Robust OCSP Stapling with Apache httpd

There are lots of posts here about OCSP stapling with Apache httpd (cf. Apache - robust OCSP stapling config, OCSP stapling advantages and disadvantages and What if Let's Encrypt goes down? - OCSP Stapling just to name a few), however, all posts are closed now. There also is a blog post describing the problematic stapling implementation of Apache httpd (https://blog.hboeck.de/archives/886-The-Problem-with-OCSP-Stapling-and-Must-Staple-and-why-Certificate-Revocation-is-still-broken.html). Main problems are that OCSP responses are fetched synchrinously and, thus, introduce a delay (especialyl if the OSCP responder goes down or is slow). This is especially a problem if OCSP must staple is used.

TLDR: Today I found a nice small project (much less dependencies compared to https://github.com/greenhost/stapled which is mainly targetting nginx and haproxy) which provides a workaround for these issues.

The project is https://github.com/philfry/ocsp_proxy. It provides a small HTTP proxy which caches (in redis) and also automatically refreshes OCSP responses periodically. This way there is no cold-start problem of Apache httpd when the cache is still empty and also there are OCSP responses cached in case the OCSP server goes down or is a slow responder.

A working configuration is:

<IfModule mod_ssl.c>
SSLUseStapling on
SSLStaplingResponderTimeout 4
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)
SSLStaplingErrorCacheTimeout 60

# for ocsp_proxy, https://github.com/philfry/ocsp_proxy/
SSLStaplingStandardCacheTimeout 3600
SSLOCSPProxyURL http://127.0.0.1:8888/
</IfModule>

I hope this is helpful for you.

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.