
K17111035: Configuring OCSP stapling (11.x - 12.x)

Non-Diagnostic
Original Publication Date: Apr 1, 2016
Update Date: Sep 14, 2019

Topic

This article applies to BIG-IP 11.x through 12.x. For information about other versions, refer to the following article:

  K75106155: Configuring OCSP stapling (13.x - 15.x)

You should consider using this procedure under the following condition:

  - You want to configure the BIG-IP system to use Online Certificate Status Protocol (OCSP) stapling.

Description

OCSP

The original OCSP implementation described in RFC 2560 requires that client applications perform a DNS and an OCSP request, using either HTTP or HTTPS, during the Secure Socket Layer (SSL)/Transport Layer Security (TLS) handshake to validate a secure website's SSL certificate revocation status. The additional DNS and HTTP/HTTPS requests made during the SSL/TLS handshake cause noticeable performance delays for client applications and significantly increase network traffic and processing overhead for the validating OCSP responders. OCSP stapling was introduced to improve SSL/TLS handshake performance while maintaining security.

OCSP Stapling

OCSP stapling (described in RFC 6066 and RFC 6960) is a performance improvement to the original OCSP internet protocol used to verify SSL certificate revocation status. When a secure web server implements OCSP stapling and a remote client application makes a new SSL connection, the secure web server queries the OCSP responder and obtains a signed, time-limited OCSP response during the SSL/TLS handshake. The secure web server then responds to the client application on behalf of the OCSP responder, sending (stapling) the OCSP response in the status_request TLS Certificate Status Request extension. The client application is then able to verify the SSL certificate's revocation status.
The secure web server also caches the OCSP response, and subsequent client connections to the same secure website receive the cached stapled response, which greatly improves overall SSL/TLS handshake performance. While this performance improvement may appear less secure, a trusted entity signs OCSP responses, which allows client applications to verify the authenticity of the response. One possible risk occurs when a certificate revocation notification update (revoked) is delayed until the previously cached (good) OCSP response has expired.

Important: The client application must include the status_request extension in its TLS Client Hello handshake message to enable OCSP stapling.

BIG-IP system

Beginning in BIG-IP 11.6.0, you can configure the BIG-IP system to use OCSP stapling for websites that are secured using a Client SSL profile. For more information about how a BIG-IP system manages cached OCSP responses, refer to the following list:

Multiple TMMs

For BIG-IP systems with multiple Traffic Management Microkernels (TMMs), each TMM maintains its own OCSP response cache. The BIG-IP system continues to query the OCSP responder until each TMM has its own cached copy of an OCSP response. Therefore, you must make OCSP requests for the same secure website until each TMM has its own cached copy.

Revoked responses

Revoked responses remain in the cache indefinitely.
To remove all cached OCSP responses for a specific virtual server and Client SSL profile, use the following command syntax:

  tmsh delete ltm clientssl ocsp-stapling-responses clientssl-profile <name> virtual <name>

For example, to delete all of the cached OCSP responses for the virtual server named example_ocsp_vip referencing the Client SSL profile named example_ssl_profile, type the following command:

  tmsh delete ltm clientssl ocsp-stapling-responses clientssl-profile example_ssl_profile virtual example_ocsp_vip

The nextUpdate extension

OCSP responders can include an optional nextUpdate extension to indicate the time at which new certificate revocation status information will be made available. The BIG-IP system does not cache an OCSP response when the nextUpdate extension is missing.

Viewing the OCSP response cache

There is currently no command available for viewing the OCSP response cache. To view OCSP response errors associated with a specific virtual server, you can use the following command syntax:

  tmsh show ltm virtual <name> detail

For example, to view the OCSP response errors for the virtual server named example_ocsp_vip, use the following command:

  tmsh show ltm virtual example_ocsp_vip detail

Prerequisites

You must meet the following prerequisites to use this procedure:

  - You have a remote OCSP responder.
  - You have access to the Configuration utility.
  - You have a virtual server configured to process SSL traffic using a Client SSL profile.
  - You have configured the Network Time Protocol (NTP) on the BIG-IP system and the remote OCSP responder.
  - The following service ports are accessible between the BIG-IP system and the OCSP responder: 53 (DNS) and 80 or 443 (OCSP).
  - You have access to a Linux command line if testing is required.
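Because the OCSP response cache cannot be listed on the BIG-IP system, the practical check is from the client side. The following is an added example (not part of the F5 article): it classifies the output of `openssl s_client -status` so you can confirm that a stapled response is present, read its certificate status, and notice a response without a Next Update field, which the BIG-IP system will not cache. HOST and PORT are placeholders for your virtual server, and the sample transcripts are constructed rather than captured.

```shell
#!/bin/sh
# Added example, not from the F5 article. Passing -status to s_client puts the
# status_request extension in the Client Hello, which is what makes the BIG-IP
# staple a response (and is how you warm each TMM's cache). HOST/PORT: placeholders.

# Read an s_client transcript on stdin and print one classification line:
#   no-staple                            no stapled response was sent
#   error:<status>                       responder status other than "successful"
#   stapled:<certstatus>                 e.g. stapled:good or stapled:revoked
#   stapled:<certstatus>:no-next-update  nextUpdate missing, so BIG-IP will not cache it
ocsp_staple_status() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
        echo "no-staple"
        return 0
    fi
    status=$(printf '%s\n' "$out" | sed -n 's/^ *OCSP Response Status: \([a-zA-Z]*\).*/\1/p' | head -n 1)
    if [ "$status" != "successful" ]; then
        echo "error:${status:-none}"
        return 0
    fi
    cert=$(printf '%s\n' "$out" | sed -n 's/^ *Cert Status: \([a-zA-Z]*\).*/\1/p' | head -n 1)
    if printf '%s\n' "$out" | grep -q '^ *Next Update:'; then
        echo "stapled:${cert:-unknown}"
    else
        echo "stapled:${cert:-unknown}:no-next-update"
    fi
}

# Live check against a virtual server: check_live HOST PORT
check_live() {
    printf 'Q\n' | openssl s_client -connect "$1:$2" -servername "$1" -status 2>/dev/null \
        | ocsp_staple_status
}

# Constructed sample transcripts (not real captures), trimmed to the lines that matter.
SAMPLE_STAPLED_GOOD='OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
    This Update: Sep 14 09:00:00 2019 GMT
    Next Update: Sep 21 09:00:00 2019 GMT'
SAMPLE_NO_STAPLE='OCSP response: no response sent'
SAMPLE_REVOKED_NO_NEXT='OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: revoked
    This Update: Sep 14 09:00:00 2019 GMT'
```

Run check_live repeatedly against the same virtual server on a multi-TMM system: the first few connections may show no-staple until every TMM holds its own cached copy.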
Procedures

  - Importing the CA or OCSP responder signing certificate
  - Configuring the OCSP Stapling profile
  - Modifying the Client SSL profile
  - Testing the OCSP configuration

Importing the CA or OCSP responder signing certificate

The client application and BIG-IP system must verify the authenticity of the OCSP responder's SSL certificate. Before configuring the OCSP responder and Client SSL profiles, obtain the Certificate Authority (CA) certificate used to sign the responder's SSL certificate. You can import the CA certificate by performing the following procedure:

Note: The SSL certificate file should include the BEGIN CERTIFICATE and END CERTIFICATE lines and contain no white space, extra line breaks, or additional characters.

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

  1. Log in to the Configuration utility.
  2. Navigate to System > File Management > SSL Certificates List.
  3. Click Import.
  4. From the Import Type list, click Certificate.
  5. For Certificate Name, click Create New and type a name for the certificate.
  6. For Certificate Source, click Upload File and browse to the file on your computer, or click Paste Text and paste the certificate text into the box.
  7. Click Import.

Configuring the OCSP Stapling profile

Prior to configuring the OCSP Stapling profile, you may need to contact the OCSP responder's administrator to ensure the OCSP options are correctly configured. To configure the OCSP stapling profile, perform the following procedure:

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

  1. Log in to the Configuration utility.
  2. Navigate to Local Traffic > Profiles > SSL > OCSP Stapling.
  3. Click Create.
  4. Configure the General Properties options, as appropriate for your purposes:

Basic view

Note: The options marked with an asterisk (*) are required.

  *Name - Type a unique identifier or name for the OCSP profile.
  *Use Proxy Server - Select the check box if you intend to use servers that can proxy HTTP requests to an external server to fetch responses, or leave this check box cleared if you intend to use a domain name in either the OCSP stapling profile's Responder URL option or in the secure website SSL certificate's Authority Information Access (AIA) extension to fetch responses.

  Note: You can configure a DNS resolver for the OCSP responder's fully-qualified domain name (FQDN) in the Configuration utility under Network > DNS Resolvers.

  *DNS Resolver/Proxy Server Pool - Depending on your selection for the previous setting, specify the appropriate DNS resolver or proxy server pool.

  *Trusted Certificate Authorities - Click the name of the CA certificate that signed the OCSP responder's certificate, which you imported during the Importing the CA or OCSP responder signing certificate procedure.

  Trusted Responders - Click the name of the certificate the system uses for validating the OCSP response when the responder's certificate is omitted from the response.

Advanced view

The Advanced view options include those listed under Basic view and the following additional options:

Note: The options marked with an asterisk (*) are not required but may have a significant impact and may require additional tuning, depending on the OCSP responder implementation.

  *Responder URL - Type the HTTP/HTTPS URL the system uses to override the AIA extension configured in the OCSP responder's SSL/TLS certificate. By default, this box is empty.

  Signer Certificate - Click the name of the SSL certificate the system uses for signing the OCSP request. The default is None.

  Signer Key - Click the name of the SSL key the system uses for signing the OCSP request. The default is None.

  Signer Key Passphrase - Type the passphrase the system uses to protect the Signer SSL key. The default is empty (no value).
  *Sign Hash - Click the name of the hash algorithm the system uses to sign an OCSP request. The default is SHA256. The OCSP responder may require you to sign requests using a specific SHA hashing algorithm.

  *Timeout - Assign the time, in seconds, that the system waits for a reply from the OCSP responder before dropping the connection. The value should be less than the handshake timeout set in the Client SSL profile that references the OCSP stapling profile. The default is 8.

  *Clock Skew - Type the maximum allowable time difference between the OCSP responder and the BIG-IP system, in seconds. The default value is 300. It is important that you configure NTP on both the OCSP responder and the BIG-IP system to avoid time issues affecting OCSP responses.

  *Status Age - Type the allowed age of the OCSP response when the nextUpdate field is omitted from the response. The default value is 300.

  *Cache Timeout - Assign the lifetime of the OCSP response in the cache, in seconds. The lower of the response validity period and the cache timeout is used for caching the response. The default is Indefinite, indicating that the response validity period takes precedence.

  Cache Error Timeout - Assign the lifetime of an error response in the cache, in seconds. The default value is 3600.