the aspectra blog IT know-how & more, since 2012

OCSP Stapling: Optimising certificate validation


Server-side OCSP for certificate validation: less traffic, more privacy and increased efficiency - another step towards future-proof web security.

A valid TLS certificate issued by a trusted Certificate Authority (CA) is essential for today's websites. To find out whether such an X.509 certificate has since been revoked, browsers traditionally query the issuing CA's responder at connection time using the Online Certificate Status Protocol (OCSP, RFC 6960). Improving how this revocation check is performed is therefore a key aspect of web and network security. One effective method is server-side OCSP, better known as OCSP stapling (the TLS status_request extension, RFC 6066). Instead of every client asking the CA, the web server itself queries the OCSP responder, caches the CA-signed response and sends ("staples") it to the client together with the certificate during the TLS handshake. The client still verifies the CA's signature on the response, so the server cannot forge a good status; it merely delivers it. This has several advantages over client-side validation:

1. Reduced traffic and improved performance:

OCSP stapling removes the round trip from each client to the CA's responder and cuts the query volume the CA has to serve: one response per server per validity period replaces one query per client connection. Both sides gain, the client through faster connection setup and the CA through lower load, which matters most at large volumes of traffic. Let's Encrypt is a prime example, handling an impressive 100'000 OCSP requests per second.

2. Improved client privacy:

When the web server fetches the OCSP response on the client's behalf, the Certificate Authority no longer learns which sites a client is visiting or from which IP address: the only party contacting the responder is the web server, and it asks only about its own certificate. This helps to protect user privacy.

Implementation and impact

Implementing OCSP stapling is relatively straightforward. The web server reads the OCSP responder URL from the certificate's Authority Information Access (AIA) extension, fetches the signed response, caches it and refreshes it periodically before its nextUpdate time expires, so that it always holds a fresh proof that the certificate has not been revoked. That response is delivered to the client, which verifies it and no longer needs to contact the responder itself. In the past, aspectra sent OCSP stapling requests through the outbound proxy (proxy-out) by default, but this could cause disruption, for example when a CDN went down. For this reason, it was decided to send these requests directly and no longer via proxy servers in order to increase stability and reliability.
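The exchange described above, replayed offline as an added example (this is not aspectra's code): a throwaway CA is created with OpenSSL, the OCSP URL is read from the leaf certificate's AIA extension, a request is built, OpenSSL's own responder answers it in place of the CA, and the response is verified the way a stapling server should before caching it. The hostnames, the OCSP URL, the serial number and the index dates are constructed for the demo; a revoked variant is included to show the status the server would end up stapling in that case.

```shell
#!/bin/sh
# Added example, not aspectra's code: replays the OCSP exchange that a stapling
# web server performs, offline, using a throwaway CA and OpenSSL's built-in
# responder. All names, URLs, serials and dates below are constructed for the demo.
set -eu

# 1. Private CA plus a leaf certificate whose AIA extension names an OCSP URL.
make_test_pki() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo Test CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  printf '%s\n' 'basicConstraints = CA:FALSE' \
    'subjectAltName = DNS:www.example.test' \
    'authorityInfoAccess = OCSP;URI:http://ocsp.example.test/' >"$dir/leaf.ext"
  openssl x509 -req -days 90 -set_serial 0x1001 -in "$dir/leaf.csr" \
    -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -extfile "$dir/leaf.ext" \
    -out "$dir/leaf.pem" 2>/dev/null
}

# 2. What the server reads from its own certificate: the responder URL in AIA.
ocsp_url_of() { openssl x509 -in "$1" -noout -ocsp_uri; }

# 3. The OCSP request the server would POST to that URL (DER, written to a file).
build_request() {
  openssl ocsp -issuer "$1/ca.pem" -cert "$1/leaf.pem" -no_nonce \
    -reqout "$1/req.der" 2>/dev/null
}

# The CA's side: OpenSSL's responder answers from an index file that plays the
# CA database (V = valid, R = revoked with a revocation time). -ndays 1 sets the
# nextUpdate time, i.e. how long a stapling server may cache the answer.
answer_request() {
  dir=$1 status=$2
  serial=$(openssl x509 -in "$dir/leaf.pem" -noout -serial | sed 's/^serial=//')
  if [ "$status" = revoked ]; then
    printf 'R\t301231235959Z\t250101000000Z\t%s\tunknown\t/CN=www.example.test\n' "$serial"
  else
    printf 'V\t301231235959Z\t\t%s\tunknown\t/CN=www.example.test\n' "$serial"
  fi >"$dir/index.txt"
  rm -f "$dir/resp.der"
  openssl ocsp -index "$dir/index.txt" -CA "$dir/ca.pem" -rsigner "$dir/ca.pem" \
    -rkey "$dir/ca.key" -ndays 1 -no_nonce -reqin "$dir/req.der" \
    -respout "$dir/resp.der" -CAfile "$dir/ca.pem" >/dev/null 2>&1 || true
  [ -s "$dir/resp.der" ]
}

# 4. What a careful stapling server (and every client) checks before trusting
# the response: the CA's signature and the thisUpdate/nextUpdate window.
# Prints good / revoked / unknown, or FAIL if signature or validity checks fail.
check_response() {
  dir=$1
  out=$(openssl ocsp -respin "$dir/resp.der" -issuer "$dir/ca.pem" \
        -cert "$dir/leaf.pem" -CAfile "$dir/ca.pem" -no_nonce 2>&1 || true)
  case $out in
    *"Response verify OK"*) printf '%s\n' "$out" | sed -n 's/^.*leaf\.pem: //p' ;;
    *) echo FAIL ;;
  esac
}

# Live check against a deployed server (needs network, so not part of the demo):
# openssl s_client -connect www.example.test:443 -servername www.example.test \
#   -status </dev/null 2>/dev/null | grep -A1 'OCSP Response Status'
```

Run the functions in order against a temporary directory: make_test_pki, ocsp_url_of, build_request, answer_request with "good" or "revoked", then check_response. The last step is the one a server must not skip: a stapled response is only worth sending if its signature verifies against the issuer and it is still within its validity window, since the client will perform exactly the same check.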

Outlook and recommendations

The first implementations of OCSP stapling in the aspectra infrastructure have shown that the devil is in the detail. There are more components involved than originally assumed. OCSP stapling has led to lower availability on the WAFs. This reduced availability is largely due to the implementation and behaviour of the Apache HTTP server: in general, mod_ssl fetches a response inline during the TLS handshake whenever its stapling cache holds no valid entry, and unless SSLStaplingReturnResponderErrors is switched off it forwards responder errors to the client, so a slow or unreachable responder turns into delayed or failed handshakes. From the perspective of a hoster of business-critical applications, availability is the most important factor. For this reason, we have decided to enable OCSP stapling on the WAFs only on customer request.