OCSP Stapling

OCSP stands for Online Certificate Status Protocol. It is a process whereby the server checks against the CA (Certificate Authority) to ensure the certificate is valid. If the certificate is in the CRL (Certificate Revocation List), a list of certificates that have been revoked, it is no longer valid.

For OCSP to work, it has to check with the CA, which causes two problems:

1) Busy websites will make many requests to the CA, causing traffic congestion.

2) The CA can log every request made when it checks the certificate information, which compromises privacy, as the requests reveal the SSL connections users are making.

To resolve this, OCSP Stapling caches the response obtained from the CA on the server side and passes it on to the client. With this method, fewer requests are made to the CA and the CA cannot log this information.

The request follows one of the following scenarios:

1st client: SSL Handshake >> OCSP doesn't exist >> Check with CA >> Return with OCSP and store it >> Return SSL handshake response

2nd client: SSL Handshake >> OCSP exists >> Return SSL handshake response

3rd client: SSL Handshake >> OCSP exists but expired >> Check with CA >> Return with OCSP and store it >> Return SSL handshake response

OCSP no status

SSL Handshake >> OCSP doesn't exist >> Check with CA >> Return with no OCSP status >> Abort connection
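To make the four scenarios above concrete, here is an added example (not code from the original post) that simulates the server-side stapling cache in Python. The CA lookup is a constructed callable rather than a real responder, and the serial numbers and validity windows are assumptions; the four handshakes replay the 1st, 2nd and 3rd client cases and the no-status abort.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class OcspResponse:
    status: str         # "good" or "revoked"
    next_update: float  # epoch seconds; the response is stale from this point on


# The CA lookup is injected as a callable so the example runs offline.
# It returns None when the responder has no status for the certificate.
FetchFromCa = Callable[[str], Optional[OcspResponse]]


class StaplingCache:
    """Server-side cache of OCSP responses, keyed by certificate serial."""

    def __init__(self, fetch_from_ca: FetchFromCa):
        self.fetch_from_ca = fetch_from_ca
        self.cache: Dict[str, OcspResponse] = {}

    def handshake(self, serial: str, now: float) -> Tuple[str, Optional[OcspResponse]]:
        """Return (outcome, response to staple); a None response means abort."""
        cached = self.cache.get(serial)
        if cached is not None and now < cached.next_update:
            return "stapled from cache", cached              # 2nd client
        outcome = "fetched from CA" if cached is None else "refetched (expired)"
        fresh = self.fetch_from_ca(serial)
        if fresh is None:
            self.cache.pop(serial, None)                     # never staple stale data
            return "abort: no OCSP status", None             # OCSP no status
        self.cache[serial] = fresh
        return outcome, fresh                                # 1st and 3rd client


def demo() -> Tuple[List[str], int]:
    """Replay the page's four scenarios against a constructed CA responder."""
    ca_calls: List[str] = []

    def fake_ca(serial: str) -> Optional[OcspResponse]:
        ca_calls.append(serial)
        if serial == "unknown-serial":                       # constructed: CA has no record
            return None
        # Constructed validity window: ends at 3600 s after the first fetch, 7200 s after the second.
        return OcspResponse("good", next_update=ca_calls.count(serial) * 3600.0)

    server = StaplingCache(fake_ca)
    events = [server.handshake("site-cert", now)[0] for now in (0.0, 1000.0, 4000.0)]
    events.append(server.handshake("unknown-serial", 4100.0)[0])
    return events, len(ca_calls)
```

Only the first, the expired and the unknown handshakes reach the CA; the second client is served from the cache.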

OCSP Error

By default OCSP should work as intended; however, due to a small misfortune I have identified a scenario whereby OCSP may return a false positive error message.

Under Firefox 37.0.1 there can be instances whereby only Firefox returns the error:

The OCSP server has no status for the certificate. (Error code: sec_error_ocsp_unknown_cert)

Under other OSes, browsers and networks the website works as normal, but Firefox in all environments returns this error. The issue relates to the server time being offset from the real time.

Server time: 09:54:55 up 131 days,  5:48,  2 users,  load average: 0.06, 0.04, 0.05

The server time had an 8 minute variance from the real time. We tried to reset the time on the server to sync it with NTP, but it didn't work. Ultimately we had no choice, so we just rebooted the server. By doing this, we synchronised the server time with the real time and the issue was resolved. Afterwards NTP was in sync, so we won't have this issue again.