Introduction
OCSP (Online Certificate Status Protocol) was proposed as a replacement for CRLs, and it is supported by essentially all modern web servers.
OCSP stapling, however, is not supported everywhere, and in practice we often need to find out whether a specific website supports it.
Websites that support OCSP stapling
How to judge whether a web site supports OCSP stapling?
The easiest way is to use a third-party website to check the site's certificate information. For example, on entrust.ssllabs.com, which we mentioned before, enter the address of the site and look in the Protocol Details section; there you can find whether the website supports OCSP stapling, as follows:
You can see that this website has OCSP stapling enabled. In fact, however, most websites in the world do not have OCSP stapling enabled.
So is there any other way besides looking at OCSP stapling on a third-party website?
In fact, we can easily do this with the openssl tool. Of course, the premise is that the website supports HTTPS.
Next, we will explain in detail the whole process from obtaining the server's certificate to verifying whether the server supports OCSP stapling.
The website verified in this article is Microsoft's official website www.squarespace.com, which supports OCSP stapling.
Get the server's certificate
To verify whether the server supports OCSP, we first need to obtain the server's certificate, which can be done with the openssl s_client -connect command provided by openssl:
openssl s_client -connect www.squarespace.com:443
This command outputs everything involved in making the connection, including the certificate of the website being accessed.
Because we only need the certificate of the website, we save the content between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.
Then the final command is as follows:
openssl s_client -connect www.squarespace.com:443 | sed -n '/-----BEGIN/,/-----END/p' > ca.pem
Here we use sed -n to cut the data starting at -----BEGIN and ending at -----END out of the output.
Eventually we got the certificate for the website.
Besides the certificate of the website itself, there are the certificates that issued it. These are called intermediate certificates, and we need to obtain the entire certificate chain.
Use openssl's openssl s_client -showcerts command to get the whole certificate chain:
openssl s_client -showcerts -connect www.squarespace.com:443 | sed -n '/-----BEGIN/,/-----END/p' > chain.pem
If you open chain.pem, you will find two certificates in the file: the first is the server's own certificate, and the second is the intermediate certificate used to sign the server certificate.
Get OCSP responder address
If the certificate contains the address of the OCSP responder, it can be obtained with the following command:
openssl x509 -noout -ocsp_uri -in ca.pem
We can get the OCSP responder address of the website: http://ocsp.digicert.com.
There is another way to get the address of the ocsp responder:
openssl x509 -text -noout -in ca.pem
This command outputs all the information in the certificate; among it we can see the following:
Authority Information Access:
OCSP - URI:http://ocsp.digicert.com
CA Issuers - URI:http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt
Where OCSP - URI is the address of the OCSP responder.
Send OCSP request
With the address of the OCSP responder, we can perform the OCSP query. This command needs both the server's certificate and the intermediate certificate.
The query command is as follows:
openssl ocsp -issuer chain.pem -cert ca.pem -text -url http://ocsp.digicert.com
The output has two parts. The first part is OCSP Request Data, the request that was sent:
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 521EE36C478119A9CB03FAB74E57E1197AF1818B
Issuer Key Hash: 09262CA9DCFF639140E75867E2083F74F6EAF165
Serial Number: 120014F1EC2395D56FDCC4DCB700000014F1EC
Request Extensions:
OCSP Nonce:
04102873CFC7831AB971F3FDFBFCF3953EC5
From the request data we can see the detailed structure of an OCSP request: the Certificate ID derived from the issuer (issuer name hash, issuer key hash and serial number) and the OCSP nonce.
The second part is the response data:
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: B76BA2EAA8AA848C79EAB4DA0F98B2C59576B9F4
Produced At: Apr 30 04:36:26 2022 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: E4E395A229D3D4C1C31FF0980C0B4EC0098AABD8
Issuer Key Hash: B76BA2EAA8AA848C79EAB4DA0F98B2C59576B9F4
Serial Number: 0F21C13200AE502D52BBE8DFEAB0F807
Cert Status: good
This Update: Apr 30 04:21:01 2022 GMT
Next Update: May 7 03:36:01 2022 GMT
In the result above, OCSP Response Status: successful shows that the query succeeded, and Cert Status: good shows that the responder reports the certificate as not revoked, so this website supports the OCSP protocol.
The next two lines give the time of this OCSP update and the time of the next update:
This Update: Apr 30 04:21:01 2022 GMT
Next Update: May 7 03:36:01 2022 GMT
Note that this site also supports OCSP stapling.
In addition, when querying the OCSP URL of some websites, you may get the following error:
Error querying OCSP responder
4346349100:error:27FFF072:OCSP routines:CRYPTO_internal:server response error:/AppleInternal/Library/BuildRoots/66382bca-8bca-11ec-aade-6613bcf0e2ee/Library/Caches/com.apple.xbs/Sources/libressl/libressl-2.8/crypto/ocsp/ocsp_ht.c:251:Code=400,Reason=Bad Request
Why is that?
It is because the responder ocsp.msocsp.com does not accept the HTTP/1.0 request that openssl ocsp sends by default, and an HTTP/1.0 request carries no Host header. So we need to add the Host request header and run the command again.
An easier way
Above, we actually executed the query step by step. We can also have openssl do the whole task in one step:
openssl s_client -tlsextdebug -status -connect www.squarespace.com:443
From the output, we can see the following data:
OCSP response:
======================================
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: B76BA2EAA8AA848C79EAB4DA0F98B2C59576B9F4
Produced At: Apr 27 04:36:26 2022 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: E4E395A229D3D4C1C31FF0980C0B4EC0098AABD8
Issuer Key Hash: B76BA2EAA8AA848C79EAB4DA0F98B2C59576B9F4
Serial Number: 0F21C13200AE502D52BBE8DFEAB0F807
Cert Status: good
This Update: Apr 27 04:21:02 2022 GMT
Next Update: May 4 03:36:02 2022 GMT
The above command outputs the stapled OCSP response directly. From the result we can clearly see whether the website supports OCSP and OCSP stapling.
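As an added example (not code from the original post), the following POSIX shell script wraps both procedures described above: the step-by-step path (fetch the chain, split off the leaf and its issuer, read the responder URI from the certificate, query the responder) and the one-step s_client -status path, and it reduces either openssl transcript to a one-word verdict. It assumes an openssl binary with the s_client, x509 and ocsp subcommands plus awk and sed; the function names, the file names chain.pem, leaf.pem and issuer.pem, and the sample transcripts are this example's own (the samples are constructed, abridged from the output shown above, so the parser can be exercised offline).

```shell
#!/bin/sh
# Added helper script, not from the original post. Assumes POSIX sh, awk, sed and
# an openssl with the s_client, x509 and ocsp subcommands. File names are ours.

# Reduce the transcript of `openssl s_client -status` or `openssl ocsp -text`
# (read on stdin) to one word:
#   none                   the server sent no stapled response
#   good|revoked|unknown   the Cert Status reported in the response
#   error:<reason>         the responder answered, but not with status successful
#   unexpected             no marker found (connection failed, wrong port, ...)
# When request and response are both present (openssl ocsp -text) their two
# Serial Number lines must agree; otherwise the answer is about a different
# certificate and " (certificate id mismatch)" is appended.
ocsp_summary() {
    awk '
        /^OCSP response: no response sent/               { verdict = "none"; exit }
        /^ *OCSP Response Status:/ && $4 != "successful" { verdict = "error:" $4; exit }
        /^ *Serial Number:/                              { serial[++n] = $3 }
        /^ *Cert Status:/                                { verdict = $3 }
        END {
            if (verdict == "") verdict = "unexpected"
            else if (n == 2 && serial[1] != serial[2]) verdict = verdict " (certificate id mismatch)"
            print verdict
        }'
}

# Print the N-th PEM certificate of a file (1 = the leaf as sent by the server,
# 2 = the certificate that signed it). Prints nothing if there is no such block.
nth_cert() {
    awk -v want="$2" '
        /-----BEGIN CERTIFICATE-----/             { n++ }
        n == want                                 { print }
        /-----END CERTIFICATE-----/ && n == want  { exit }' "$1"
}

# One-step check: does the server staple an OCSP response? -servername sends SNI
# so a virtual host returns its own certificate; stdin from /dev/null makes
# s_client exit right after the handshake instead of waiting for input.
check_stapling() {
    openssl s_client -status -servername "$1" -connect "$1:443" </dev/null 2>/dev/null \
        | ocsp_summary
}

# Step-by-step check against the responder named in the certificate's AIA extension.
check_responder() {
    openssl s_client -showcerts -servername "$1" -connect "$1:443" </dev/null 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > chain.pem
    nth_cert chain.pem 1 > leaf.pem
    nth_cert chain.pem 2 > issuer.pem   # -issuer needs the intermediate, not the leaf
    uri=$(openssl x509 -noout -ocsp_uri -in leaf.pem | head -n 1)
    host=${uri#*://}; host=${host%%/*}
    # openssl ocsp speaks HTTP/1.0; responders that insist on a Host header (the
    # 400 Bad Request case) get one via -header. OpenSSL >= 1.1.0 takes name=value;
    # OpenSSL 1.0.x and LibreSSL take two arguments: -header Host "$host".
    openssl ocsp -issuer issuer.pem -cert leaf.pem -url "$uri" -header "Host=$host" -text \
        2>/dev/null | ocsp_summary
}

# Constructed transcripts (abridged, not captured live) so the parser runs offline.
sample_stapled() {
    cat <<'EOF'
CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Responses:
    Certificate ID:
      Serial Number: 0F21C13200AE502D52BBE8DFEAB0F807
    Cert Status: good
======================================
EOF
}
sample_not_stapled() {
    printf 'CONNECTED(00000003)\nOCSP response: no response sent\n'
}
sample_mismatch() {       # request and response carry different Certificate IDs
    cat <<'EOF'
OCSP Request Data:
    Requestor List:
        Certificate ID:
          Serial Number: 120014F1EC2395D56FDCC4DCB700000014F1EC
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Responses:
    Certificate ID:
      Serial Number: 0F21C13200AE502D52BBE8DFEAB0F807
    Cert Status: good
EOF
}

echo "stapled sample:   $(sample_stapled | ocsp_summary)"        # good
echo "unstapled sample: $(sample_not_stapled | ocsp_summary)"    # none
echo "mismatch sample:  $(sample_mismatch | ocsp_summary)"       # good (certificate id mismatch)
# Live checks (need network): check_stapling www.squarespace.com ; check_responder www.squarespace.com
```

Two details differ from the commands above on purpose. First, -issuer is given the second certificate of the chain: openssl ocsp reads only the first certificate of the file passed to -issuer, and the first certificate in chain.pem is the leaf, which is not its own issuer. Second, the parser compares the Serial Number of the request with that of the response; the request and response printed above carry different Certificate IDs, and in that situation a Cert Status: good line says nothing about the server certificate that was asked about. The parser also treats a missing "OCSP response:" marker as unexpected rather than as "not stapled", so a failed connection is not mistaken for a server that does not staple.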
Summary
Although most websites do not support OCSP stapling, we can check effectively with the commands above.
For more information, please refer to http://www.flydean.com/44-openssl-ocsp/
The most popular interpretation, the most profound dry goods, the most concise tutorials, and many tricks you don't know are waiting for you to discover!
Welcome to follow my official account: "Program those things", which understands technology and understands you better!