Online Certificate Status Protocol stapling

from Wikipedia, the free encyclopedia

Online Certificate Status Protocol stapling , formally known as the TLS certificate status query extension, is an alternative approach to the Online Certificate Status Protocol (OCSP) to check the validity status of digital certificates according to X.509 . It enables the certified person to take on the task of certificate validation by attaching an OCSP response signed by the certification authority with a time stamp to the original TLS handshake (“stapling”). This procedure significantly reduces the communication effort between clients and certification authorities.

motivation

OCSP stapling solves most of the problems with the original OCSP implementation.

The original OCSP implementation can lead to considerable costs for the certification authorities, since they have to provide each client with real-time responses for a specific certificate. For example, if a website with a high traffic volume is issued a certificate, then the certification authority's servers are likely to be hit by a large number of OCSP queries that inquire about the validity of the certificate.

OCSP checks potentially damage the privacy of the user and slow down browsing as the client has to contact another party (the certification authority) to confirm the authenticity of every certificate it encounters.

Furthermore, the client has the choice between two equally undesirable options if the establishment of contact with the certification authority fails. The client can either continue with the connection and thus dispense with the purpose of the revocation check via OCSP or terminate the connection assuming an attack, which reduces user-friendliness and can lead to an excessive number of incorrect warnings and blocks.

solution

OCSP stapling solves both problems in a way reminiscent of the Kerberos ticket. In an attachment scenario ("stapling"), the certificate holder asks the OCSP server at regular intervals and receives a signed OCSP response with a time stamp. When the visitors to the site try to connect, this response is appended ("stapled") to the TLS / SSL handshake via the certificate status query extension . (Note that the TLS client must explicitly include a certificate status query extension in its ClientHello message during the TLS handshake.) Although it appears as if it would allow the operator of an abusive site to issue false confirmations for a withdrawn certificate, if he can influence the responses for the verification, the attached verification messages cannot be falsified, as they have to be signed directly by the certification authority and not by the server. If the client does not receive an attached test message, it can simply request the OCSP server itself. However, if he receives an invalid appended test message, he breaks the connection. The only danger increased by OCSP stapling is that the withdrawal notification for a certificate can be delayed until the last signed OCSP response expires.

As a result, clients continue to have verifiable assurance from the certification authority that the certificate is (or was recently) valid, but no longer need to individually request the OCSP server. This means that the majority of the burden falls back on the certificate holder. It also means that the client software no longer has to disclose user behavior to a third party.

Overall performance is also improved: If the client picks up the OCSP response directly from the certification authority, this usually implies looking up the domain name of the OCSP server in the DNS and establishing a connection to the OCSP server. When using OCSP stapling, the information about the status of the certificate is delivered via an established channel, which reduces the overhead and improves performance.

specification

The TLS certificate status query extension is specified in section 8 of RFC 6066 .

RFC 6961 describes a certificate status query extension for multiple certificates that enables the server to send multiple OCSP responses in a TLS handshake.

A draft proposal for an X509v3 extension field, which expired in April 2013, stipulates that a compatible server that presents a certificate with this extension must provide a valid OCSP token in its response if the status_request extension is in the ClientHello message from TLS is specified. The current version of the proposal has been extended to support further TLS extensions. TLS developer Adam Langley covers the extension in an April 2014 article after fixing the Heartbleed bug in OpenSSL.

commitment

Support for OCSP stapling will be implemented gradually. The OpenSSL project added support through financial support from the Mozilla Foundation in release 0.9.8g.

The Apache HTTP server supports OCSP stapling from version 2.3.3, the web server nginx from version 1.3.7, the LiteSpeed ​​web server from version 4.2.4, Microsoft's IIS from Windows Server 2008 , HAProxy from version 1.5.0 and F5 Networks BIG- IP from version 11.6.0.

On the browser side, OCSP stapling was built into Firefox 26, in Internet Explorer since Windows Vista and Google Chrome in Linux, Chrome OS and Windows since Vista.

For SMTP, the Exim message transfer agent supports OCSP stapling in both client and server mode.

Restrictions

OCSP stapling has been developed to reduce the costs of OCSP validation - both for the client and for the OCSP responder - especially for large websites that serve many users at the same time. Nevertheless, OCSP stapling only supports the delivery of one OCSP response at a time, which is not sufficient for chains with intermediate certificates.

This restriction was countered by a certificate status query extension for several certificates, which is specified in RFC 6961 . It supplements the simultaneous sending of several OCSP responses.

swell

  1. ^ A b D. Eastlake (January 2011).
  2. ^ A b Matthew Prince: (October 29, 2012).
  3. a b c Steve Gibson:
  4. a b c A. Jesin (June 12, 2014).
  5. a b c David Keeler: (July 29, 2013).
  6. OCSP stacking .
  7. P. Hallam-Baker: X.509v3 Extension: OCSP Stapling Required
  8. P. Hallam-Baker: X.509v3 TLS Feature Extension draft-hallambaker-tlsfeature-05
  9. ^ A. Langley: No, don't enable revocation checking , April 19, 2014.
  10. Apache HTTP Server mod_ssl documentation - SSLUseStapling directive
  11. nginx-announce mailing list - nginx-1.3.7
  12. Release Log - Litespeed Tech .
  13. Robert Duncan:
  14. HAProxy website
  15. Release Note: BIG-IP LTM and TMOS 11.6.0
  16. ^ Improving Revocation - MozillaWiki , accessed April 28, 2014.
  17. ^ How Certificate Revocation Works .
  18. Issue 361820: Check For Server Certificate Revocation checkbox is confusing .
  19. ^ The smtp transport , accessed January 24, 2015.
  20. Main configuration , accessed January 24, 2015.
  21. Mozilla NSS Bug 360420 , comment by Adam Langley
  22. Mozilla NSS Bug 611836 - Implement multiple OCSP stapling extension
  23. ^ Yngve N. Pettersen: (June 2013).