Optimize the page of personal blog website and enable OCSP Stapling

Li Yang's Blog, 2022-09-08


Online Certificate Status Protocol (OCSP) is one of the two common mechanisms for checking the revocation status of the certificates that protect servers and other network resources. The other, older mechanism, the Certificate Revocation List (CRL), has for many years been largely superseded by OCSP.

[Figure 1: Personal blog website page optimization, enabling OCSP Stapling]

Brief introduction

Online Certificate Status Protocol (OCSP) overcomes the main defect of the Certificate Revocation List (CRL): the client must download the list frequently to keep it up to date. When a user attempts to access a server, the OCSP client sends a request for the certificate's status information, and the responder replies with a "valid", "expired" or "unknown" response. The protocol specifies the communication syntax between the server and client applications. OCSP also gives users a grace period for expired certificates, so that they can continue to access the server for a period of time before renewal.

In practice, OCSP stapling can also speed up website access, especially when the CA's OCSP servers are subject to DNS pollution (the Let's Encrypt OCSP server was affected in the past) or are hosted overseas.

OCSP Stapling

This downgrade attack prompted CAs and browser vendors to introduce an SSL certificate extension commonly known as OCSP Must-Staple, defined in RFC 7633 (although the RFC itself does not use this name, which can cause some confusion). It simply marks the certificate as requiring OCSP stapling: if the browser encounters a certificate with this extension and no stapled OCSP response, the connection is rejected. OCSP Must-Staple mitigates the downgrade attack and reduces unnecessary traffic to the CA's OCSP responder, which also helps improve the overall performance of OCSP.

Enable OCSP stapling in the server

To save you the trouble of searching, the following sections contain instructions on how to enable OCSP stapling on your server.

Nginx

To enable OCSP stapling on an Nginx server, add the following directives to the server's configuration file:

    ssl_stapling on;
    ssl_stapling_verify on;
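To confirm that the server really staples a response after the change, here is an added shell helper (not from the original post) that runs `openssl s_client -status` and classifies its output; the function names `classify_ocsp` and `check_stapling` are my own, and the two sample outputs are constructed for testing offline.

```shell
#!/bin/sh
# Constructed sample of the lines `openssl s_client -status` prints when
# the server sends a stapled OCSP response (not captured from a real host).
STAPLED_SAMPLE='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Sep  8 00:00:00 2022 GMT
    Next Update: Sep 15 00:00:00 2022 GMT'

# Constructed sample for a server that does not staple at all.
UNSTAPLED_SAMPLE='OCSP response: no response sent'

# classify_ocsp: reads s_client output on stdin and prints one of
#   stapled:good | stapled:revoked | stapled:unknown | not-stapled | error
classify_ocsp() {
  out=$(cat)
  case "$out" in
    *"OCSP response: no response sent"*) echo "not-stapled" ;;
    *"OCSP Response Status: successful"*)
      # Pull the certificate status out of the stapled response.
      status=$(printf '%s\n' "$out" | sed -n 's/^ *Cert Status: *//p' | head -n 1)
      echo "stapled:${status:-unknown}" ;;
    *) echo "error" ;;
  esac
}

# check_stapling HOST [PORT]: open a TLS connection with a status_request
# (SNI set so the right certificate is served) and classify the result.
check_stapling() {
  host=$1
  port=${2:-443}
  openssl s_client -connect "$host:$port" -servername "$host" -status \
    </dev/null 2>/dev/null | classify_ocsp
}
```

Note that for `ssl_stapling_verify on` nginx also needs a `resolver` directive and an `ssl_trusted_certificate` covering the issuer chain, and it fetches the OCSP response lazily, so the first handshake after a restart usually reports not-stapled; run the check twice.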

Of course, if your website is served through a CDN, you do not need to set this on the origin server: CDNs generally provide OCSP stapling themselves. Take Tencent Cloud CDN as an example:

Log in to the CDN console, select [Domain Name Management] in the menu bar, and click [Management] to the right of the domain name to enter the domain name configuration page. Under [Https Configuration] you will find [OCSP Binding Configuration]. It is off by default; click the switch to turn OCSP stapling on or off, as shown in the figure below:

[Figure 2: Personal blog website page optimization, enabling OCSP Stapling]

Note: after the certificate configuration is deleted, the OCSP stapling configuration becomes invalid at the same time.

Tencent Cloud CDN is not the only major provider that supports this setting. As long as HTTPS is enabled, it is better to turn OCSP stapling on.

Summary

The Web is a complex network of interdependent components that (usually) work together to provide a seamless browsing experience. However, the increasing complexity of the system has expanded the attack surface and enabled the design and execution of new network attacks. A large number of components also naturally increases latency, which means that enterprises need to find ways to improve security without hurting the user experience. Enabling OCSP stapling gives you both higher security and improved website performance.

Article copyright notice: unless otherwise noted, articles on Lao Li's Notes are original; for reprints or copies, please use a hyperlink and indicate the source.
