Using OCSP stapling in TLS-enabled components

OCSP stapling is a technique in which the TLS server “caches” an OCSP response for its own server certificate and sends that response together with the certificate during the TLS handshake. OCSP stapling saves the client a separate connection to the OCSP responder, speeds up the TLS handshake and reduces load on OCSP servers. As such, OCSP stapling is recommended wherever possible.

OCSP stapling is implemented via TLS extensions and a separate OCSP client component.

Server-side setup

To make use of OCSP stapling on the server, you need to take the following steps:

Step 1. Request an OCSP response for your server-side TLS certificate from the OCSP responder. The response can be obtained using the TElHTTPOCSPClient or TElFileOCSPClient component. The OCSPClient sample included with SecureBlackbox (in the \Samples\PKIBlackbox folder) illustrates how this is done.

Step 2. Save the obtained OCSP response to a buffer using the TElOCSPResponse.Save() method for later use. Note that OCSP responses expire. An OCSP response is a collection of one or more “single certificate” responses; each entry in the collection is of type TElOCSPSingleResponse and has ThisUpdate and NextUpdate properties. NextUpdate tells you when an updated response for that entry will be available; after that time the current entry expires and a fresh response must be requested.

Step 3. Set up your TLS server component (most likely an instance of the TElSSLServer class) to handle the OnExtensionsReceived event.

Step 4. In the OnExtensionsReceived event handler you need to:

  • check whether the PeerExtensions.CertificateStatus.Enabled property is true (PeerExtensions is a property of the TElSSLServer class). If it is not true, the client does not support OCSP stapling; do not send an OCSP response to such a client, as it might get confused and crash;
  • create an instance of the TElOCSPResponse class;
  • use its Load() method to load the saved response from the buffer;
  • assign the TElOCSPResponse instance to Extensions.CertificateStatus.OCSPResponse (Extensions is a property of the TElSSLServer class);
  • set Extensions.CertificateStatus.StatusType to cstOCSP;
  • set Extensions.CertificateStatus.Enabled to true.

Client-side setup

To use OCSP stapling on the client, do the following:

Step 1. Before connecting to the server, set the Extensions.CertificateStatus.Enabled property to true (Extensions is a property of the TElSSLClient class and of the other TLS-enabled client classes).

Step 2. Set up your TLS client component to handle the OnExtensionsReceived event. This should also be done before the client connects to the server.

Step 3. In the OnExtensionsReceived event handler you need to:

  • check the PeerExtensions.CertificateStatus.Enabled property. If it is false, no OCSP response was included and the following steps are to be omitted;
  • create an instance of TElOCSPResponse and use its Load() method to read the response from the PeerExtensions.CertificateStatus.OCSPResponse property (which is a buffer);
  • assuming that you use the TElX509CertificateValidator class to validate the server certificate, pass the TElOCSPResponse instance to the TElX509CertificateValidator.AddKnownOCSPResponses() method before calling TElX509CertificateValidator.ValidateForSSL().
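The following Python is an added illustration of the lifecycle described in both procedures above; it is not SecureBlackbox code and does not call its API. It models the server side (the buffer saved in Step 2, a refresh ahead of the earliest NextUpdate, and stapling only when the client signalled support in Step 4) and the client side (accepting a staple only when it covers the server certificate's serial and lies inside its ThisUpdate/NextUpdate window, and otherwise leaving the validator to perform its own OCSP check, as in client Step 3). The SingleResponse and OCSPResponse classes, the fetch callback, the one-hour refresh margin, the serial number and all timestamps are constructed stand-ins, not library types or values.

```python
# Added example, not SecureBlackbox code: the types, the fetch callback and all
# timestamps below are constructed stand-ins for the objects the article names.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Optional


@dataclass(frozen=True)
class SingleResponse:
    """One "single certificate" entry (stands in for TElOCSPSingleResponse)."""
    serial: int
    status: str              # "good", "revoked" or "unknown"
    this_update: datetime
    next_update: datetime

    def covers(self, now: datetime) -> bool:
        return self.this_update <= now < self.next_update


@dataclass(frozen=True)
class OCSPResponse:
    """A loaded response of one or more entries (stands in for TElOCSPResponse)."""
    entries: List[SingleResponse]

    def expires_at(self) -> datetime:
        # The whole response is usable only until its earliest NextUpdate.
        return min(e.next_update for e in self.entries)

    def entry_for(self, serial: int) -> Optional[SingleResponse]:
        return next((e for e in self.entries if e.serial == serial), None)


class StapleCache:
    """Server side: the buffer saved in Step 2 plus the refresh decision."""
    def __init__(self, fetch: Callable[[], OCSPResponse], margin: timedelta):
        self._fetch = fetch      # stands in for the OCSP client of Step 1
        self._margin = margin    # re-fetch this long before NextUpdate
        self._cached: Optional[OCSPResponse] = None

    def needs_refresh(self, now: datetime) -> bool:
        return self._cached is None or now >= self._cached.expires_at() - self._margin

    def get(self, now: datetime) -> OCSPResponse:
        if self.needs_refresh(now):
            self._cached = self._fetch()
        return self._cached


def server_select_staple(cache: StapleCache, client_requested: bool,
                         serial: int, now: datetime) -> Optional[OCSPResponse]:
    """Server Step 4: the response to staple, or None to send no status."""
    if not client_requested:     # PeerExtensions.CertificateStatus.Enabled is false
        return None
    resp = cache.get(now)
    entry = resp.entry_for(serial)
    if entry is None or not entry.covers(now):
        return None              # never staple a response that is already stale
    return resp


def client_evaluate_staple(staple: Optional[OCSPResponse], serial: int,
                           now: datetime) -> str:
    """Client Step 3: the status to trust, or "fallback" so the validator
    queries OCSP itself (no staple, wrong certificate, or expired entry)."""
    if staple is None:
        return "fallback"
    entry = staple.entry_for(serial)
    if entry is None or not entry.covers(now):
        return "fallback"
    return entry.status


def run_demo() -> dict:
    """Walks both sides through several handshakes on constructed data."""
    start = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    clock, serial, fetches = {"now": start}, 0x1234, {"n": 0}

    def fetch() -> OCSPResponse:   # constructed responder: 6-hour validity window
        fetches["n"] += 1
        t = clock["now"]
        return OCSPResponse([SingleResponse(serial, "good", t, t + timedelta(hours=6))])

    cache, out = StapleCache(fetch, margin=timedelta(hours=1)), {}
    # Handshake 1: client sent status_request; a fresh response is fetched and stapled.
    s1 = server_select_staple(cache, True, serial, clock["now"])
    out["h1_stapled"] = s1 is not None
    out["h1_client"] = client_evaluate_staple(s1, serial, clock["now"])
    # Handshake 2: a client without the extension gets nothing and must fall back.
    clock["now"] = start + timedelta(hours=1)
    s2 = server_select_staple(cache, False, serial, clock["now"])
    out["h2_client"] = client_evaluate_staple(s2, serial, clock["now"])
    # Handshake 3: inside the one-hour margin before NextUpdate, so the cache re-fetches.
    clock["now"] = start + timedelta(hours=5, minutes=30)
    s3 = server_select_staple(cache, True, serial, clock["now"])
    out["fetches"] = fetches["n"]
    out["h3_client"] = client_evaluate_staple(s3, serial, clock["now"])
    # A staple for another certificate, or an expired entry, is ignored by the client.
    out["wrong_serial"] = client_evaluate_staple(s3, serial + 1, clock["now"])
    stale = OCSPResponse([SingleResponse(serial, "good", start - timedelta(days=2),
                                         start - timedelta(days=1))])
    out["expired"] = client_evaluate_staple(stale, serial, clock["now"])
    return out
```

The refresh margin is the practical point of Step 2: a server that re-fetches only once NextUpdate has passed will staple an expired response (or none at all) during the gap, so refreshing ahead of expiry keeps every handshake covered. On the client side, treating a missing or unusable staple as "fallback" rather than "good" is what keeps the revocation check from being silently skipped.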
