Online Certificate Status Protocol (OCSP) is a mechanism for browsers to check the validity of certificates presented by HTTPS websites. This guards against revoked certificates. This has been an issue for big websites, which had bad certs issued and had to be revoked. Google has stated its intent to begin distrusting Symantec certs in 2018. A counterpoint to Google appears in this interesting article which notes deficiencies in Chrome’s implementation of OCSP, and of privacy issue for the website visitors with OCSP checks.
Let’s look at what Mozilla is doing about this, as they have attempted to implement OCSCP correctly.
Telemetry indicates that fetching OCSP results is an important cause of slowness in the first TLS handshake. Firefox is, today, the only major browser still fetching OCSP by default for DV certificates. In Bug 1361201 we tried reducing the OCSP timeout to 1 second (based on CERT_VALIDATION_HTTP_REQUEST_SUCCEEDED_TIME), but that seems to have caused only a 2% improvement in SSL_TIME_UNTIL_HANDSHAKE_FINISHED. This bug is to disable OCSP fetching for DV certificates. OCSP fetching should remain enabled for EV certificates. OCSP stapling will remain fully functional. We encourage everyone to use OCSP stapling.
So they are moving away from OCSP to OSCP stapling. From wikipedia, “OCSP stapling, formally known as the TLS Certificate Status Request extension, is an alternative approach to the Online Certificate Status Protocol(OCSP) for checking the revocation status of X.509 digital certificates. It allows the presenter of a certificate to bear the resource cost involved in providing OCSP responses by appending (“stapling”) a time-stamped OCSP response signed by the CA to the initial TLS handshake, eliminating the need for clients to contact the CA”
How to setup OCSP stapling with letsencrypt:
The CSR request can request OCSP_MUST_STAPLE option (PARAM_OCSP_MUST_STAPLE=”yes”). The issued cert will have the parameter with OID 220.127.116.11.18.104.22.168.24 and an OCSP URI which are shown with
openssl x509 -in cert.pem -text |grep 1.24
openssl x509 -noout -ocsp_uri -in cert.pem
This changes the cert itself that is issued, so independent of haproxy/nginx configuration that disables OCSP, the browser checks this cert and shows the error. Also this parameter is not shown in the safari/firefox on cert inspection, but shows up on command line as param 22.214.171.124.126.96.36.199.24 being present in the downloaded cert.
- Figure out which of the Let’s Encrypt certificates was used to sign your certificate.
- Download that certificate in PEM format.
- Point nginx to this file as the “trusted certificate”.
- In your nginx.conf file, add these directives to the same block that contains your other
ssl_stapling on; ssl_stapling_verify on; ssl_trusted_certificate ssl/chain.pem;