UNPKG

@passmarked/ssl

Version:

Rules that relate to checking the SSL configuration of each individual resolved server from the domain to ensure locked down config with the broadest compatibility

github.com/passmarked/ssl

passmarked/ssl

66 lines (47 loc) 2.39 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
OCSP (*Online Certificate Status Protocol*) stapling allows CA's to revoke the status of a certificate and present a signed message to clients that are connecting to a SSL server. This allows users to check the status of a certificate without having to query the CA directly moving the cost to the server away from the client. It was created as an alternative to CRL to reduce the SSL negotiation time. With CRL (Certificate Revocation List) the browser downloads a list of revoked certificate serial numbers and verifies the current certificate, which increases the SSL negotiation time. While another option to use [*TLS Certificate Status Request extension*](https://tools.ietf.org/html/rfc6961) exists, OSCP gives clients a extra layer of security without any extra processing. When a certificate is revoked via OCSP clients will be presented with a warning. # How do I fix this ? The OCSP can be configured in your favourite web server: ## NGINX In a server block for the website add the following config: ``` ssl_stapling on; ssl_stapling_verify on; ssl_trusted_certificate /etc/ssl/private/ca-certs.pem; ``` ## Testing To test run the following: ``` echo QUIT | openssl s_client -connect example.com:443 -status 2> /dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update' ``` Which should show something like the following: ``` OCSP response: ====================================== OCSP Response Data: OCSP Response Status: successful (0x0) Response Type: Basic OCSP Response Version: 1 (0x0) Responder Id: 4C58CB25F0414F52F428C881439BA6A8A0E692E5 Produced At: May 9 08:45:00 2014 GMT Responses: Certificate ID: Hash Algorithm: sha1 Issuer Name Hash: B8A299F09D061DD5C1588F76CC89FF57092B94DD Issuer Key Hash: 4C58CB25F0414F52F428C881439BA6A8A0E692E5 Serial Number: 0161FF00CCBFF6C07D2D3BB4D8340A23 Cert Status: good This Update: May 9 08:45:00 2014 GMT Next Update: May 16 09:00:00 2014 GMT ``` ## Apache In the configuration block for the requested domain add the following config: ``` SSLCACertificateFile /etc/ssl/ca-certs.pem SSLUseStapling on ``` # Resources * [OCSP stapling](https://en.wikipedia.org/wiki/OCSP_stapling) * [How To Configure OCSP Stapling on Apache and Nginx](https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx)