Support for OCSP stapling?



  • Sean Leach

    Hey Dan - you are in luck, we already support OCSP stapling. You can test it either at or with the trusty openssl cli tool:

    echo | openssl s_client -connect -tls1 -tlsextdebug -status

    Look for the OCSP Response section:

    OCSP response:
    OCSP Response Data:
        OCSP Response Status: successful (0x0)
        Response Type: Basic OCSP Response
        Version: 1 (0x0)
  • Aaron Peters

    Hi Sean,

    I can't find anything in the Fastly docs about OCSP stapling:

    My key questions

    1. Can OCSP stapling be turned on easily by the customer (turn on once, then forget about it)?

    2. Is OCSP stapling available in all TLS Service Options, e.g. the Shared TLS Certificate Service?

    3. Does Fastly have a mechanism in place to ensure the stapled response in the cert is never expired (= prefetch the OCSP response from the CA and staple in cert, before the response in the cert expires)?


  • Noah Smethwick

    Hey Aaron,

    1. No, OCSP stapling currently isn’t configurable by the customer. It is turned on by default for all of our TLS products, but if you would like to make changes you can reach out to our support team and we can help you make the desired changes.

    2. As I mentioned above, OCSP stapling is enabled by default on all of our TLS Products.

    3. OCSP stapling is done on a best-effort basis. That being said, we do have multiple mechanisms in place to make sure things go smoothly. For instance, we will prefetch responses from our CA and check them to make sure the response is not expired. If we do get an expired response back we will not overwrite the current stapled response with an expired one.


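The two answers above leave a customer with a manual check (Sean's openssl command) and an important caveat (Noah's point that the stapled response must not be expired). The following script, added here as an example and not part of the thread or of any Fastly tooling, turns both into an automated check: it runs the same `openssl s_client -status` command against a host you name, parses the OCSP block from the output, and reports whether a response was stapled at all, whether the responder said "successful" / "good", and whether the response's Next Update is still in the future. The two text samples embedded in it are constructed to look like openssl's output and were not captured from any real host; the host, port and timeout are assumed parameters.

```python
import re
import subprocess
from datetime import datetime, timezone

# Constructed sample of what `openssl s_client -status` prints when the server
# staples a valid OCSP response (fields trimmed; not captured from a real host).
SAMPLE_STAPLED = """\
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Produced At: Jan  1 00:00:00 2024 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
    Cert Status: good
    This Update: Jan  1 00:00:00 2024 GMT
    Next Update: Jan  8 00:00:00 2024 GMT
======================================
---
Certificate chain
"""

# Constructed sample for a server that does not staple anything.
SAMPLE_NO_STAPLE = """\
OCSP response: no response sent
---
Certificate chain
"""

_TIME_FMT = "%b %d %H:%M:%S %Y GMT"   # openssl's ASN1_TIME print format


def _parse_time(s):
    """Turn 'Jan  8 00:00:00 2024 GMT' into an aware UTC datetime."""
    return datetime.strptime(s.strip(), _TIME_FMT).replace(tzinfo=timezone.utc)


def parse_ocsp_output(text):
    """Extract the stapled-OCSP facts from `openssl s_client -status` output."""
    info = {"stapled": False, "response_status": None, "cert_status": None,
            "this_update": None, "next_update": None}
    if "OCSP Response Data:" not in text:
        return info                      # "no response sent" or no -status block
    info["stapled"] = True
    m = re.search(r"OCSP Response Status:\s*(\w+)", text)
    info["response_status"] = m.group(1) if m else None
    m = re.search(r"Cert Status:\s*(\w+)", text)
    info["cert_status"] = m.group(1) if m else None
    m = re.search(r"This Update:\s*(.+)", text)
    info["this_update"] = _parse_time(m.group(1)) if m else None
    m = re.search(r"Next Update:\s*(.+)", text)
    info["next_update"] = _parse_time(m.group(1)) if m else None
    return info


def check_staple(text, now=None):
    """Return (ok, reason): ok only if a good, currently valid response is stapled."""
    info = parse_ocsp_output(text)
    now = now or datetime.now(timezone.utc)
    if not info["stapled"]:
        return False, "no OCSP response stapled"
    if info["response_status"] != "successful":
        return False, f"responder status {info['response_status']}"
    if info["cert_status"] != "good":
        return False, f"certificate status {info['cert_status']}"
    # A stapled response with no Next Update, or one in the past, is exactly the
    # stale-staple case the thread warns about; treat it as a failure.
    if info["next_update"] is None or now >= info["next_update"]:
        return False, "stapled response has expired (Next Update is in the past)"
    if info["this_update"] is not None and now < info["this_update"]:
        return False, "stapled response is not yet valid"
    return True, "stapled response is current"


def fetch_ocsp_output(host, port=443, timeout=15):
    """Run the same openssl command as in the thread and return its stdout (live check)."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-servername", host, "-status"]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    return proc.stdout.decode("utf-8", errors="replace")


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # assumed host
    ok, reason = check_staple(fetch_ocsp_output(target))
    print(f"{target}: {'OK' if ok else 'FAIL'} - {reason}")
    sys.exit(0 if ok else 1)
```

Run it as `python3 check_staple.py <your-hostname>`; a non-zero exit marks a host that either does not staple or serves a stale response, which makes it easy to drop into a cron job or monitoring check. Because `-servername` is passed, the check exercises the certificate the edge selects by SNI, which is the one a browser would see.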
