Setting up Apache with OCSP stapling (20 Dec 2009)
OCSP is the Online Certificate Status Protocol. It's a way for TLS clients to check if a certificate is expired. A certificate with OCSP enabled includes a URL to which a client can send a POST request and receive a signed statement that a given certificate is still valid.
This adds quite a bit of latency to the TLS connection setup as the client has to perform a DNS lookup on the OCSP server hostname, create an HTTP connection and perform the request-response transaction.
OCSP stapling allows the TLS server to include a recent OCSP response in the TLS handshake so that the client doesn't have to perform its own check. This also reduces load on the OCSP server.
Apache recently got support for OCSP stapling and this post details how to set it up.
1. Prerequisites
Apache support got added in this revision. At the time of writing, no release of Apache includes this so we get it from SVN below.
OpenSSL support was added in 0.9.8h. The version in Ubuntu Karmic is not recent enough, so I pulled the packages from lucid for this:
cd /tmp wget 'http://mirrors.kernel.org/ubuntu/pool/main/o/openssl/openssl_0.9.8k-7ubuntu3_amd64.deb' wget 'http://mirrors.kernel.org/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8k-7ubuntu3_amd64.deb' wget 'http://mirrors.kernel.org/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8k-7ubuntu3_amd64.deb' sudo dpkg -i openssl_0.9.8k-7ubuntu3_amd64.deb libssl0.9.8_0.9.8k-7ubuntu3_amd64.deb libssl-dev_0.9.8k-7ubuntu3_amd64.deb
2. Building Apache
As noted, we need the SVN version of Apache at the time of writing. I'll be using some paths in the following that you should change (like /home/agl/local/ocsp):
svn checkout http://svn.apache.org/repos/asf/httpd/httpd/trunk httpd cd httpd svn co http://svn.apache.org/repos/asf/apr/apr/trunk srclib/apr ./buildconf cd srclib/apr ./configure --prefix=/home/agl/local/ocsp
At this point, I had to patch APR in order to get it to build. I suspect this build break will be fixed in short order but, for the sake of completeness, here's the patch that I applied:
--- poll/unix/pollset.c (revision 892677) +++ poll/unix/pollset.c (working copy) @@ -129,6 +129,8 @@ static apr_status_t close_wakeup_pipe(apr_pollset_t *pollset) { + apr_status_t rv0, rv1; + /* Close both sides of the wakeup pipe */ if (pollset->wakeup_pipe[0]) { rv0 = apr_file_close(pollset->wakeup_pipe[0]);
Now we can build and install Apache itself. Since we are giving a prefix option, this doesn't conflict with any system installs.
cd ../.. ./configure --prefix=/home/agl/local/ocsp --with-apr=/home/agl/local/ocsp --enable-ssl --enable-socache-dbm
Again, for the sake of completeness, I'll mention that Apache SVN had a bug at the time of writing that will stop OCSP stapling from working:
--- modules/ssl/ssl_util_stapling.c (revision 892677) +++ modules/ssl/ssl_util_stapling.c (working copy) @@ -414,6 +414,10 @@ goto done; } + if (uri.port == 0) { + uri.port = APR_URI_HTTP_DEFAULT_PORT; + } + *prsp = modssl_dispatch_ocsp_request(&uri, mctx->stapling_responder_timeout, req, conn, vpool);
Then build and install it...
make -j4 make install
3. Generating certs
For this example, I'll be generating a CA cert, a server cert and an OCSP responder cert for that CA. In the real world you'll probably be getting the certs from a true CA, so you can skip this step.
cd /home/agl/local/ocsp mkdir certs && cd certs wget 'https://fedorahosted.org/pkinit-nss/browser/doc/openssl/make-certs.sh?format=txt' mv make-certs.sh\?format=txt make-certs.sh /bin/bash ./make-certs.sh europa.sfo.corp.google.com test@example.com all ocsp:http://europa.sfo.corp.google.com/ cat ocsp.crt ocsp.key > ocsp.pem
Now I'm going to add the CA that was just generated to the CA set. Firstly, Chromium uses an NSS database in your home directory:
certutil -d sql:/home/agl/.pki/nssdb -A -n testCA -i ~/local/ocsp/certs/ca.crt -t Cu,,
OpenSSL uses a file of PEM certs:
cd /etc/ssl cp cert.pem cert.pem.orig rm cert.pem cat cert.pem.orig /home/agl/local/ocsp/certs/ca.crt > cert.pem
4. Running the responder
In the real world, the OCSP responder is run by the CA that you got your certificate from. But here I'm going to be running my own since I generated a new CA in section 3.
cd ~/local/ocsp touch index.txt sudo openssl ocsp -index index.txt -port 80 -rsigner certs/ca.pem -CA certs/ca.pem
5. Configuring Apache
I won't cover the basics of configuring Apache here. There are plenty of documents on the web about that. I'll just note that I have Apache only listening on port 443 since my OCSP responder is running on 80.
The config that you'll need is roughly this:
SSLStaplingCache dbm:/tmp/staples SSLCACertificateFile "/etc/ssl/cert.pem" SSLUseStapling on
(You probably want to choose a better location for the cache.)
Apache will parse its server certificate on startup and extract the OCSP responder URL. It needs to find the CA certificate in order to validate OCSP responces and that's why the SSLCACertificateFile directive is there (and why we added the CA to that file in section 3).
After restarting Apache, look in the error.log. What you don't want to see is the following:
[Sun Dec 20 17:24:28 2009] [error] ssl_stapling_init_cert: Can't retrieve issuer certificate! [Sun Dec 20 17:24:28 2009] [error] Unable to configure server certificate for stapling
That means that Apache couldn't find the CA cert.
There are other directives, but they are currently undocumented. Your best bet is to look at the original Apache bug and the commit itself.