
By Abhishek Ghosh July 18, 2016 8:16 pm Updated on July 18, 2016

OCSP Stapling Nginx : Working Guide to Enable


Previously we covered how to install an SSL certificate on an Nginx server and how to install a free Let’s Encrypt SSL/TLS certificate; read both, or at least skim them, before continuing. Many users report that OCSP stapling does not work in Nginx, or that SSL Labs flags Chain Issues on their site. Here is a working step-by-step guide to OCSP stapling on Nginx. Unless you specifically need an OV or EV certificate, we recommend switching to free Let’s Encrypt (or the free tier of StartSSL): Let’s Encrypt runs on open source software that is publicly audited, and it is now mature enough for professional sites.

 

OCSP Stapling Nginx : Why We Need OCSP Stapling, What it Does, Who Needs it?

 

OCSP stapling is a simple way for a client to determine quickly and safely whether a server’s SSL/TLS certificate has been revoked. The web server itself fetches a signed, time-stamped statement about its own certificate from the CA’s OCSP responder and presents it (“staples” it) to the browser during the TLS handshake, instead of leaving the browser to contact the CA over the network. The cost to the server is negligible: one responder query per response validity period, cached in memory. On paper stapling is purely a performance feature, but in practice it improves security as well. Plain OCSP has two problems: the lookup adds a round trip to the CA before the page can load, and it tells the CA which sites each user visits. Worse, because responders are sometimes slow or unreachable, browsers soft-fail, that is, they treat a missing OCSP answer as “not revoked”, so an attacker who can block the OCSP query can use a revoked certificate unhindered. Stapling removes the round trip and the privacy leak by letting the origin server periodically query the responder and serve clients both its certificate and the CA’s proof that the certificate has not been revoked. Because the client-side cost is gone, browsers are willing to consume stapled responses, so revocation information actually reaches users. The practical benefits are faster loading of secure content and fewer stalls on pages that pull from several HTTPS origins, such as an online payment flow.

OCSP stands for Online Certificate Status Protocol. With plain OCSP every client asks the CA’s responder about every certificate in real time, which is costly for the CA and slow for the client. Stapling is the newer arrangement: the web site bears the cost of fetching a time-stamped OCSP response signed by the CA and delivers it during the initial TLS handshake, so the responder is queried once per validity period rather than once per visitor. Either way, an OCSP response puts far less load on the network and the client than a certificate revocation list (CRL); browsers have largely stopped downloading CRLs because they do not scale, and OCSP was proposed to replace them (Chrome, for example, ships its own curated CRLSets instead). RFC 6960 defines OCSP, the TLS Certificate Status Request extension that carries the stapled response is specified in RFC 6066, and RFC 6961 defines a Multiple Certificate Status Request extension that lets a server staple responses for the intermediate certificates as well as the leaf. The mass revocations that followed the Heartbleed OpenSSL bug showed how little clients actually enforce revocation, which renewed interest in stapling and in the TLS Feature (OCSP Must-Staple) certificate extension of RFC 7633.


Enable OCSP stapling on every TLS server unless you have a specific reason not to.


 

OCSP Stapling Nginx : Working Step by Step Guide

 

Anyone who has followed the steps in our guide on installing an SSL certificate on an Nginx server should have no trouble with what follows. We assume you hold the separate PEM-encoded X.509 certificates a CA such as GeoTrust typically delivers: plain text files that can be copied and pasted and begin with -----BEGIN CERTIFICATE-----. Within reason any file extension will do (.pem, .cer, .crt, or none at all); do not be put off by .pem. The commercial CAs were fully closed shops before Let’s Encrypt appeared, and their staff wrote their brief installation guides however they pleased, so naming varies. Unless the site throws errors in the browser or on the SSL Labs test, treat these files as PEM certificates; a *nix server reads them correctly regardless of the extension. If your CA supplies certificates in binary DER format you must first convert them to PEM, for example with the openssl x509 command using -inform DER (online converters exist too, but the command line on your own server is preferable).

GeoTrust QuickSSL Premium normally supplies the PEM-encoded certificate for the domain plus the intermediate certificate. The root certificate is downloaded from the CA’s website. Because a CA has several roots in use for different product lines, first run the site through the SSL Labs test to see the issuer name (for a GeoTrust DV certificate, for example, GeoTrust Primary Certification Authority G3) and then pick the matching root from GeoTrust’s list. Certificates from other CAs should be matched the same way.

At the end, we have three separate certificates :

  1. Domain / Web Server Certificate
  2. Intermediate Certificate
  3. Root Certificate

Two Nginx directives matter in this guide: ssl_certificate and ssl_trusted_certificate. The three certificates above have to be concatenated in the right combination and order to create the two bundles. Chain Issues on SSL Labs are common when this is not understood, or when a reseller hands over only part of the chain. The split is: ssl_certificate is what the server sends to clients, so it must carry the leaf and every intermediate but not the root (clients already hold the root, and sending it only wastes handshake bytes); ssl_trusted_certificate is the chain Nginx uses, with ssl_stapling_verify on, to check the signature on the OCSP response before stapling it, so it must carry the root and the intermediates. For OCSP stapling on Nginx the concatenated files should therefore contain, in this order:

ssl_certificate should have :

  1. Web server / domain certificate
  2. Intermediate certificate

ssl_trusted_certificate should have :

  1. Root certificate
  2. Intermediate certificate

Let us call the resulting files ssl_certificate.crt and ssl_trusted_certificate.crt. Concatenation here means nothing more than placing the plain-text certificates one after another in the order given above. We have kept a fake example of a concatenated file on this gist. You can build the files by copy-and-paste in a plain text editor on OS X or GNU/Linux, or with cat on the server:

cat domain.crt intermediate.crt > ssl_certificate.crt
cat root.crt intermediate.crt > ssl_trusted_certificate.crt

This is just copy-and-paste with a line break between blocks: each source file must end with a newline, otherwise the END marker of one certificate and the BEGIN marker of the next land on the same line and Nginx will refuse to load the bundle. Build ssl_certificate.crt and ssl_trusted_certificate.crt by mixing the right pieces in the right order. We assume the files live under /etc/nginx/ssl/whatever-named-dir. Use the following directives in the server block:
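The script below is an added example, not code from the original article or from Nginx. It builds the two bundles in the order just described, forces a newline after any file that lacks one, converts DER input to PEM when needed, and refuses bundles whose END and BEGIN markers have been glued together. The file names domain.crt, intermediate.crt and root.crt are assumptions, and the demo runs on constructed placeholder blocks, not real certificates.

```shell
#!/bin/sh
# Added example, not from the original article or from Nginx: assemble the two
# PEM bundles that ssl_certificate and ssl_trusted_certificate expect, and catch
# the concatenation mistakes that produce "Chain issues" on SSL Labs.
# File names (domain.crt, intermediate.crt, root.crt) are assumptions.
set -eu

# 0 if the file is PEM text (has a BEGIN CERTIFICATE marker), 1 otherwise.
is_pem() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Copy $1 to $2 as PEM, converting from DER with openssl if it is binary.
to_pem() {
    if is_pem "$1"; then
        cp "$1" "$2"
    else
        openssl x509 -inform DER -in "$1" -out "$2"
    fi
}

# Concatenate the PEM files given after $1 into $1, in the order given, adding
# a newline after any file that lacks one so END and BEGIN markers never end up
# glued together on a single line (which makes nginx reject the bundle).
build_chain() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        if ! is_pem "$f"; then
            echo "not a PEM certificate: $f" >&2
            rm -f "$out"
            return 1
        fi
        cat "$f" >> "$out"
        # $(...) strips trailing newlines, so a non-empty result means the
        # file's last byte was not a newline
        if [ -n "$(tail -c 1 "$f")" ]; then
            printf '\n' >> "$out"
        fi
    done
}

# Number of certificates in a bundle (one BEGIN marker each).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# 0 if the bundle is well-formed: at least one certificate, matching BEGIN and
# END counts, and no END marker glued to the next BEGIN marker.
check_bundle() {
    begins=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1") || true
    ends=$(grep -c -- '-----END CERTIFICATE-----' "$1") || true
    glued=$(grep -c -- 'END CERTIFICATE----------BEGIN CERTIFICATE' "$1") || true
    [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ] && [ "$glued" -eq 0 ]
}

# Write a placeholder PEM block (not a real certificate) to $1; pass nonl as
# $2 to omit the final newline, as some CA downloads do.
fake_cert() {
    { printf '%s\n' '-----BEGIN CERTIFICATE-----' "MIIBPLACEHOLDER$(basename "$1" .crt)"
      printf '%s' '-----END CERTIFICATE-----'
      [ "${2:-}" = nonl ] || printf '\n'; } > "$1"
}

# Demo on constructed placeholder files.
demo() {
    dir=$(mktemp -d)
    fake_cert "$dir/domain.crt"
    fake_cert "$dir/intermediate.crt" nonl
    fake_cert "$dir/root.crt"

    # a plain cat of a file with no trailing newline glues the markers
    cat "$dir/intermediate.crt" "$dir/root.crt" > "$dir/naive.crt"
    check_bundle "$dir/naive.crt" || echo "naive cat: glued markers detected"

    build_chain "$dir/ssl_certificate.crt" "$dir/domain.crt" "$dir/intermediate.crt"
    build_chain "$dir/ssl_trusted_certificate.crt" "$dir/root.crt" "$dir/intermediate.crt"
    for b in ssl_certificate ssl_trusted_certificate; do
        check_bundle "$dir/$b.crt" && echo "$b.crt: $(count_certs "$dir/$b.crt") certificates, markers intact"
    done
    rm -rf "$dir"
}

demo
```

With real certificates, two further checks are worth running before reloading Nginx: openssl x509 -in ssl_certificate.crt -noout -subject -issuer prints only the first block in the bundle, which confirms the leaf comes first, and openssl verify -CAfile ssl_trusted_certificate.crt -untrusted intermediate.crt domain.crt confirms that the trusted bundle really chains the leaf to the root.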

...
        # leaf certificate followed by the intermediate(s); never the root
        ssl_certificate /etc/nginx/ssl/whatever-named-dir/ssl_certificate.crt;
        ssl_certificate_key /etc/nginx/ssl/whatever-named-dir/server.key;
        # 2048-bit or larger DH parameters: optional for stapling, needed against Logjam
        ssl_dhparam /etc/nginx/ssl/whatever-named-dir/dhparam.pem;
        # fetch the OCSP response for our own certificate and staple it into the handshake
        ssl_stapling on;
        # verify the responder's signature against ssl_trusted_certificate before stapling;
        # without it nginx would pass on a response it could not validate
        ssl_stapling_verify on;
        # used to resolve the OCSP responder host named in the certificate's AIA extension;
        # point this at a local caching resolver if you run one
        resolver 8.8.8.8 8.8.4.4 valid=300s;
        resolver_timeout 10s;
        # root plus intermediate(s): the chain nginx uses to validate the OCSP response
        ssl_trusted_certificate /etc/nginx/ssl/whatever-named-dir/ssl_trusted_certificate.crt;
...

ssl_dhparam is optional for OCSP stapling, but a 2048-bit or larger DH parameter file is needed to defend against the Logjam downgrade attack on Diffie-Hellman key exchange. Run nginx -t to check the configuration, then reload or restart Nginx so it takes effect (service nginx restart is the classic command on Debian-style systems; systemctl reload nginx where systemd is in use). Note that Nginx fetches the OCSP response lazily: the first TLS handshake after a restart triggers the fetch in the background, and that first connection is served without a staple. Test the site on the SSL Labs online test; Chain Issues should read None and OCSP stapling should show as Yes. You can also test from a shell with the command below (replace your-domain-name.com with the real host name; -servername sets SNI so a server hosting several sites presents the right certificate), running it twice if the first attempt reports no response sent:

echo QUIT | openssl s_client -connect your-domain-name.com:443 -servername your-domain-name.com -status 2>/dev/null | sed -n '/^OCSP response:/,/Next Update/p'

On success you will see output like the following; the lines to check are OCSP Response Status: successful (0x0) and Cert Status: good, and Next Update should lie in the future:
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: E1FF68EB85774E3804E4E599A5208DA7174FEE61
    Produced At: Jul 18 07:20:53 2016 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: B378EAC54E21B0EAAAA70B5A4C5ACF9AC3195DBD
      Issuer Key Hash: 49ECA7C8A9F7C5BB2CAA24E7F443B3B13CE854F8
      Serial Number: 1804F61AC8E064490B9B5420B7C34B6A
    Cert Status: good
    This Update: Jul 18 07:20:53 2016 GMT
    Next Update: Jul 25 07:20:53 2016 GMT
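To turn that manual check into something a deployment or monitoring script can act on, here is an added example (shell; not code from the original article or from Nginx) that parses the transcript openssl s_client -status prints. The function names probe_staple, staple_status, staple_next_update, staple_is_fresh and check_staple are my own; the first sample transcript is the successful response shown above, trimmed, and the second is a constructed no-staple case. Parsing the Next Update timestamp relies on GNU date’s -d option.

```shell
#!/bin/sh
# Added example, not from the original article or from Nginx: parse the
# transcript that `openssl s_client -status` prints and decide whether the
# server really delivered a fresh, good OCSP staple. Function names are my own.
set -eu

# Fetch a handshake transcript from host $1 (port $2, default 443). -servername
# sets SNI so an nginx hosting several sites presents the right certificate.
probe_staple() {
    host=$1; port=${2:-443}
    echo QUIT | openssl s_client -connect "$host:$port" -servername "$host" -status 2>/dev/null || true
}

# Reduce a transcript on stdin to one word:
#   none     no staple was sent (nginx does this on the first handshake after a restart)
#   error    the responder's reply status was not "successful"
#   good / revoked / unknown   the Cert Status inside the staple
staple_status() {
    awk '
        /^OCSP response: no response sent/            { print "none";  found = 1; exit }
        /OCSP Response Status:/ && $0 !~ /successful/  { print "error"; found = 1; exit }
        /Cert Status:/                                 { print $3;      found = 1; exit }
        END { if (!found) print "none" }
    '
}

# Print the Next Update timestamp from a transcript on stdin (empty if absent).
staple_next_update() {
    sed -n 's/^[[:space:]]*Next Update: *//p' | head -n 1
}

# 0 if the staple stays valid for at least $1 more seconds measured from epoch
# $2 (default: now); 1 if stale or missing; 2 if date -d cannot parse it
# (GNU date is assumed for the timestamp parsing).
staple_is_fresh() {
    min=$1; now=${2:-$(date -u +%s)}
    nu=$(staple_next_update)
    [ -n "$nu" ] || return 1
    exp=$(date -u -d "$nu" +%s 2>/dev/null) || return 2
    [ $((exp - now)) -ge "$min" ]
}

# Live check for host $1: succeeds only on a good staple with at least an hour
# of validity left, which is what a deployment script should insist on.
check_staple() {
    transcript=$(probe_staple "$1")
    status=$(printf '%s\n' "$transcript" | staple_status)
    if [ "$status" != good ]; then
        echo "$1: staple status is '$status'" >&2
        return 1
    fi
    if ! printf '%s\n' "$transcript" | staple_is_fresh 3600; then
        echo "$1: staple is stale or its Next Update could not be parsed" >&2
        return 1
    fi
    echo "$1: good staple, next update $(printf '%s\n' "$transcript" | staple_next_update)"
}

# Samples: the successful response shown in the article (trimmed) and a
# constructed transcript for the no-staple case.
SAMPLE_GOOD='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jul 18 07:20:53 2016 GMT
    Next Update: Jul 25 07:20:53 2016 GMT'
SAMPLE_NONE='OCSP response: no response sent'

printf '%s\n' "$SAMPLE_GOOD" | staple_status   # good
printf '%s\n' "$SAMPLE_NONE" | staple_status   # none
```

Call check_staple your-domain-name.com from a deploy script or cron job; a none result right after a reload is expected once, but none on a second attempt, or anything other than good, should fail the deployment rather than be ignored, since a missing staple silently falls the client back to soft-fail OCSP.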

Cite this article as: Abhishek Ghosh, "OCSP Stapling Nginx : Working Guide to Enable," in The Customize Windows, July 18, 2016, January 25, 2021, https://thecustomizewindows.com/2016/07/ocsp-stapling-nginx/.