OCSP stapling only partial?
07-19-2019, 06:12 PM (This post was last modified: 07-19-2019 06:16 PM by billyboylindien.)
Post: #1
Hi,
I'm really new to OCSP stapling.

I activated it on our website.
Before:
https://www.webpagetest.org/result/19071...bd8402743/
After:
https://www.webpagetest.org/result/19071...68b7bd1e2/

Before, we had 2 OCSP calls, but there still remains one call to http://ocsp.usertrust.com

Is it normal?
Maybe my Apache configuration is not OK?
Code:
SSLCACertificateFile /etc/ssl/certs/ca-certificates.crt
SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
SSLUseStapling on

Code:
# echo QUIT | openssl s_client -servername www.sutunam.com -connect www.sutunam.com:443 -status 2> /dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: 2C69FF80C98790AE34E1B4E74C93859940E9A7B2
    Produced At: Jul 18 07:05:04 2019 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: BCDE91268256135DFC85EFC392F9189345669D92
      Issuer Key Hash: 2C69FF80C98790AE34E1B4E74C93859940E9A7B2
      Serial Number: BFDA66FABBB25F667729D64937F5D7C1
    Cert Status: good
    This Update: Jul 18 07:05:04 2019 GMT
    Next Update: Jul 22 07:05:04 2019 GMT

I was thinking that once activated there would be no more OCSP calls :)
07-20-2019, 08:42 PM
Post: #2
RE: OCSP stapling only partial?
The certificate chain is leaf (sutunam.com) > intermediary (Sectigo) > root (UserTrust).

In this case it looks like it's the intermediary cert from Sectigo that's not being stapled, which is pretty common for DigiCert (which is who Sectigo are) EV certificates.

If you examine the cert chain in Chrome or Safari, you'll see the OCSP endpoint for the intermediary certificate matches the request you're seeing.

Andy

Using WebPageTest - http://usingwpt.com/
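The two posts above together describe a check worth automating: read the stapled response that `openssl s_client -status` prints (post #1), confirm it is usable (successful, status good, inside its This Update / Next Update window), and then work out which certificates in the chain a browser must still query itself because the staple covers only one serial number (Andy's point in post #2). The script below is an added example, not code from the thread or from WebPageTest. The s_client output and the chain summary it parses are constructed samples: the serial numbers, responder URLs and dates are made up, and the chain entries stand in for what `openssl x509 -noout -serial -ocsp_uri` reports for each PEM in the chain.

```python
"""Check a stapled OCSP response (as printed by `openssl s_client -status`)
and list the OCSP responders a client still has to contact on its own."""
import re
from datetime import datetime, timezone

# Constructed sample of `openssl s_client -status` output, modelled on the
# format shown in the thread. Hashes, serial and dates are made up.
STAPLED_OUTPUT = """\
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: 0123456789ABCDEF0123456789ABCDEF01234567
    Produced At: Jul 18 07:05:04 2019 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 89ABCDEF0123456789ABCDEF0123456789ABCDEF
      Issuer Key Hash: 0123456789ABCDEF0123456789ABCDEF01234567
      Serial Number: 0A1B2C3D4E5F60718293A4B5C6D7E8F9
    Cert Status: good
    This Update: Jul 18 07:05:04 2019 GMT
    Next Update: Jul 22 07:05:04 2019 GMT
"""

# What s_client prints when the server answers status_request with nothing.
NO_STAPLE_OUTPUT = "OCSP response: no response sent\n"

# Constructed chain summary (hypothetical names): serial and AIA OCSP URL per
# certificate, as read from `openssl x509 -noout -serial -ocsp_uri`. The root
# is trusted directly and carries no OCSP URL.
CHAIN = [
    {"role": "leaf", "serial": "0A1B2C3D4E5F60718293A4B5C6D7E8F9",
     "ocsp_uri": "http://ocsp.example-ca.test/leaf"},
    {"role": "intermediate", "serial": "1122334455667788",
     "ocsp_uri": "http://ocsp.example-root.test"},
    {"role": "root", "serial": "01", "ocsp_uri": None},
]

TIME_FMT = "%b %d %H:%M:%S %Y GMT"


def parse_openssl_time(text):
    """Parse the 'Jul 18 07:05:04 2019 GMT' timestamps openssl prints."""
    return datetime.strptime(text, TIME_FMT).replace(tzinfo=timezone.utc)


def parse_staple(output):
    """Return the stapled response's key fields, or None if none was sent."""
    if "no response sent" in output or "OCSP Response Data" not in output:
        return None

    def field(name):
        m = re.search(rf"^\s*{re.escape(name)}: (.+)$", output, re.M)
        return m.group(1).strip() if m else None

    return {
        "status": field("OCSP Response Status"),
        "serial": field("Serial Number"),   # the one cert the staple covers
        "cert_status": field("Cert Status"),
        "this_update": parse_openssl_time(field("This Update")),
        "next_update": parse_openssl_time(field("Next Update")),
    }


def staple_problems(staple, now):
    """Reasons a client would ignore the staple and fall back to its own
    OCSP fetch; an empty list means the stapled response is usable."""
    if staple is None:
        return ["no OCSP response stapled"]
    problems = []
    if not staple["status"].startswith("successful"):
        problems.append(f"response status {staple['status']}")
    if staple["cert_status"] != "good":
        problems.append(f"certificate status {staple['cert_status']}")
    if now < staple["this_update"]:
        problems.append("response not yet valid")
    if now > staple["next_update"]:
        problems.append("stapled response expired; the server must refresh it")
    return problems


def unstapled_responders(chain, staple):
    """OCSP URLs the client still contacts: every chain cert that has an AIA
    OCSP URL and is not the serial covered by the staple. With Apache the
    staple covers only the leaf, so the intermediate's responder is still hit."""
    covered = staple["serial"] if staple else None
    return [c["ocsp_uri"] for c in chain
            if c["ocsp_uri"] and c["serial"] != covered]


if __name__ == "__main__":
    staple = parse_staple(STAPLED_OUTPUT)
    now = parse_openssl_time("Jul 19 12:00:00 2019 GMT")
    print("problems:", staple_problems(staple, now))
    print("still queried directly:", unstapled_responders(CHAIN, staple))
```

To use it on a live host, pipe `echo QUIT | openssl s_client -servername HOST -connect HOST:443 -status 2>/dev/null` into `parse_staple` and pass the current UTC time to `staple_problems`; the Next Update check is the one that catches a stapling cache that stopped refreshing, which a single successful test at deploy time will not show.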