OCSP stapling

The Citrix ADC implementation of CRL and OCSP reports the revocation status of client certificates only. To check the revocation status of a server certificate received during an SSL handshake, a client must send a request to a certificate authority.

For websites with heavy traffic, many clients receive the same server certificate. If each client sent a query for the revocation status of the server certificate, the certificate authority would be inundated with OCSP requests to check the validity of the certificate.

OCSP stapling solution

To avoid unnecessary congestion, the Citrix ADC appliance now supports OCSP stapling. That is, the appliance can now send the revocation status of a server certificate to a client, at the time of the SSL handshake, after validating the certificate status from an OCSP responder. The revocation status of a server certificate is “stapled” to the response the appliance sends to the client as part of the SSL handshake. To use the OCSP stapling feature, you must enable it on an SSL virtual server and add an OCSP responder on the appliance.

Note:

• Citrix ADC appliances support OCSP stapling as defined in RFC 6066.

• OCSP stapling is supported only on the front-end of Citrix ADC appliances.

重要的是:

Citrix ADC support for OCSP stapling is limited to handshakes using TLS protocol version 1.0 or higher.

OCSP response caching of server certificates

During the SSL handshake, when a client requests the revocation status of the server certificate, the appliance first checks its local cache for an entry for this certificate. If a valid entry is found, it is evaluated and the server certificate and its status are presented to the client. If a revocation status entry is not found, the appliance sends a request for the revocation status of the server certificate to the OCSP responder. If it receives a response, it sends the certificate and the revocation status to the client. If the next update field is present in the OCSP response, the response is cached for the configured length of time (value specified in the timeout field.)

Note: From release 12.1 build 49.x, you can clear the cached response, of the server certificate, from the OCSP responder even before the timeout expires. Earlier, it was not possible to discard the cached status in the certificate-key pair until the configured timeout was over.

To clear the cached status by using the CLI, at the command prompt, type:

clear ssl certKey  -ocspstaplingCache 

Example:

clear ssl certKey s1 -ocspstaplingCache 

To clear the cached status by using the GUI

1. In the GUI, navigate toTraffic Management>SSL>Certificates>CA Certificates.
2. In the details pane, select a certificate.
3. In theSelect Actionlist, selectClear. When prompted to confirm, clickYes.

OCSP stapling configuration

Configuring OCSP stapling involves enabling the feature and configuring OCSP. To configure OCSP, you must add an OCSP responder, bind the OCSP responder to a CA certificate, and bind the certificate to an SSL virtual server.

Note:

OCSP responders with only HTTP based URL are supported.

Enable OCSP stapling by using the CLI

At the command prompt, type:

set ssl vserver  -ocspstapling [ENABLED | DISABLED] 

Example:

启用ssl设置vserver vip1 -ocspStapling shssl vserver vip1 Advanced SSL configuration for VServer vip1: DH: DISABLED DH Private-Key Exponent Size Limit: DISABLED Ephemeral RSA: ENABLED Refresh Count: 0 Session Reuse: ENABLED Timeout: 120 seconds Cipher Redirect: DISABLED SSLv2 Redirect: DISABLED ClearText Port: 0 Client Auth: DISABLED SSL Redirect: DISABLED Non FIPS Ciphers: DISABLED SNI: ENABLED OCSP Stapling: ENABLED SSLv2: DISABLED SSLv3: DISABLED TLSv1.0: ENABLED TLSv1.1: ENABLED TLSv1.2: ENABLED Push Encryption Trigger: Always Send Close-Notify: YES ECC Curve: P_256, P_384, P_224, P_521 1) CertKey Name: server_certificate1 Server Certificate 1) Cipher Name: DEFAULT Description: Default cipher list with encryption strength >= 128bit Done 

Note:If the default (enhanced) profile is enabled, use theset ssl profile -ocspStapling [ENABLED | DISABLED]command to enable or disable OCSP.

Enable OCSP stapling by using the GUI

1. Navigate toTraffic Management>SSL>Virtual Server.
2. Open a virtual server and, inSSL Parameters, selectOCSP Stapling.

OCSP configuration

An OCSP responder is added dynamically or manually to send OCSP stapling requests. An internal responder is dynamically added when you add a server certificate and its issuer certificate based on the OCSP URL in the server certificate. A manual OCSP responder is added from the CLI or GUI. To send an OCSP request for a server certificate, the Citrix ADC appliance selects an OCSP responder based on the priority assigned to it when binding it to an issuer certificate. If a responder fails to send an OCSP stapling request, the responder with the next highest priority is selected for sending the request. For example, if only one responder is manually configured and it fails and a dynamically bound responder exists, it is selected for sending the OCSP request.

If the OCSP URL is other than HTTP, an internal OCSP responder is not created.

Note

A manually added OCSP responder takes precedence over a dynamically added responder.

Difference between a manually created OCSP responder and an internally created OCSP responder

Example of request handling:

1. Add a virtual server (VIP1).
2. Add issuer certificate (CA1) and bind it to VIP1.
3. Add three certificates S1, S2, and S3. Internal responders resp1, resp2, and resp3 respectively are created by default.
4. Bind S3 to VIP1.
5. A request comes to VIP1. Responder resp3 is selected.

To create an internal OCSP responder dynamically, the appliance needs the following:

• Certificate of the issuer of the server certificate (usually the CA certificate).
• Certificate-key pair of the server certificate. This certificate must contain the OCSP URL provided by the certificate authority. The URL is used as the name of the dynamically added internal responder.

An internal OCSP responder has the same default values as a manually configured responder.

Note:

Caching is disabled by default on an internal responder. Use theset ssl ocspRespondercommand to enable caching.

Configure OCSP by using the CLI

At the command prompt, type the following commands to configure OCSP and verify the configuration:

添加ssl certKey < certkeyName > (cert <字符串> (password]) [-key  | -fipsKey  | -hsmKey ] [-inform ] [-expiryMonitor ( ENABLED | DISABLED ) [-notificationPeriod ]] [-bundle ( YES | NO )] add ssl ocspResponder  -url  [-cache ( ENABLED | DISABLED )[-cacheTimeout ]] [-resptimeout ] [-responderCert  | -trustResponder] [-producedAtTimeSkew ][-signingCert ][-useNonce ( YES | NO )][ -insertClientCert ( YES | NO )] bind ssl certKey [] [-ocspResponder ] [-priority ] show ssl ocspResponder [] 

Parameters:

httpMethod:

HTTP method used to send OCSP requests. For requests, less than 255 bytes long, you can configure the HTTP GET method for queries to an OCSP server. If you specify the GET method but the length is greater than 255 bytes, the appliance uses the default method (POST).

Possible values: GET, POST

Default value: POST

ocspUrlResolveTimeout:

Time, in milliseconds, to wait for an OCSP URL resolution. After this time elapses, the responder with the next higher priority is selected. If all the responders fail, an error message appears or the connection is dropped, depending on the settings on the virtual server.

Minimum value: 100

Maximum value: 2000

Example:

add ssl certkey root_ca1 –cert root_cacert.pem add ssl ocspResponder ocsp_responder1 -url "http:// www.myCA.org:80/ocsp/" -cache ENABLED -cacheTimeout 30 -resptimeout 100 -responderCert responder_cert -producedAtTimeSkew 300 -signingCert sign_cert -insertClientCert YES bind ssl certKey root_ca1 -ocspResponder ocsp_responder1 -priority 1 sh ocspResponder ocsp_responder1 1)Name: ocsp_responder1 URL: http://www.myCA.org:80/ocsp/, IP: 192.128.22.22 Caching: Enabled Timeout: 30 minutes Batching: 8 Timeout: 100 mS HTTP Request Timeout: 100mS Request Signing Certificate: sign_cert Response Verification: Full, Certificate: responder_cert ProducedAt Time Skew: 300 s Nonce Extension: Enabled Client Cert Insertion: Enabled Done show certkey root_ca1 Name: root_ca1 Status: Valid, Days to expiration:8907 Version: 3 … 1) OCSP Responder name: ocsp_responder1 Priority: 1 Done 

Modify OCSP by using the CLI

You cannot modify the name of an OCSP responder, but you can use theset ssl ocspRespondercommand to change any of the other parameters.

At the command prompt, type the following commands to set the parameters and verify the configuration:

set ssl ocspResponder  [-url ] [-cache ( ENABLED | DISABLED)] [-cacheTimeout ] [-resptimeout ] [ -responderCert  | -trustResponder][-producedAtTimeSkew ][-signingCert ] [-useNonce ( YES | NO )] unbind ssl certKey [] [-ocspResponder ] bind ssl certKey [] [-ocspResponder ] [-priority ] show ssl ocspResponder [] 

Configure OCSP by using the GUI

1. Navigate toTraffic Management>SSL>OCSP Responder, and configure an OCSP responder.
2. Navigate toTraffic Management>SSL>Certificates, select a certificate, and in theActionlist, selectOCSP Bindings.Bind an OCSP responder.
3. Navigate toTraffic Management>Load Balancing>Virtual Servers, open a virtual server, and click in the Certificates section to bind a CA certificate.
4. 可选地,选择OCSP Mandatory.

Note:

The insert client certificate parameter in theadd ssl ocspResponderand theset ssl ocspRespondercommands is no longer valid. That is, the parameter is ignored during configuration.