7.11 Ensure OCSP Stapling Is Enabled - SSLUseStapling

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

OCSP (Online Certificate Status Protocol) provides the current revocation status of an X.509 certificate, which lets a certificate authority revoke a signed certificate before its expiration date. The URI of the OCSP responder is included in the certificate, and the browser queries it. The Apache 'SSLUseStapling' directive, together with the 'SSLStaplingCache' directive, is recommended to enable OCSP stapling on the web server. If the client requests OCSP stapling, the web server can then include the OCSP responder's signed response along with its own X.509 certificate.

Rationale:

The OCSP protocol is a big improvement over CRLs (certificate revocation lists) for checking whether a certificate has been revoked. There are, however, some minor privacy and efficiency concerns with OCSP. Because the browser has to contact a third-party CA, it discloses that the browser is configured for OCSP checking. Also, the already high overhead of establishing an SSL connection is increased by the additional OCSP requests and responses. OCSP stapling improves the situation by having the SSL server 'staple' an OCSP response, signed by the OCSP responder, to the certificate it presents to the client. This removes the need for the client to ask the OCSP responder for status information on the server certificate. However, the client will still need to make OCSP requests for any intermediate CA certificates that are typically used to sign the server's certificate.

Solution

Perform the following to implement the recommended state:
Add or modify the 'SSLUseStapling' directive to have a value of 'on' in the server-level Apache configuration and in every SSL-enabled virtual host. Also ensure that 'SSLStaplingCache' is set to one of the three cache types, similar to the examples below.

SSLUseStapling On
SSLStaplingCache 'shmcb:logs/ssl_staple_cache(512000)'
- or -
SSLStaplingCache 'dbm:logs/ssl_staple_cache.db'
- or -
SSLStaplingCache dc:UNIX:logs/ssl_staple_socket
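As an added worked check (not part of the CIS benchmark or of Apache), the POSIX shell/awk script below scans a single Apache configuration file for the directives above: it reports a missing SSLStaplingCache, a missing server-level 'SSLUseStapling on', and any virtual host with 'SSLEngine on' whose effective SSLUseStapling is not 'on' (a virtual host that sets nothing inherits the server-level value, following Apache's directive merging; an explicit 'off' still fails). It assumes the relevant directives are in the one file given, does not follow Include directives, and the sample configs it writes are constructed.

```shell
# Added audit helper, not from the CIS benchmark or Apache. Scans one config
# file; Include'd files are not followed. Returns 0 if compliant, 1 on findings.
check_stapling() {
  awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    BEGIN { n = 0; cur = 0; srv = 0; cache = 0 }
    /^[ \t]*#/ { next }                             # skip comment lines
    {
      line = tolower(trim($0))
      if (line ~ /^<virtualhost/) { n++; name[n] = trim($0); cur = n; next }
      if (line ~ /^<\/virtualhost>/) { cur = 0; next }
      if (cur && line ~ /^sslengine[ \t]+on$/) eng[cur] = 1
      if (line ~ /^sslusestapling[ \t]+/) {
        v = (line ~ /[ \t]on$/) ? 1 : -1           # 1 = on, -1 = off/other
        if (cur) stap[cur] = v; else srv = v        # vhost vs server level
      }
      if (line ~ /^sslstaplingcache[ \t]+[^ \t]/) cache = 1
    }
    END {
      bad = 0
      if (!cache) { print "FAIL: SSLStaplingCache is not set"; bad = 1 }
      if (srv != 1) { print "FAIL: SSLUseStapling on missing at server level"; bad = 1 }
      for (i = 1; i <= n; i++) {
        if (!(i in eng)) continue                   # only SSL-enabled vhosts
        eff = (i in stap) ? stap[i] : srv           # explicit, else inherited
        if (eff != 1) { print "FAIL: " name[i] " lacks effective SSLUseStapling on"; bad = 1 }
      }
      exit bad
    }' "$1"
}
# Constructed sample configs (not real server files) to exercise the check.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/good.conf" <<'EOF'
SSLUseStapling on
SSLStaplingCache "shmcb:logs/ssl_staple_cache(512000)"
<VirtualHost *:443>
    SSLEngine on
    SSLUseStapling on
</VirtualHost>
EOF
cat > "$SAMPLES/bad.conf" <<'EOF'
SSLStaplingCache "shmcb:logs/ssl_staple_cache(512000)"
<VirtualHost *:443>
    SSLEngine on
    SSLUseStapling off
</VirtualHost>
EOF
check_stapling "$SAMPLES/good.conf" && echo "good.conf: compliant"
check_stapling "$SAMPLES/bad.conf" || echo "bad.conf: noncompliant (exit $?)"
```

Run it against a copy of the real server configuration once the directives above are in place; a non-zero exit status lists each finding on its own FAIL line.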

See Also

https://workbench.cisecurity.org/files/2381