCSP responder must do and the format of both the request and the response; both data structures are expressed in ASN.1 syntax. An OCSP request consists of the protocol version, an optional requestor name and a list of certificates to be checked. Each certificate is identified by a CertID, which is built from the hash algorithm used, the hash of the issuer's Distinguished Name (DN), the hash of the issuer's public key and the certificate's serial number; the certificate itself is never sent. A single request may ask about several certificates, even ones issued by different CAs. Signing the request is optional and depends on the policy of the OCSP responder (the Validation Authority).

A successful answer is a signed OCSP response carrying, for each certificate in the request, one of three states: "good", "revoked" or "unknown". The responder may instead return an error status (for example malformedRequest, internalError, tryLater or unauthorized), in which case the response carries no signed content. The first version of OCSP (RFC 2560) was ambiguous about what "unknown" means: it could mean that the responder does not know the certificate at all, or that it cannot determine the certificate's revocation status. Both request and response formats support extensions; the best known is the nonce, which binds a response to a particular request so that an old response cannot be replayed. Extensions allow the protocol to be adapted to the needs of a specific PKI.
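The exchange described in the two paragraphs above, as an added example that is not part of the original article: a throwaway CA and an OCSP responder are built locally with openssl, so the request (with its CertID fields), the three signed status answers and the "unknown" case can all be observed offline. The CA name, the file names and TCP port 18080 are assumptions made for this demo; nothing here talks to a real CA.

```bash
#!/usr/bin/env bash
# Added example, not from the original article: a full OCSP exchange run offline.
# A throwaway CA issues three certificates; one is revoked and one is issued
# behind the CA database's back. `openssl ocsp` then acts as the responder
# (signing with the CA key) and as the client. CA name, file names and TCP
# port 18080 are assumptions made for this demo.
set -eu

OCSP_WORK=$(mktemp -d)
OCSP_PORT=18080
OCSP_PID=
cd "$OCSP_WORK"

ocsp_teardown() {
  if [ -n "$OCSP_PID" ]; then kill "$OCSP_PID" 2>/dev/null || true; fi
  rm -rf "$OCSP_WORK"
}
trap ocsp_teardown EXIT

ocsp_setup() {
  # Minimal `openssl ca` configuration. index.txt is the CA database the
  # responder consults; the [v3_ca] extensions let the CA cert chain-verify.
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir            = .
database       = $dir/index.txt
new_certs_dir  = $dir/newcerts
serial         = $dir/serial
certificate    = $dir/ca.crt
private_key    = $dir/ca.key
default_md     = sha256
default_days   = 1
policy         = demo_policy
unique_subject = no
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign, digitalSignature
EOF
  mkdir newcerts && : > index.txt && echo 1000 > serial
  openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Demo OCSP CA" -keyout ca.key -out ca.crt 2>/dev/null
  for name in good revoked; do
    openssl req -config ca.cnf -newkey rsa:2048 -nodes -subj "/CN=$name.example.test" \
      -keyout "$name.key" -out "$name.csr" 2>/dev/null
    openssl ca -config ca.cnf -batch -notext -in "$name.csr" -out "$name.crt" 2>/dev/null
  done
  openssl ca -config ca.cnf -revoke revoked.crt 2>/dev/null   # index.txt now says R
  # Signed by the same CA key but never recorded in index.txt
  openssl req -config ca.cnf -newkey rsa:2048 -nodes -subj "/CN=stranger.example.test" \
    -keyout stranger.key -out stranger.csr 2>/dev/null
  openssl x509 -req -in stranger.csr -CA ca.crt -CAkey ca.key -set_serial 0x4242 \
    -days 1 -out stranger.crt 2>/dev/null
}

# Ask the responder about one certificate; print only its status word, and only
# if the CA's signature over the response verified against ca.crt.
ocsp_status() {
  local out
  out=$(openssl ocsp -issuer ca.crt -cert "$1" -CAfile ca.crt -nonce \
        -url "http://127.0.0.1:$OCSP_PORT" 2>&1) || return 1
  printf '%s\n' "$out" | grep -q '^Response verify OK' || return 1
  printf '%s\n' "$out" | awk -v c="$1" -F': ' '$1 == c { print $2; exit }'
}

ocsp_start_responder() {
  # The CA signs responses itself here; real CAs delegate to a responder
  # certificate carrying the OCSPSigning extended key usage.
  openssl ocsp -index index.txt -CA ca.crt -rsigner ca.crt -rkey ca.key \
    -ndays 1 -port "$OCSP_PORT" >/dev/null 2>&1 &
  OCSP_PID=$!
  local i
  for i in 1 2 3 4 5 6 7 8 9 10; do         # wait until it answers
    ocsp_status good.crt >/dev/null 2>&1 && return 0
    sleep 1
  done
  return 1
}

# Write the DER request for one certificate and decode it: the CertID holds
# the issuer name hash, issuer key hash and serial number, not the certificate.
ocsp_request_text() {
  openssl ocsp -issuer ca.crt -cert "$1" -no_nonce -reqout req.der >/dev/null 2>&1
  openssl ocsp -reqin req.der -no_nonce -text 2>/dev/null
}

ocsp_setup
ocsp_start_responder || { echo "responder did not start on port $OCSP_PORT" >&2; exit 1; }
echo "== decoded OCSP request for good.crt =="
ocsp_request_text good.crt
echo "== responder answers (signature verified against ca.crt) =="
for c in good.crt revoked.crt stranger.crt; do
  printf '%-13s %s\n' "$c" "$(ocsp_status "$c")"
done
```

Run it as a normal user; it needs only openssl and a free local TCP port. The decoded request shows that the client sends nothing but hashes and a serial number, and the responder answers good, revoked and unknown for the three certificates, each answer carrying a signature that the client checks against ca.crt before it trusts the status word.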


---

OCSP-based revocation is not an effective technique to mitigate the compromise of an HTTPS server's private key. An attacker who has stolen a server's private key typically needs to be in a man-in-the-middle position on the network to abuse that key and impersonate the server, and an attacker in that position can also block the client's OCSP query. Because most browsers treat an unanswered OCSP query as a soft failure and continue with the connection, the check gives little protection in exactly the situation it is meant to cover.

Online Certificate Status Protocol (OCSP) and OCSP stapling

OCSP stapling, formally the TLS Certificate Status Request extension (RFC 6066), is an alternative approach to plain OCSP for checking the revocation status of digital certificates. It lets the holder of a certificate (the webmaster) bear the resource cost of providing OCSP responses instead of the issuing certificate authority (CA). In a typical stapling deployment on a real website, the web server queries the CA's OCSP responder at regular intervals and caches the signed, time-stamped response. When a visitor connects to the site, the server includes ("staples") this cached response in the TLS/SSL handshake as the reply to the client's Certificate Status Request extension, so the client never has to contact the responder itself.

It may seem that letting the webmaster control the verification response would allow a fraudulent website to present a false verification for a revoked certificate. However, the stapled response is signed by the certificate authority, not by the certificate holder (the website operator), so it cannot be forged without the CA's OCSP signing key; at worst a server can withhold a response or keep serving a cached one until its Next Update time passes.
As a result, clients still receive verifiable assurance from the certificate authority that the certificate is currently valid (or was until quite recently), but no longer need to contact the OCSP responder individually. The resource burden moves to the certificate holder, and because the client no longer queries a third party for every site it visits, its browsing habits are not disclosed to the CA, which is a privacy gain.

Online Certificate Status Protocol Stapling on Nginx

OCSP stapling needs nginx 1.3.7 or later (the release that introduced the ssl_stapling directive); the nginx package in Ubuntu 14.04 LTS is new enough. First find out which OCSP responders your certificate chain points to. Run this from an SSH session:

```bash
OLDIFS=$IFS
IFS=':'
# Print every certificate in the chain; each PEM block is prefixed with ':' so IFS can split them
certificates=$(openssl s_client -connect google.com:443 -showcerts -tlsextdebug 2>&1 </dev/null \
  | sed -n '/-----BEGIN/,/-----END/ {/-----BEGIN/ s/^/:/; p}')
for certificate in ${certificates#:}; do
  echo "$certificate" | openssl x509 -noout -ocsp_uri   # OCSP URI from the AIA extension
done
IFS=$OLDIFS
```

This prints the OCSP responder URL of every certificate in the chain that has one, taken from its Authority Information Access (AIA) extension; a chain usually yields two or more. These are the hosts nginx must be able to resolve and reach to fetch a stapled response (they are not DNS resolvers). In our case the output was:

```
http://clients1.google.com/ocsp
http://g.symcd.com
```

A reverse lookup of the first host, clients1.google.com, did not yield anything useful. The second, g.symcd.com, resolved to:

```
23.5.251.27
```

Other OCSP responder hostnames served from the same IP address at the time of writing (Symantec, VeriSign and GeoTrust responders) were:

```
evsecure-ocsp.verisign.com
evssl-ocsp.geotrust.com
g.symcd.com
gb.symcd.com
gtglobal-ocsp.geotrust.com
gtssl2-ocsp.geotrust.com
gw.symcd.com
ocsp.verisign.com
sb.symcd.com
sd.symcd.com
se.symcd.com
sf.symcd.com
```

g.symcd.com is thus one of Symantec's shared OCSP responders at 23.5.251.27; the point of the exercise is to know which host nginx will have to resolve and reach. This article assumes your TLS configuration already scores A+ on the SSL Labs test (hardening protocols and ciphers is outside its scope) and, in particular, that nginx already has the complete chain of issuer certificates configured with:

```nginx
ssl_trusted_certificate /etc/ssl/certs/domain.chain.extension;
```

in your nginx configuration. With ssl_stapling_verify enabled, nginx checks the signature on the OCSP response before stapling it, and for that it needs the intermediate and root certificates from this file. Now add these lines to the SSL server block:

```nginx
ssl_stapling on;
ssl_stapling_verify on;
resolver IP.IP.IP.IP valid=300s;
resolver_timeout 10s;
```

IP.IP.IP.IP is the address of a DNS server that nginx can use to resolve the OCSP responder's hostname (g.symcd.com in the example above), for instance your hosting provider's resolver or a local caching resolver on 127.0.0.1; it is not the address your own domain resolves to. nginx performs this lookup with its own built-in resolver and does not read /etc/resolv.conf or /etc/hosts, so a missing or wrong resolver directive is the most common reason stapling silently fails. People usually copy-paste this line wrongly and never check the error log. After setting the resolver and reloading nginx, test from SSH:

```bash
openssl s_client -connect thecustomizewindows.com:443 -tlsextdebug -status </dev/null
```

Note that nginx fetches the OCSP response lazily: the first TLS handshake after a start or reload triggers the fetch in the background and itself gets "OCSP response: no response sent". Run the command twice and judge by the second result.

The nginx documentation for the resolver directive is at http://nginx.org/en/docs/http/ngx_http_core_module.html#resolver

Instead of wading through the full output, pipe the command through grep and keep only the lines that matter: whether a response was stapled at all, the certificate status inside it and openssl's own verify result:

```bash
openssl s_client -connect example.org:443 -tlsextdebug -status </dev/null 2>/dev/null \
  | grep -E "OCSP [Rr]esponse|Cert Status|Verify return code"
```

A working setup prints "OCSP Response Status: successful (0x0)" and "Cert Status: good"; "OCSP response: no response sent" means nothing was stapled.

If you get:

```
Verify return code: 20 (unable to get local issuer certificate)
```

then openssl could not find the issuer of the server certificate in its default trust store (the stapled response itself may still be fine). Point openssl at the chain you configured for nginx:

```bash
openssl s_client -connect www.thecustomizewindows.com:443 -CApath /etc/nginx/ssl/www.thecustomizewindows.com </dev/null
```

/etc/nginx/ssl/www.thecustomizewindows.com is the directory holding the certificates and www.thecustomizewindows.com is the domain of this site. Note that -CApath expects a directory prepared with c_rehash (certificates indexed by subject hash); if your chain is a single PEM bundle, use -CAfile with that file instead. A correct setup ends with "Verify return code: 0 (ok)".
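A checker for what the server actually staples, as an added example (not code from the original article) that ties the stapling description above to the openssl s_client -status test: check_staple classifies an s_client transcript as a fresh "good" staple, a revoked certificate, no staple sent (what the first handshake after an nginx restart looks like) or a staple past its Next Update time. The transcripts embedded below are constructed, abridged samples, not real captures; fetch_staple obtains a live one. GNU date(1) is assumed for parsing the Next Update timestamp, and the host names are placeholders.

```bash
#!/usr/bin/env bash
# Added example, not from the original article: classify the stapled OCSP
# response found in an `openssl s_client -status` transcript. Return codes:
#   0 fresh "good" staple   1 revoked   2 no staple sent (the first handshake
#   after an nginx restart looks like this)   3 staple past its Next Update
#   4 anything else. GNU date(1) is assumed for the timestamp parsing.
set -eu

# Get a live transcript (needs network), e.g.: fetch_staple www.example.org | check_staple
fetch_staple() {
  openssl s_client -connect "$1:${2:-443}" -servername "$1" -status </dev/null 2>/dev/null
}

# Read a transcript on stdin and return one of the codes above.
check_staple() {
  local text status next next_epoch
  text=$(cat)
  if printf '%s\n' "$text" | grep -q '^OCSP response: no response sent'; then
    return 2
  fi
  printf '%s\n' "$text" | grep -q 'OCSP Response Status: successful' || return 4
  status=$(printf '%s\n' "$text" | sed -n 's/^ *Cert Status: *//p' | head -n 1)
  next=$(printf '%s\n' "$text" | sed -n 's/^ *Next Update: *//p' | head -n 1)
  case "$status" in
    revoked) return 1 ;;
    good)    ;;
    *)       return 4 ;;
  esac
  # RFC 6960: a missing nextUpdate means newer information is available at any
  # time, so there is no expiry to enforce; otherwise the staple must still be valid.
  if [ -n "$next" ]; then
    next_epoch=$(date -u -d "$next" +%s 2>/dev/null) || return 4
    [ "$next_epoch" -gt "$(date -u +%s)" ] || return 3
  fi
  return 0
}

# Print the code instead of returning it, so results are easy to compare.
staple_code() {
  local rc=0
  printf '%s\n' "$1" | check_staple || rc=$?
  echo "$rc"
}

describe_staple() {
  case "$1" in
    0) echo "fresh, good" ;;
    1) echo "REVOKED: stop serving this certificate" ;;
    2) echo "no staple sent: retry once, nginx fetches after the first handshake" ;;
    3) echo "staple expired: the server is serving a stale cached response" ;;
    *) echo "malformed or unexpected response" ;;
  esac
}

# Constructed, abridged transcripts standing in for real s_client -status output.
SAMPLE_GOOD='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Serial Number: 1000
    Cert Status: good
    This Update: Jan  1 00:00:00 2024 GMT
    Next Update: Jan  1 00:00:00 2099 GMT
======================================
Verify return code: 0 (ok)'
SAMPLE_STALE=$(printf '%s\n' "$SAMPLE_GOOD" | sed 's/2099 GMT/2015 GMT/')
SAMPLE_REVOKED=$(printf '%s\n' "$SAMPLE_GOOD" | sed 's/Cert Status: good/Cert Status: revoked/')
SAMPLE_NONE='OCSP response: no response sent
Verify return code: 0 (ok)'

printf 'good    -> %s\n' "$(describe_staple "$(staple_code "$SAMPLE_GOOD")")"
printf 'stale   -> %s\n' "$(describe_staple "$(staple_code "$SAMPLE_STALE")")"
printf 'revoked -> %s\n' "$(describe_staple "$(staple_code "$SAMPLE_REVOKED")")"
printf 'none    -> %s\n' "$(describe_staple "$(staple_code "$SAMPLE_NONE")")"
```

Against a live server, run fetch_staple twice before drawing conclusions, because the first handshake after an nginx reload returns code 2 even on a correctly configured server; a persistent 2 points at the resolver or the chain in ssl_trusted_certificate, and a 3 means nginx is serving a cached response it failed to refresh.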

So the final stapling directives in the SSL server block are:

```nginx
ssl_stapling on;
ssl_stapling_verify on;
resolver IP.IP.IP.IP valid=300s;
resolver_timeout 10s;

# Optional overrides, normally not needed:
# ssl_stapling_file file;       # serve a pre-fetched response from this DER file
#                               # instead of querying any responder
# ssl_stapling_responder url;   # query this responder instead of the one named
#                               # in the certificate's AIA extension, e.g.
# ssl_stapling_responder http://g.symcd.com;
```

ssl_stapling_file and ssl_stapling_responder are alternatives to the default behaviour, not additions to it. When ssl_stapling_file is set, nginx never queries a responder and staples the file's contents as they are, so you become responsible for refreshing the file before the response's Next Update time passes; ssl_stapling_responder only replaces the URL that nginx queries.

Do not confuse the resolver directive with the hostname entry of your own server. If you open /etc/hosts:

```bash
nano /etc/hosts
```

you will usually see 127.0.1.1 assigned to the machine's hostname. That entry has nothing to do with OCSP stapling: nginx's resolver never reads /etc/hosts, and 127.0.1.1 is not a DNS server unless you deliberately run one there, so pointing resolver at it only produces lookup timeouts. Use the address of a real DNS server.

When stapling does not work, the nginx error log is the place to look:

```bash
cd /var/log/nginx && ls
nano error.log
```

nginx records stapling problems there, for example "ssl_stapling" ignored, issuer certificate not found (the chain in ssl_trusted_certificate is incomplete) or OCSP responder timed out (the resolver is wrong or the responder is unreachable from the server). Finally, confirm from the server itself that nginx is listening for HTTPS on port 443:

```bash
curl -kI https://127.0.1.1:443/
```

The -k flag skips certificate validation, which would otherwise fail because the certificate is not issued for the loopback address; a response header block (a 200 or a redirect) shows that the TLS port is up.

Cite this article as: Abhishek Ghosh, "Online Certificate Status Protocol (OSCP)," in The Customize Windows, December 30, 2014, March 20, 2023, https://thecustomizewindows.com/2014/12/online-certificate-status-protocol-oscp/.

Source:The Customize Windows, JiMA.in

PC users can consult Corrine Chorney for Security.

Want to know more about us? Read Notability and Mentions & Our Setup.

Copyright © 2023 - The Customize Windows | dESIGNed by The Customize Windows

Copyright  · Privacy Policy  · Advertising Policy  · Terms of Service  · Refund Policy

We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of ALL the cookies.
Do not sell my personal information.
Cookie SettingsAccept
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
cookielawinfo-checkbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
SAVE & ACCEPT