OSCP Must Staple

wattie

It's an old but still not common feature, but I guess it will grow in popularity in future. OCSP Must Staple is an additional instruction bundled inside the TLS certificate which instructs the browser that the server MUST send OCSP stapling information.

Question:

Is there a way to implement it in DA Let's Encrypt certificates?

Explanation:

When a web server has a hacking suspicion, it revokes all certificates and issues new ones. This is to ensure that nobody will reuse its certificate to make a malicious website (for example in a MitM attack scenario). The problem is that the clients must somehow know that a certain certificate is revoked.

The historical solution is to use CRLs (certificate revocation lists), which are the client's responsibility to fetch and use. The issue is that as web encryption has grown drastically, CRLs have also become pretty large files. So it does not scale well. And they are not fetched and updated very frequently (usually TTL 24 hours).

OCSP stapling came as a solution. What it does is that the web server contacts the CA, fetches a digitally signed assurance that its certificate is not revoked (which has a certain time to live, after which it becomes invalid/expired) and sends that digitally signed assurance message to the client during the TLS handshake. It simplifies the process for the client. When somebody eventually hacks a server certificate, he can only use it with the last valid OCSP staple that he eventually got, and it will expire, so his hack will be short-lived.

Enabling OCSP stapling is pretty easy and straightforward. In case of Apache, just uncomment those lines in httpd-ssl.conf:

SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(512000)

The problem. While OCSP stapling is great, it has an issue. It is that not all web servers support it and not all browsers request it. Or simplified: it's not obligatory to use it. So what hackers can do with a hacked certificate is to NOT send OCSP stapling at all, even if the client requests it. What do all browsers do in such a case? You guessed it: they say "Oh, well, this server does not support OCSP stapling, so we will just assume that everything is OK" (and rely on their CRL, which is fetched rarely and is therefore eventually outdated). Therefore OCSP stapling itself is a good thing, but it is not increasing security at all and we still rely on CRLs.

What is OCSP Must Staple? It comes to the rescue. There is a message within the TLS certificate itself which indicates that the server who uses that certificate MUST include OCSP stapling data. That way the hackers cannot skip sending it... and problem solved.

The issue is that currently only Firefox respects it. But hopefully in future all browsers will.

P.S. Obviously SSLStaplingReturnResponderErrors must be On if OCSP Must Staple is to be used, because otherwise it will return a misleading error message to the client in case the OCSP CA server is temporarily not working.

P.S.2. And usually you should consider enabling mod_md, as it is a much better implementation of OCSP stapling than the one in mod_ssl: https://github.com/icing/mod_md
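The "message within the TLS certificate itself" that the post describes is the TLS Feature extension (RFC 7633, OID 1.3.6.1.5.5.7.1.24) carrying the status_request feature. The Python below is an added example, not code from the thread or from DirectAdmin: it walks the DER of a certificate and reports whether that extension is present, so you can verify what a CA actually issued. It runs on a constructed skeleton certificate; for a real file, feed it pem_to_der(open(path).read()).

```python
import base64

TLS_FEATURE_OID = bytes.fromhex("2b06010505070118")  # id-pe-tlsfeature 1.3.6.1.5.5.7.1.24
STATUS_REQUEST = 5  # TLS feature number of status_request (OCSP stapling), RFC 7633

def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):
    """Iterate the TLVs packed back to back in buf[start:end]."""
    while start < end:
        tag, vs, ve = _tlv(buf, start)
        yield tag, vs, ve
        start = ve

def has_must_staple(der):
    """True if the DER certificate carries a TLS Feature extension listing status_request."""
    _, cert_s, _ = _tlv(der, 0)             # Certificate ::= SEQUENCE
    _, tbs_s, tbs_e = _tlv(der, cert_s)     # tbsCertificate ::= SEQUENCE (first field)
    for tag, vs, ve in _children(der, tbs_s, tbs_e):
        if tag != 0xA3:                     # extensions [3] EXPLICIT Extensions
            continue
        _, exts_s, exts_e = _tlv(der, vs)   # Extensions ::= SEQUENCE OF Extension
        for _, es, ee in _children(der, exts_s, exts_e):
            fields = list(_children(der, es, ee))       # extnID, [critical], extnValue
            if der[fields[0][1]:fields[0][2]] != TLS_FEATURE_OID:
                continue
            value = der[fields[-1][1]:fields[-1][2]]    # inner DER of extnValue OCTET STRING
            _, seq_s, seq_e = _tlv(value, 0)            # Features ::= SEQUENCE OF INTEGER
            features = [int.from_bytes(value[s:e], "big") for _, s, e in _children(value, seq_s, seq_e)]
            return STATUS_REQUEST in features
    return False

def pem_to_der(pem):
    """Strip PEM armour lines and base64-decode, for feeding a real certificate file."""
    return base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))

def _der(tag, body):  # short-form DER TLV encoder, only used to build the sample below
    return bytes([tag, len(body)]) + body

# Constructed sample (not a real certificate): a skeleton Certificate whose only TBS field
# is the Extensions block, once with TLS Feature {status_request} and once without it.
_ext = _der(0x30, _der(0x06, TLS_FEATURE_OID) + _der(0x04, _der(0x30, _der(0x02, bytes([STATUS_REQUEST])))))
SAMPLE_MUST_STAPLE = _der(0x30, _der(0x30, _der(0xA3, _der(0x30, _ext))))
SAMPLE_PLAIN = _der(0x30, _der(0x30, _der(0xA3, _der(0x30, b""))))
```

Let's Encrypt includes the extension only when the CSR asks for it (certbot's --must-staple option does that), so checking the issued certificate this way tells you whether the "Must Staple" flag is really there before you rely on the server-side stapling settings.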
Enabling OCSP stapling is pretty easy and straightforward. In case of Apache, just uncomment those lines in httpd-ssl.conf:
Sorry to bump this thread, but I was thinking of maybe enabling this.
But contrary to your statement, the lines mentioned are not present in the httpd-ssl.conf file.

And does it work with LE now with just apache2 (no nginx)? Are there benefits?
 
I have no idea if it works with LE or not. I have no test server to try on.

The lines are not available but they are valid Apache config directives.
 
I have this in the /usr/local/directadmin/custombuild/configure/ap2/conf/extra/httpd-ssl.conf file

SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(512000)

With a test it seems not to be working?
 
That is the configure directory, so it should be in /etc/httpd/conf/extra/httpd-ssl.conf, and I don't have this statement in either file by default.
As far as I know it won't work anyway if it's not in the normal httpd-ssl.conf which I mentioned and is used by Apache.

Did you put that in there yourself?
 
BUMP

Still asking again then, while I didn't find a manual in the DirectAdmin docs on how to enable OCSP stapling (yes or no in custom) and have it done and stay, and also which file and which lines at start/end ...

This one looks old (old skin) and not from DirectAdmin itself??


Which one, yes or no? In the Evo skin for Apache I don't see the customized header part, only custom1 2 3 4? ;)

Setup for Apache in DirectAdmin in CustomBuild:
cd /usr/local/directadmin/custombuild/custom/ap2/conf/extra/
vi httpd-ssl.conf


SSLCompression off
SSLSessionTickets off


SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache "shmcb:/var/run/ocsp(128000)"


put this code just before:
##
## SSL Virtual Host Context
##
(and check that /var/run/ folder exists)


Or for Apache in DirectAdmin in httpd:
customized header:
inside virtual:
SSLUseStapling on
custom1:
SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
 
@ikkeben
It's an option when rebuilding Apache


Code:
Or for Apache in DirectAdmin in httpd:
customized header:
inside virtual:
And customize inside the <VirtualHost> tag in "/CMD_CUSTOM_HTTPD"
I don't get (understand how to do an OCSP combination with) those parts, sorry. ;)

Should it be in GUI EVO?

Or where, in which order, which commands, which files and which place in the files.

Is it then safe for updates, or where to..

The yes-or-no OCSP stapling manual for DirectAdmin I can't find in the docs.

And what you find on the web and in the forum is all either old or mixed and not for these versions, so it's very easy to make mistakes there!

This is for example a very old one, not up to date, while you should use that part if on a newer OS

I hope you understand what I am trying to say: an up-to-date whole manual / documentation for a howto on OCSP in DirectAdmin, EVO skin and command line, and yes/no custombuild...

The new optional file was implemented in DirectAdmin Version 1.59.5 (the aforementioned GUI implemented in DirectAdmin Version 1.61.0):

Is for example custom (1,2,3,4) httpd in the GUI EVO skin the same as that custom on the command line, and if yes, which files are placed where?

I am looking for an EVO skin GUI ..... OCSP (server wide and per domain) Apache FPM manual from DirectAdmin itself, for example one like this for OLS: https://openlitespeed.org/kb/customize-virtual-host-configuration-in-directadmin/

Search in DA DOCS on that

OCSP Must Staple or ocsp or stapling, SSLStapling

nothing found?
 
OK, that in my answer is for per-domain

but for global, if I'm not wrong, it should be the "CUSTOM" token

You will see this in template file
"/usr/local/directadmin/data/templates/virtual_host2.conf"
Code:
<VirtualHost |IP|:|PORT_80| |MULTI_IP|>
|CUSTOM|


"SSLUseStapling on"
should be put in
"/usr/local/directadmin/data/templates/custom/cust_httpd.CUSTOM.pre" (or .post)

"SSLStaplingCache shmcb:/tmp/stapling_cache(128000)"
should be put in
"/usr/local/directadmin/data/templates/custom/cust_httpd.CUSTOM1.pre" (or .post)

and rewrite_confs


but I'm not sure it works
maybe it conflicts with some other config

but this should be the answer on how to put it in the custom template file
 
BUMP, still stuck

7-year-old topic now?

Server wide, if sites have a cert and http2, but how to add OCSP stapling then?

I did pay SMtalk years ago for this, but such a simple thing should be in the DOCS hmm

I can't find where, while I am stuck with so much help / docs and info about yes/no custom, but still didn't solve it myself after years now.

Yes I know I am on the wrong path, but if it is not simply in the docs / howto you can be looking in totally wrong places to add those lines


So please @DirectAdmin Support make a simple docs / howto and place a link here?

Other readers knowing how to for Apache and CentOS 8 on the latest DA are welcome

EDIT:
SO still missing docs: @scriptkitty


I have it working but don't know if this is the right way

IN file /etc/httpd/conf/extra/httpd-includes.conf

I did put those rules/lines:
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(512000)


 
Want to add to this, i am following this KB : https://help.directadmin.com/item.php?id=621
And getting the SSL settings from

# generated 2021-09-23, Mozilla Guideline v5.6, Apache 2.4.48, OpenSSL 1.1.1d, intermediate configuration
# https://ssl-config.mozilla.org/#ser...fig=intermediate&openssl=1.1.1d&guideline=5.6

# this configuration requires mod_ssl, mod_socache_shmcb, mod_rewrite, and mod_headers
<VirtualHost *:80>
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>

<VirtualHost *:443>
SSLEngine on

# curl https://ssl-config.mozilla.org/ffdhe2048.txt >> /path/to/signed_cert_and_intermediate_certs_and_dhparams
SSLCertificateFile /path/to/signed_cert_and_intermediate_certs_and_dhparams
SSLCertificateKeyFile /path/to/private_key

# enable HTTP/2, if available
Protocols h2 http/1.1

# HTTP Strict Transport Security (mod_headers is required) (63072000 seconds)
Header always set Strict-Transport-Security "max-age=63072000"
</VirtualHost>

# intermediate configuration
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLSessionTickets off

SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

I want to add/update this info in extra/httpd-ssl.conf, now I don't understand exactly in which section this info needs to be added

SSLHonorCipherOrder & SSLCipherSuite are listed in 2 places, SSLProtocol is listed before
<VirtualHost _default_:|PORT_443|>

So in which section do I add these directives, inside the VirtualHost block or before it?

SSLHonorCipherOrder off
SSLSessionTickets off
Protocols h2 http/1.1
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

Thanks
 
I have updated my server as follows and am getting A+ on SSL Labs, the only thing missing is "OCSP Must Staple: No"
https://www.digicert.com/help/ shows all good

Following this KB for a custom httpd-ssl.conf: https://help.directadmin.com/item.php?id=621
my custom httpd-ssl.conf is as follows, comments removed

Listen |PORT_443|

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/log/httpd/ssl_scache(512000)
SSLSessionCacheTimeout 300

# https://mozilla.github.io/server-side-tls/ssl-config-generator/ intermediate configuration.
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLSessionTickets off

##
## SSL Virtual Host Context
##

<VirtualHost _default_:|PORT_443|>
# General setup for the virtual host
DocumentRoot "/var/www/html"
ServerName www.example.com:|PORT_443|
ServerAdmin [email protected]
ErrorLog /var/log/httpd/error_log
TransferLog /var/log/httpd/access_log
SSLEngine on
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLSessionTickets off
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
SSLCACertificateFile /etc/httpd/conf/ssl.crt/server.ca
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog /var/log/httpd/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>


Enable OCSP stapling
Directives need to be in 2 separate places, inside and outside of <VirtualHost *:443>

I did this in the custom httpd configuration from Custom HTTPD Configuration -> (select domain httpd.conf) -> Customize

1) These directives need to go inside <VirtualHost *:443>
In the first text area (httpd.conf customization for domain.com)
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingFakeTryLater off
SSLStaplingStandardCacheTimeout 86400



2) These directives need to be OUTSIDE of the <VirtualHost></VirtualHost> block
First text box (CUSTOM 1)
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

Save and you're done; the numbers can be changed, please read up on them to see what works for you. There could be a better way for enabling OCSP site wide, if you know one please share.

httpd-ssl file attached, don't know how to get rid of those smilies
Thanks
 

@ssgill For server wide, see my edit above in post 11 where: (so in that file for the whole server and sites)

I have it working but don't know if this is the right way
IN file /etc/httpd/conf/extra/httpd-includes.conf
Still thinking there should be documentation in the DA docs/help about this

For the smilies you need to edit the post, then more, choose options and under code </>, so not quote
 
It enabled OCSP but it is still not in "Must Staple" mode?!? SSL Labs shows:

OCSP Must Staple: No
Revocation information: OCSP
OCSP: http://r3.o.lencr.org

DigiCert shows something strange:

OCSP Staple: Good
OCSP Origin: Good
CRL Status: Not Enabled
 
@wattie uh YUP. ;)