Question

SSL Labs OCSP Stapling NO. OpenSSL test successful

Posted June 1, 2020 356 views
Apache

I have read the setup on your site for OCSP Stapling. SSL Labs states NO on OCSP Stapling.

Ubuntu 20.04
OpenSSL 1.1.1g
Apache2 2.4.43

<VirtualHost *:443>
        Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
        ServerName wp.scsiraidguru.com
        ServerAdmin mike.mckenney@scsiraidguru.com
        ServerAlias www.scsiraidguru.com scsiraidguru.com
        DocumentRoot /var/www/wp.scsiraidguru.com/public_html

        SSLEngine On
        SSLCertificateFile /etc/apache2/ssl/96e3c185b09b612a.crt
        SSLCertificateKeyFile /etc/apache2/ssl/5Cert.key
        SSLCACertificateFile /etc/apache2/ssl/gd_bundle-g2-g1.crt
        SSLUseStapling on
        Header always set X-Frame-Options DENY
        Header always set X-Content-Type-Options nosniff

        ErrorLog /var/log/apache2/wp.scsiraidguru.com/error.log
        CustomLog /var/log/apache2/wp.scsiraidguru.com/access.log combined

</VirtualHost>

<VirtualHost *:80>
    ServerName wp.scsiraidguru.com
    ServerAlias www.scsiraidguru.com scsiraidguru.com
       Redirect permanent / https://wp.scsiraidguru.com
</VirtualHost>

## Only enable TLS v1.2 and v1.3 and avoid older protocols ##
SSLProtocol -all +TLSv1.3 +TLSv1.2
SSLOpenSSLConfCmd Curves X25519:secp521r1:secp384r1:prime256v1
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:+HIGH:!MEDIUM:!LOW:!CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:!RSA:!3DES:!SRP:!DSS:!SHA1:!SHA256:!SHA384
SSLHonorCipherOrder on
SSLCompression      off
SSLSessionTickets   off

## Permission for our DocumentRoot  ##
<Directory /var/www/wp.scsiraidguru.com/public_html>
        Options Indexes FollowSymLinks
        AllowOverride All
        </Directory>

# OCSP Stapling
SSLStaplingCache shmcb:/var/log/apache2/wp.scsiraidguru.com/ssl_stapling_cache(128000)
SSLSessionCache         shmcb:/var/log/apache2/ssl_scache(512000)
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

I am using GoDaddy certificates and bundle. Certificate shows ocsp.godaddy.com

echo QUIT | openssl s_client -connect wp.scsiraidguru.com:443 -status 2> /dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2
    Produced At: May 31 14:16:36 2020 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: B6080D5F6C6B76EB13E438A5F8660BA85233344E
      Issuer Key Hash: 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE
      Serial Number: 96E3C185B09B612A
    Cert Status: good
    This Update: May 31 14:16:36 2020 GMT
    Next Update: Jun  2 02:16:36 2020 GMT

I have my own Ubuntu 20.04 DNS/DHCP servers. Ping and nslookup work. No access.log or error.log errors.

Any ideas?
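
Added example, not part of the original question: a small POSIX shell script that runs the same "openssl s_client -status" probe as above, classifies what the server actually stapled, reads the staple's Next Update time, and can query the responder named in the certificate's AIA extension directly. It assumes OpenSSL 1.1.1 (for -servername, -noservername and x509 -ocsp_uri) and, for the freshness check only, GNU date; host names, file paths and the system CA bundle path (/etc/ssl/certs/ca-certificates.crt, Ubuntu's) are assumptions, and the sample output embedded in it is constructed from the response shown in the question.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes OpenSSL 1.1.1 and,
# for staple_is_fresh, GNU date. Hosts and paths given as arguments are
# assumptions; /etc/ssl/certs/ca-certificates.crt is Ubuntu's CA bundle.

# parse_staple: read "openssl s_client -status" output on stdin and print one
# word: good, revoked, unknown (responder does not know the serial),
# error (responder returned a non-successful status) or none (no staple sent).
parse_staple() {
    awk '
        /OCSP response: no response sent/        { verdict = "none" }
        /OCSP Response Status:/ && !/successful/ { verdict = "error" }
        /Cert Status: good/                      { verdict = "good" }
        /Cert Status: revoked/                   { verdict = "revoked" }
        /Cert Status: unknown/                   { verdict = "unknown" }
        END { print (verdict == "" ? "none" : verdict) }
    '
}

# staple_next_update: print the staple's "Next Update" time, empty if absent.
staple_next_update() {
    sed -n 's/^ *Next Update: *//p'
}

# staple_is_fresh NEXT_UPDATE [NOW_EPOCH]: succeed if NEXT_UPDATE is still in
# the future. A server that keeps serving a staple past Next Update is seen by
# clients as having no usable staple. Uses GNU date syntax.
staple_is_fresh() {
    exp=$(date -u -d "$1" +%s) || return 2
    now=${2:-$(date -u +%s)}
    [ "$exp" -gt "$now" ]
}

# check_staple HOST [SNI|-]: probe HOST:443 and classify the staple. SNI
# defaults to HOST; pass "-" to send no SNI at all, which reaches the default
# virtual host for that address rather than the named one.
check_staple() {
    host=$1
    case ${2:-$1} in
        -) sni_opt=-noservername ;;
        *) sni_opt="-servername ${2:-$1}" ;;
    esac
    # shellcheck disable=SC2086  # sni_opt is intentionally word-split
    printf 'QUIT\n' | openssl s_client -connect "$host:443" $sni_opt -status 2>/dev/null | parse_staple
}

# responder_check CERT ISSUER: ask the responder named in CERT's AIA extension
# directly, which is the request mod_ssl itself has to make (outbound HTTP from
# the web server). ISSUER is the CA bundle; openssl uses its first certificate
# as the issuer for the request and the whole file as untrusted chain material.
responder_check() {
    cert=$1; issuer=$2
    uri=$(openssl x509 -noout -ocsp_uri -in "$cert") || return 2
    echo "responder: $uri"
    openssl ocsp -issuer "$issuer" -cert "$cert" -url "$uri" \
        -CAfile /etc/ssl/certs/ca-certificates.crt -verify_other "$issuer" -resp_text
}

# sample_stapled / sample_unstapled: constructed s_client output, trimmed to the
# lines the functions above look at (the stapled one mirrors the question's).
sample_stapled() {
    cat <<'EOF'
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: May 31 14:16:36 2020 GMT
    Next Update: Jun  2 02:16:36 2020 GMT
======================================
EOF
}
sample_unstapled() {
    echo "OCSP response: no response sent"
}

# Usage: ./check_staple.sh HOST [SNI|-]
if [ $# -gt 0 ]; then
    check_staple "$@"
fi
```

"check_staple wp.example.com" probes with SNI, as browsers and SSL Labs do; "check_staple wp.example.com -" sends none and so lands on whichever virtual host is the default for that address, which is worth comparing when two tools disagree about the same name. "responder_check leaf.crt gd_bundle.crt" has to succeed when run on the web server itself, because mod_ssl makes that same outbound request to fetch the response it staples.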

2 answers

Hi @mikemckenney,

While looking at the apache configuration file I noticed the following

        SSLCertificateFile /etc/apache2/ssl/96e3c185b09b612a.crt
        SSLCertificateKeyFile /etc/apache2/ssl/5Cert.key
        SSLCACertificateFile /etc/apache2/ssl/gd_bundle-g2-g1.crt

Those are the SSL files given for the domain wp.scsiraidguru.com, are you sure the SSL is properly added there?

Another thing I found is that both wp.scsiraidguru.com and scsiraidguru.com are not loading from your DigitalOcean droplet. At the moment they are pinging from the IP 50.4.203.235. If you want to have them ping from your Droplet with DigitalOcean, update your DNS from your registrar - GoDaddy. Once you point them to your server, everything should start loading properly.

Regards,
KDSys

@KDSys, I read the OCSP article by Jesin A on your site.

I figured I would ask your community forum. I read that websites should have OCSP stapling, so I am trying to get it working fully.

I followed it. It is hosted at my house on my DL 360e Gen8 under VMware 6U3. I have 7 virtual hosts on the two WordPress servers. Two of them are my family sites, which are over 160 GB each of videos and pictures. I back up to tape to protect them. Fortinet 60E firewall for protection.

DNS is properly configured and resolves from GoDaddy. Fortinet 60E firewall VIP rules allow port 80 and 443 traffic to the virtual servers. Websites resolve and redirect to port 443. Do they need to resolve to port 80 for OCSP to work? I can get the response, but it doesn't write to the log files.

I saw someone posted that ocsp.godaddy.com uses port 80. GoDaddy is useless for help.

Ubuntu, Apache, and OpenSSL are on the latest version.

I added these files for shmcb.

sudo a2enmod file_cache
sudo a2enmod authn_socache
sudo a2enmod socache_shmcb

My OCSP Stapling notes page

The cache's original path was var/log/apache2/. The permissions are www-data:www-data. Every virtual host has a subdirectory under it for the access.log and error.log.

ErrorLog /var/log/apache2/wp.scsiraidguru.com/error.log
CustomLog /var/log/apache2/wp.scsiraidguru.com/access.log combined

SSLStaplingCache shmcb:/var/log/apache2/wp.scsiraidguru.com/ssl_stapling_cache(128000)
#SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
SSLSessionCache shmcb:/var/log/apache2/ssl_scache(512000)

I tried SSLStaplingCache "shmcb:logs/ssl_stapling(32768)".

This morning I can get an OCSP response.

echo QUIT | openssl s_client -connect wp.scsiraidguru.com:443 -status 2> /dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2
    Produced At: Jun  1 14:17:36 2020 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: B6080D5F6C6B76EB13E438A5F8660BA85233344E
      Issuer Key Hash: 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE
      Serial Number: 96E3C185B09B612A
    Cert Status: good
    This Update: Jun  1 14:17:36 2020 GMT
    Next Update: Jun  3 02:17:36 2020 GMT
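
Added example, not the poster's configuration and not taken from the linked tutorial: the stapling-related directives of an Apache 2.4 mod_ssl setup in the layout the mod_ssl documentation describes, with the shared-memory caches on absolute paths outside the per-site log directories and the responder-handling options stated explicitly. The file locations, host name and certificate file names are assumptions. Apache accepts comments only on lines of their own, so none are placed after a directive.

```apache
# Added example, not the poster's configuration. Paths and names are
# assumptions.

# --- global server context (for example /etc/apache2/mods-available/ssl.conf
# or a file under conf-available/). SSLStaplingCache is not valid inside a
# <VirtualHost> block.

# Shared-memory caches need mod_socache_shmcb (a2enmod socache_shmcb).
# Use absolute paths: "shmcb:var/log/apache2/..." without a leading slash is
# resolved relative to ServerRoot (/etc/apache2 on Ubuntu), and "logs/" maps
# to /etc/apache2/logs/, not to /var/log/apache2/.
SSLSessionCache  "shmcb:/var/run/apache2/ssl_scache(512000)"
SSLStaplingCache "shmcb:/var/run/apache2/ssl_stapling(32768)"

# Give up on a slow responder after 5 s instead of the default 10 s.
SSLStaplingResponderTimeout 5
# With this off (default on), only a response whose certificate status is
# "good" is stapled; a responder error results in no staple, and the client
# falls back to its own OCSP lookup instead of receiving the error.
SSLStaplingReturnResponderErrors off
# How long a good response is reused before being refreshed (default 3600 s);
# the response's own Next Update still bounds its validity.
SSLStaplingStandardCacheTimeout 3600

# mod_ssl logs its stapling fetches at debug level, so the usual
# "LogLevel warn" shows nothing about them. Raise it for mod_ssl only
# while troubleshooting, then put it back.
LogLevel warn ssl:debug

# --- per-site virtual host
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    # Since 2.4.8 the intermediate chain may follow the leaf in
    # SSLCertificateFile. mod_ssl has to find the leaf's issuer certificate,
    # either in this chain or in SSLCACertificateFile, to build the OCSP
    # request; without the issuer there is nothing it can staple.
    SSLCertificateFile    /etc/apache2/ssl/www.example.com.fullchain.crt
    SSLCertificateKeyFile /etc/apache2/ssl/www.example.com.key
    SSLUseStapling on
</VirtualHost>
```

Two caveats that a practitioner checks before blaming the configuration. mod_ssl fetches the OCSP response on demand during the first handshake that needs it rather than at startup, so the first connection after a restart or reload is served without a staple and only later connections get one from the cache. And the fetch is an outbound HTTP request from the web server to the responder URL in the certificate's AIA extension (for GoDaddy, a plain http:// URL on port 80), so the server itself needs egress to that host; the inbound port 80 virtual host used for the redirect plays no part in it.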