
If Require Server Name Indication is checked on the binding of an IIS site, OCSP stapling is disabled for the site.

This is easily confirmed by enabling SNI for a site that currently doesn't require it, and checking using https://www.ssllabs.com/ssltest/ or openssl:

openssl s_client -connect foobar.com:443 -servername foobar.com -tls1 -tlsextdebug -status

Does anyone have a workaround for this so that clients of SNI-enabled sites can enjoy the benefits of OCSP stapling?

franzo

2 Answers


According to Microsoft this behavior is disabled by default, because of potential performance issues.

To enable OCSP stapling for SNI and CCS bindings, locate the following registry subkey: "EnableOcspStaplingForSni"=dword:00000001 under Registry path: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]

PowerShell snippet:

# Creates the DWORD value; run from an elevated PowerShell session
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\" -Name "EnableOcspStaplingForSni" -PropertyType DWord -Value 1

Microsoft reference article: the article concerns Windows Server 2012, but I have tested this, and it is still relevant for 2016 as well.

OCSP stapling

Online Certificate Status Protocol (OCSP) stapling enables a web server, such as Internet Information Services (IIS), to provide the current revocation status of a server certificate when it sends the server certificate to a client during the TLS handshake. This feature reduces the load on OCSP servers because the web server can cache the current OCSP status of the server certificate and send it to multiple web clients. Without this feature, each web client would try to retrieve the current OCSP status of the server certificate from the OCSP server. This would generate a high load on that OCSP server.

By default, OCSP support is enabled for IIS websites that have a simple secure (SSL/TLS) binding. However, this support is not enabled by default if the IIS website is using either or both of the following types of secure (SSL/TLS) bindings:

  • Require Server Name Indication

  • Use Centralized Certificate Store

In this case, the server hello response during the TLS handshake won't include an OCSP stapled status by default. This behavior improves performance: The Windows OCSP stapling implementation scales to hundreds of server certificates. Because SNI and CCS enable IIS to scale to thousands of websites that potentially have thousands of server certificates, setting this behavior to be enabled by default may cause performance issues.

Note: Enabling this registry key has a potential performance impact.

Jim Wolff
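The registry change above, applied idempotently with a read-back and an optional openssl probe. This is an added example, not code from Jim Wolff's answer or from Microsoft's article; it assumes an elevated PowerShell session on Windows Server 2012 R2 or later, openssl.exe on PATH for the probe step, and uses `$siteHost` as a placeholder hostname.

```powershell
# Added example (not from the original answer). Enables OCSP stapling for SNI and
# CCS bindings idempotently, reads the value back, and optionally probes a site
# with openssl. Assumptions: elevated PowerShell on Windows Server 2012 R2 or
# later; openssl.exe on PATH for the probe; $siteHost is a placeholder.
param(
    [string]$siteHost = 'www.example.com'   # placeholder; replace with an SNI-enabled site
)

$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$valueName = 'EnableOcspStaplingForSni'

# Read the current value without erroring if it does not exist yet.
$current = (Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue).$valueName

if ($null -eq $current) {
    New-ItemProperty -Path $regPath -Name $valueName -PropertyType DWord -Value 1 | Out-Null
    Write-Host "Created $valueName = 1"
}
elseif ($current -ne 1) {
    Set-ItemProperty -Path $regPath -Name $valueName -Value 1
    Write-Host "Changed $valueName from $current to 1"
}
else {
    Write-Host "$valueName is already 1; nothing to do"
}

# Read back and fail loudly if the value did not stick (e.g. not elevated).
$after = (Get-ItemProperty -Path $regPath -Name $valueName).$valueName
if ($after -ne 1) { throw "$valueName is $after, expected 1" }

# Assumption: Schannel reads this key at startup, so a reboot (or at least an
# IIS restart) is needed before the new behaviour shows up in handshakes.
Write-Host 'Restart the server (or IIS) for Schannel to pick up the change.'

# Optional probe. The client must advertise status_request (-status) and send
# SNI (-servername), otherwise nothing is stapled regardless of the key. The
# server staples only once it has fetched and cached an OCSP response, so run
# the probe twice if the first handshake reports no response.
if (Get-Command openssl -ErrorAction SilentlyContinue) {
    $probe = 'Q' | & openssl s_client -connect "${siteHost}:443" -servername $siteHost -status 2>&1 |
        Select-String -Pattern 'OCSP Response Status|OCSP response: no response sent'
    if ($probe) { $probe | ForEach-Object { $_.Line } }
    else { Write-Host 'No OCSP status line found in openssl output' }
}
```

Run it as a script (`.\Enable-OcspStaplingForSni.ps1 -siteHost foobar.com`). A line reading `OCSP Response Status: successful (0x0)` means the stapled response arrived; `OCSP response: no response sent` means the binding is still not stapling, which after the restart usually points at the server not yet having fetched the response from the CA's responder.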

Create a DWORD reg value EnableOcspStaplingForSni under HKLM\System\CurrentControlSet\Control\SecurityProviders\Schannel\ and set it to a non-zero value.

chicks
Andrei