Since everyone can now get free 2-year multi-domain certificates from WoSign, I grabbed one for one of my web sites. However, WoSign’s OCSP server is located in China, which may, depending on your and your server’s location, add noticeable latency while the web browser checks the certificate’s revocation status. In my case, from Europe:
```
PING ocsp6.wosign.com (111.206.66.61) 56(84) bytes of data.
64 bytes from 111.206.66.61: icmp_seq=1 ttl=53 time=428 ms
64 bytes from 111.206.66.61: icmp_seq=2 ttl=53 time=347 ms
64 bytes from 111.206.66.61: icmp_seq=3 ttl=53 time=312 ms
64 bytes from 111.206.66.61: icmp_seq=4 ttl=53 time=328 ms
64 bytes from 111.206.66.61: icmp_seq=5 ttl=53 time=313 ms
```
OCSP stapling comes in handy here: the server fetches the revocation status itself and hands it to the client during the TLS handshake, so the client never has to contact the distant responder. How much latency this saves again depends on where your clients and your server are located.
Here’s the all-in-one shell script in /etc/cron.daily I’m using…

- to create the domain’s OCSP file for HAProxy
- to inject the latest OCSP data into a running HAProxy instance using its stats socket
```sh
#!/bin/sh
# Daily cron job: fetch a fresh OCSP response for the server certificate
# and load it into the running HAProxy instance through its stats socket.
ROOT_CERT_FILE=/etc/ssl/private/wosign-root-bundle.crt
SERVER_CERT_FILE=/etc/haproxy/certs.d/domain.crt
HAPROXY_SOCKET=/var/run/haproxy.socket

# Extract the OCSP responder URL from the certificate's AIA extension
OCSP_URL=$(/usr/bin/openssl x509 -in "$SERVER_CERT_FILE" -text | grep -i ocsp | cut -d":" -f2-2,3)
OCSP_FILE=${SERVER_CERT_FILE}.ocsp

# Query the responder and write the DER-encoded response next to the certificate.
# The Host header is passed explicitly because the responder expects it.
# (OpenSSL 1.1.0 and later spell this option as: -header Host=hostname)
# Stop here if the query fails, so a stale or empty file is never pushed to HAProxy.
/usr/bin/openssl ocsp -noverify -issuer "$ROOT_CERT_FILE" -cert "$SERVER_CERT_FILE" \
    -url "$OCSP_URL" -respout "$OCSP_FILE" \
    -header Host "$(echo "$OCSP_URL" | cut -d"/" -f3)" || exit 1

# HAProxy expects the response base64-encoded on a single line (-w 10000 avoids wrapping)
echo "set ssl ocsp-response $(/usr/bin/base64 -w 10000 "$OCSP_FILE")" | socat stdio "$HAPROXY_SOCKET"
```
To check if OCSP stapling works:

```
openssl s_client -connect mydomain.xyz:443 -tls1 -tlsextdebug -status
```

or for SNI-only configurations:

```
openssl s_client -connect mydomain.xyz:443 -servername mydomain.xyz -tls1 -tlsextdebug -status
```

If it works, there should be an OCSP section in the response like this:
```
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = CN, O = WoSign CA Limited, CN = WoSign Free SSL OCSP Responder(G2)
    Produced At: Mar  8 14:01:14 2015 GMT
    . . .
```
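Eyeballing that output once is fine, but a staple that HAProxy keeps serving after the cron job silently fails is easy to miss. The following is an added example (not part of the original post) of a small POSIX sh function that classifies captured `openssl s_client -status` output as `good`, `revoked`, `nostaple` or `error`, which is enough to drive a monitoring alert. The sample outputs are constructed to mirror what s_client prints; the `SAMPLE_*` names and the `staple_status` function are this example's own, not anything from HAProxy or OpenSSL.

```shell
#!/bin/sh
# Added example: classify the OCSP section of `openssl s_client ... -status` output.
# Usage in a check: staple_status "$(openssl s_client -connect host:443 -servername host -status </dev/null 2>/dev/null)"

# Constructed sample: a valid staple for a certificate that is not revoked.
SAMPLE_GOOD='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = CN, O = Example CA, CN = Example OCSP Responder
    Produced At: Mar  8 14:01:14 2015 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
    Cert Status: good
    This Update: Mar  8 14:01:14 2015 GMT
    Next Update: Mar 15 14:01:14 2015 GMT
======================================'

# Constructed sample: the server sent no staple at all (the line s_client prints in that case).
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent'

# Constructed sample: a staple that says the certificate has been revoked.
SAMPLE_REVOKED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: revoked
    Revocation Time: Mar  9 09:00:00 2015 GMT
    This Update: Mar  9 10:00:00 2015 GMT
======================================'

# staple_status OUTPUT
# Prints one word on stdout and returns 0 only when the staple is present and "good".
staple_status() {
    out="$1"
    # No staple: HAProxy has nothing loaded (cron job never ran, or the socket push failed).
    if printf '%s\n' "$out" | grep -q '^OCSP response: no response sent'; then
        echo nostaple
        return 1
    fi
    # Responder-level failure (tryLater, unauthorized, ...) or a truncated/absent section.
    if ! printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        echo error
        return 1
    fi
    # Certificate-level status from the SingleResponse.
    cs=$(printf '%s\n' "$out" | sed -n 's/^ *Cert Status: *//p' | head -n 1)
    case "$cs" in
        good)    echo good;    return 0 ;;
        revoked) echo revoked; return 1 ;;
        *)       echo error;   return 1 ;;
    esac
}

# staple_next_update OUTPUT
# Prints the "Next Update" timestamp so the check can warn before the staple expires.
staple_next_update() {
    printf '%s\n' "$1" | sed -n 's/^ *Next Update: *//p' | head -n 1
}

staple_status "$SAMPLE_GOOD"
staple_next_update "$SAMPLE_GOOD"
staple_status "$SAMPLE_NONE"
staple_status "$SAMPLE_REVOKED"
```

The same two markers (`OCSP Response Status` and `Cert Status`) also appear in `openssl ocsp -text` output, so the cron job above can run this check on the freshly fetched response before pushing it into HAProxy rather than injecting whatever the responder returned.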
A few notes:

- HAProxy’s stats socket needs to be enabled
- wosign-root-bundle.crt was taken from the Apache bundle in the certificate .zip file I received from WoSign
- /etc/haproxy/certs.d/domain.crt contains the private key and the certificate bundle from the “for Other Server” directory; however, you could remove the last certificate since it’s the root CA cert.
- Requires HAProxy >= 1.5
- If socat is missing, run `apt-get install socat` in Debian/Ubuntu
- Always aim for an A or A+ grade: SSL Server Test