CDN OCSP Stapling
HTTPS is ubiquitous these days and plays a crucial role in making the web safer and more private. We encourage our customers to use HTTPS whenever possible (check out our feature "Force SSL"). Now that everyone is using HTTPS, we don't want to sacrifice any performance for a safer connection. We at KeyCDN are passionate about offering the best performance not only for HTTP but also for HTTPS. Our mission is to make the web faster and more secure. In this article we share some insights about OCSP stapling and why it is essential for fast HTTPS.
When a client establishes an HTTPS connection to a server, among other checks the client needs to make sure that the certificate has not been revoked in the meantime. Traditionally there have been two methods for checking the revocation status:
- Certificate Revocation List (CRL): Certificate Authorities (CAs) regularly issue a list of the serial numbers of all revoked certificates. This list is signed by the CA, and the client checks whether the serial number of the presented certificate is present in the list.
- Online Certificate Status Protocol (OCSP): In this case the client directly queries the CA about this specific SSL certificate and checks whether it has been revoked. The OCSP response is signed by the CA, so there is a guarantee that it hasn't been altered along the way. OCSP is defined in IETF RFC 2560 and RFC 5019.
Online Certificate Status Protocol Stapling (OCSP stapling) is an alternative method for checking the validity of certificates. OCSP stapling enhances OCSP by allowing the presenter of a certificate to deliver the OCSP response to the client itself. The server presenting the certificate sends the OCSP requests to the certificate authority and caches the signed response from the CA. As part of the SSL handshake, the server then includes the CA's signed confirmation in its response to the client. Advantages of OCSP stapling:
- Performance: The client doesn't need to make another request to the CA, because the OCSP response is already part of the SSL handshake. This is the main advantage of OCSP stapling.
- Privacy: If the browser has to contact the CA for every certificate, the CA also learns which domains the client is visiting. Since KeyCDN is now making the OCSP request, the CA no longer sees any details about the client.
- Availability: With OCSP stapling, a client still has a guarantee that the certificate is not revoked even if the OCSP service of the CA is down, for as long as the cached response remains within its validity period.
KeyCDN fully supports OCSP stapling.
How to check CDN OCSP stapling
There is no action required on your side to make OCSP stapling work. This feature is automatically enabled when you serve content with KeyCDN over SSL. Qualys SSL Labs shows the status of OCSP stapling in its SSL analysis. Please note that the correct OCSP stapling status will only be shown for the 2nd request, because the first request triggers the OCSP fetch whose response is then cached.
Alternatively, you can easily check the OCSP stapling status from your console (the -status flag asks s_client to request and print the stapled OCSP response; do not force a legacy protocol version such as -tls1, since most servers reject TLS 1.0 today):
echo QUIT | openssl s_client -connect example-hexid.kxcdn.com:443 -servername example-hexid.kxcdn.com -tlsextdebug -status
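As an added example (not part of the original article and not KeyCDN's own tooling), the following POSIX shell script wraps the openssl check above: it classifies the s_client output as stapled or not, extracts the validity window and certificate status from a stapled response, and retries the live check once to cover the case described above where the first handshake only triggers the OCSP fetch. The hostname in the usage comment is a placeholder for your own zone alias, and the two sample outputs are constructed from openssl's output format so the parsing can be exercised offline.

```shell
#!/bin/sh
# Added example, not KeyCDN's own tooling: check whether a TLS endpoint staples
# an OCSP response by parsing the output of `openssl s_client -status`.

# Classify captured s_client output. Prints one of: stapled, not-stapled, unknown.
# openssl prints "OCSP Response Status: successful (0x0)" when a stapled response
# was received and "OCSP response: no response sent" when the server sent none.
classify_ocsp_output() {
  case "$1" in
    *"OCSP Response Status: successful"*) echo "stapled" ;;
    *"OCSP response: no response sent"*)  echo "not-stapled" ;;
    *)                                    echo "unknown" ;;
  esac
}

# Certificate status carried inside the stapled response (good / revoked / unknown).
# A stapled response proves freshness, not that the certificate is valid, so check both.
stapled_cert_status() {
  status=$(printf '%s\n' "$1" | grep -E '^[[:space:]]*Cert Status:' | head -n 1)
  case "$status" in
    *good*)    echo "good" ;;
    *revoked*) echo "revoked" ;;
    *)         echo "unknown" ;;
  esac
}

# Validity window of the stapled response, so you can see how fresh the cached
# copy is (clients reject a response that is past its "Next Update" time).
stapled_validity() {
  printf '%s\n' "$1" | grep -E 'This Update|Next Update' | sed 's/^[[:space:]]*//'
}

# Live check against a host. Tries twice with a short pause: a server that
# fetches OCSP responses lazily may only staple from the second handshake on.
check_stapling() {
  host="$1"
  port="${2:-443}"
  attempt=1
  result="unknown"
  while [ "$attempt" -le 2 ]; do
    out=$(echo QUIT | openssl s_client -connect "$host:$port" -servername "$host" -status 2>&1)
    result=$(classify_ocsp_output "$out")
    if [ "$result" = "stapled" ]; then
      stapled_validity "$out" >&2
      echo "cert status: $(stapled_cert_status "$out")" >&2
      break
    fi
    attempt=$((attempt + 1))
    sleep 1
  done
  echo "$result"
}

# Constructed sample outputs, trimmed to the lines the parser looks at.
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan  1 00:00:00 2024 GMT
    Next Update: Jan  8 00:00:00 2024 GMT
======================================'
SAMPLE_NOT_STAPLED='CONNECTED(00000003)
OCSP response: no response sent
---'

# Run the live check only when a host is given on the command line, e.g.
#   sh ocsp_check.sh example-hexid.kxcdn.com      (placeholder zone alias)
if [ $# -gt 0 ]; then
  check_stapling "$1" "${2:-443}"
fi
```

The classifier keys on the two fixed strings openssl prints for the stapled and not-stapled cases, and treats anything else (connection refused, handshake failure) as unknown rather than as a negative result, so a network problem is not mistaken for missing stapling.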
Support of OCSP stapling today
All common browsers support OCSP stapling today. But what happens if OCSP stapling is not supported? The browser falls back to the other available options (such as OCSP and CRL). There is no common practice for how this is done:
- Chrome has discontinued support for CRL and OCSP checks. Chrome supports OCSP stapling and, in addition, uses its own mechanism for detecting revoked certificates.
- OCSP stapling was implemented in Firefox 26.
- Opera started supporting OCSP stapling with version 8.0.