Questions tagged [ocsp]

Online Certificate Status Protocol (OCSP) is a protocol used for validating the revocation status of X.509 certificates in a PKI, as a real-time alternative to CRLs.

OCSP is a method for checking for revoked certificates in a more scalable manner than CRLs: a client queries an OCSP responder for the status of a single certificate rather than having to download a potentially large CRL.

OCSP is covered by the following RFCs:

More information on OCSP can be found in its Wikipedia article.

72 questions
33 votes, 1 answer

How does OCSP stapling work?

I've been looking into OCSP stapling for HTTPS, which looks pretty interesting. From what I can tell, it's essentially a way of offloading CRLs from the CA to the server, allowing for everything to be done in one connection, which mitigates some…
Polynomial
28 votes, 3 answers

Does any technology prevent a CA unilaterally revoking a certificate?

As far as I can tell, a CA is in a position to unilaterally revoke a certificate via the standard mechanisms (CRL, OCSP). In an increasingly TLS world, what current technology stops a CA shutting down a service they don't like?
Phil Lello
23 votes, 2 answers

SSL/TLS: How to fix "Chain issues: Contains anchor"

I just ran a quick test at ssllabs.com: got A+, which I'm happy about. However there's one thing I don't know how to "fix": My site supports OCSP stapling and ssllabs keeps telling me: Chain issues: Contains anchor. I know this is just a "warning"…
Ben Richard
17 votes, 4 answers

Are SSL certs auto-revoked if their Not-Valid-After date is reached without renewing?

I'm learning about X509 certs used in client-cert authentication to https endpoints. If I have an OCSP checker (Python script that creates, submits, decodes OCSP responses), do I need to check the not-valid-after date on a client…
ericOnline
13 votes, 2 answers

What happens when certificates further up the chain expire before mine? (Equifax/GeoTrust)

I just bought a certificate from RapidSSL. Looking up the chain, I found GeoTrust who is signed by Equifax. Then I realized that the "Equifax Secure Certificate Authority" is due to expire on 2018-08-22 at 16:42 GMT. While my certificate is due to…
Daniel
11 votes, 1 answer

Do long lived TLS connections pose a security risk?

I would like to better understand the implications of maintaining a long lived (hours, days) TLS connection with respect to certificate revocation. As I understand TLS, the client verifies the server's certificate during the handshake and then never…
jdgilday
11 votes, 1 answer

Did D-Link's certificate revocation really only invalidate 1 day (of a six months long exposure)?

I'm trying to wrap my head around the OCSP revocationTime for D-Link's certificate. I recently answered another question and ended up drafting a timeline. That timeline is basically this: Jul 5 00:00:00 2012 GMT. Validity: Not Before Feb 27 …
9 votes, 1 answer

How well do current browsers handle certificate revocation?

I am a Firefox user and recently stumbled upon the Liu, Yabing, et al. "An end-to-end measurement of certificate revocation in the web's PKI." Proceedings of the 2015 Internet Measurement Conference. ACM, 2015 study and after a moment of worry, I…
7 votes, 2 answers

What is the exact difference between regular OCSP and OCSP stapling?

What is the exact difference between the Online Certificate Status Protocol (OCSP) and OCSP stapling, which seems to be "...an alternative approach to the Online Certificate Status Protocol (OCSP)"?
Bob Ortiz
6 votes, 1 answer

How to simply check if a certificate has the OCSP must-staple attribute?

https://www.rfc-editor.org/rfc/rfc7633 https://blog.mozilla.org/security/2015/11/23/improving-revocation-ocsp-must-staple-and-short-lived-certificates/ How can I simply check if a certificate of a website has the OCSP must-staple extension? For…
Tom
5 votes, 2 answers

How to configure Browser to detect revoked certificates?

In the context of the Heartbleed bug I would like to make sure that I can detect if someone tries to do a MITM attack with a stolen certificate, which has since been revoked. The problem is that browsers either only soft-fail or don't check the CRL…
5 votes, 2 answers

Is OCSP Request Signing Necessary?

We can directly request the OCSP server for certificate status. Then why is there an option to sign the request? Is it to identify incoming requests or something?
5 votes, 1 answer

Does Firefox use OCSP?

And if it does use Online Certificate Status Protocol, is there a way to disable it, so that it uses CRL instead?
leeand00
4 votes, 3 answers

Invalid OCSP signing certificate in OCSP response

I want to open the following page in Firefox, and get an error. https://www.acm.nl/nl/ Secure Connection Failed An error occurred during a connection to www.acm.nl. Invalid OCSP signing certificate in OCSP response. (Error code:…
SPRBRN
4 votes, 3 answers

How are CRLsets more secure?

Google Chrome doesn't do typical CRL/OCSP checks; instead it depends on CRLSets. In simple terms, Google scoops up the CRLs from most CAs, trims them down and delivers the CRLSet to the browser via the update mechanism. They claim this is more…
Scott Helme