Support for OCSP stapling?
Just curious – is support for OCSP stapling something that’s currently on the roadmap?
-
Hey Dan - you are in luck, we already support OCSP stapling. You can test it either at https://www.ssllabs.com or with the trusty openssl cli tool:
echo | openssl s_client -connect www.fastly.com:443 -tls1 -tlsextdebug -status
Look for the OCSP Response section:
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    ...
-
Hi Sean,
I can't find anything in the Fastly docs about OCSP stapling:
https://docs.fastly.com/search#stq=ocsp&stp=1
My key questions:
1. Can OCSP stapling be turned on easily by the customer (turn on once, then forget about it)?
2. Is OCSP stapling available in all TLS Service Options, e.g. the Shared TLS Certificate Service?
3. Does Fastly have a mechanism in place to ensure the stapled response in the cert is never expired (= prefetch the OCSP response from the CA and staple in cert, before the response in the cert expires)?
-
Hey Aaron,
1. No, OCSP stapling currently isn’t configurable by the customer. It is turned on by default for all of our TLS products, but if you would like to make changes you can reach out to our support team and we can help you make the desired changes.
2. As I mentioned above, OCSP stapling is enabled by default on all of our TLS Products.
3. OCSP stapling is done on a best-effort basis. That being said, we do have multiple mechanisms in place to make sure things go smoothly. For instance, we will prefetch responses from our CA and check them to make sure the response is not expired. If we do get an expired response back we will not overwrite the current stapled response with an expired one.
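The openssl check from the first reply tells you whether a staple is present, but the third question (is the stapled response ever expired?) needs a look at the response's "Next Update" field. The following is an added example, not Fastly's code or anything from this thread: a small POSIX sh function that classifies a saved `openssl s_client -status` transcript as `none` (no staple sent), `failed` (a non-successful OCSP status), `expired` (Next Update already in the past) or `ok`. The transcript below is constructed to match the shape openssl prints, not a real capture; GNU `date -d` is assumed for timestamp parsing, and the optional second argument lets you pin "now" for repeatable checks.

```shell
#!/bin/sh
# Added example (not Fastly's code): classify an "openssl s_client -status"
# transcript by its stapled OCSP response. Assumes GNU date for "Next Update".

# Usage: ocsp_staple_status TRANSCRIPT_FILE [NOW_EPOCH]
# Prints one of: none | failed | expired | ok | unknown
ocsp_staple_status() {
    file=$1
    now=${2:-$(date +%s)}

    # No "OCSP Response Status" line means the server sent no staple at all.
    if ! grep -q 'OCSP Response Status:' "$file"; then
        echo none
        return 0
    fi

    # Any status other than "successful" is a failed or withheld response.
    if ! grep -q 'OCSP Response Status: successful' "$file"; then
        echo failed
        return 0
    fi

    # "Next Update" closes the response's validity window; a staple past it
    # is exactly the stale-staple case the questions above worry about.
    next_update=$(sed -n 's/^[[:space:]]*Next Update: //p' "$file" | head -n 1)
    if [ -z "$next_update" ]; then
        echo ok      # responder set no Next Update; nothing to expire against
        return 0
    fi
    expiry=$(date -d "$next_update" +%s 2>/dev/null) || { echo unknown; return 0; }
    if [ "$expiry" -le "$now" ]; then
        echo expired
    else
        echo ok
    fi
}

# Constructed sample transcript (same layout as openssl's -status output,
# with a good certificate status and a one-week validity window in 2030).
write_sample_transcript() {
    cat > "$1" <<'EOF'
CONNECTED(00000003)
TLS server extension "status request" (id=5), len=0
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Produced At: Jan  1 00:00:00 2030 GMT
    Responses:
    Cert Status: good
    This Update: Jan  1 00:00:00 2030 GMT
    Next Update: Jan  8 00:00:00 2030 GMT
======================================
EOF
}

# Stand-alone run: evaluate the constructed sample at two points in time.
if [ "${0##*/}" != "sh" ] && [ -z "${OCSP_EXAMPLE_NO_MAIN:-}" ]; then
    tmp=$(mktemp)
    write_sample_transcript "$tmp"
    echo "at 2030-01-01: $(ocsp_staple_status "$tmp" 1893456000)"
    echo "at 2030-01-09: $(ocsp_staple_status "$tmp" 1894147200)"
    rm -f "$tmp"
fi
```

Against a live endpoint you would feed the real transcript in, for example `echo | openssl s_client -connect HOST:443 -status 2>/dev/null > /tmp/t.txt; ocsp_staple_status /tmp/t.txt`, and alert on anything other than `ok`; `none` on a host that is supposed to staple is as worth investigating as `expired`.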