Previously we talked about OCSP, OCSP Stapling and OCSP Stapling on Nginx. Now, we will configure OCSP Stapling In Apache 2.4 It is important to avoid some settings of OCSP Stapling on a production website as it can give errors like OCSP Response Expired or just in case of Nginx 502. Here is how to configure OCSP Stapling on Apache 2.4+ with full configuration. These are among TLS optimisazion. In our case, the server operating system in example is Ubuntu.
How To Configure OCSP Stapling On Apache 2.4+
The file in the current context we will tweak is the default SSL configuration file for the active website, which can be :
Advertisement---
1 | /etc/apache2/sites-available/default-ssl.conf |
or
1 | /etc/apache2/sites-available/000-default-le-ssl.conf |
or of course it can be your custom named file. The reference of this guide on Apache’s site is :
1 2 | https://wiki.apache.org/httpd/OCSPStapling https://httpd.apache.org/docs/2.4/mod/mod_ssl.html |
Our that default SSL virtual host file looks like :
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 | <IfModule mod_ssl.c> <VirtualHost *:443> ServerName thecustomizewindows.com ProtocolsHonorOrder On Protocols http/1.1 h2 ServerAdmin admin@thecustomizewindows.com DocumentRoot /var/www/html ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined SSLCertificateFile /path/to/ssl/cert.crt SSLCertificateKeyFile /path/to/ssl/private.key SSLCertificateChainFile /path/to/ssl/intermediate.crt SSLOpenSSLConfCmd DHParameters "/path/to/dhparams_4096.pem" ... ... SSLOpenSSLConfCmd ECDHParameters secp384r1 SSLOpenSSLConfCmd Curves secp521r1:secp384r1 ... |
Then add two lines above the SSLCryptoDevice not really related to it but there is reason to keep it :
1 2 3 4 5 6 7 8 9 | <IfModule mod_ssl.c> SSLCryptoDevice dynamic SSLStaplingCache shmcb:/etc/apache2/stapling_cache(128000) <VirtualHost *:443> ServerName thecustomizewindows.com ProtocolsHonorOrder On Protocols http/1.1 h2 ... ... |
We will only add these four directions :
1 2 3 4 | SSLOCSPEnable on SSLUseStapling on SSLOCSPResponseMaxAge 900 SSLOCSPResponseTimeSkew 300 |
immediately after the SSL cert location (for convenience), so that full configuration looks like :
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 | IfModule mod_ssl.c> SSLCryptoDevice dynamic SSLStaplingCache shmcb:/etc/apache2/stapling_cache(128000) <VirtualHost *:443> ServerName thecustomizewindows.com ProtocolsHonorOrder On Protocols http/1.1 h2 ServerAdmin admin@thecustomizewindows.com DocumentRoot /var/www/html ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined SSLCertificateFile /path/to/ssl/cert.crt SSLCertificateKeyFile /path/to/ssl/private.key SSLCertificateChainFile /path/to/ssl/intermediate.crt SSLOpenSSLConfCmd DHParameters "/path/to/dhparams_4096.pem" SSLOCSPEnable on SSLUseStapling on SSLOCSPResponseMaxAge 900 SSLOCSPResponseTimeSkew 300 |
Then create a directory and give it proper permission for Apache :
1 2 3 | mkdir /etc/apache2/stapling_cache chown www-data /etc/apache2/stapling_cache chmod 755 /etc/apache2/stapling_cache |
I am quite sure that you will asking about creation of the directory and giving permission. It is bypassing a bug in one pre-compiled version.
Now run configtest :
1 | apachectl -t |
Then restart the Apache :
1 | sudo systemctl restart apache2.service |
Of course test on SSL Labs :
1 | https://www.ssllabs.com/ssltest/analyze.html |
Next, you should read ahead our next guide to optimise OSCP Stapling and prevent error.
