Requirements: enable OCSP stapling on the website. OCSP stapling is one of the HTTPS optimization techniques: the OCSP request that the client would otherwise have to send in real time is moved to the server side, the Nginx server obtains the OCSP query result and sends it to the client together with the certificate, and the client can skip its own status lookup. This shortens the TLS handshake and improves HTTPS performance.
OCSP
OCSP (Online Certificate Status Protocol) is an online query protocol used to verify the legitimacy and validity of certificates, provided by the Digital Certificate Authority (CA). Every time a user accesses a website via HTTPS, the browser uses an OCSP query to verify that the website's certificate is valid.
When OCSP stapling is enabled, the OCSP query is performed by the web server, which caches the query result locally. When a client performs a TLS handshake with the web server, the server responds with the cached OCSP information together with the certificate, so the client can verify the certificate status without sending its own query to the CA. This greatly improves the efficiency of the TLS handshake, saves the user the verification round trip, and speeds up HTTPS. If you want to make certificate status verification in the HTTPS handshake more efficient and improve website access performance, enable OCSP stapling.
As shown in the following figure:
Online Certificate Status Protocol (OCSP)
The Online Certificate Status Protocol (OCSP) was created as an alternative to the Certificate Revocation List (CRL) protocol. Both protocols are used to check if an SSL certificate has been revoked.
The CRL protocol requires browsers to download a large amount of SSL certificate revocation information: the serial number and the revocation date of every revoked certificate. The problem with the CRL protocol is that it can lengthen the SSL negotiation.
The OCSP protocol eliminates the need for browsers to spend time downloading and searching through a list of certificate information. With OCSP, the browser simply issues a query to receive a response from the OCSP responder (the CA's server that specifically listens for and responds to OCSP requests) about the status of the certificate revocation.
OCSP Stapling
OCSP Stapling enhances the OCSP protocol by letting website hosts take a more active role in improving the client (browser) experience. With OCSP Stapling, the certificate holder (i.e., the web server) queries the OCSP responder directly and caches the response. The cached response is then delivered during the TLS/SSL handshake through the Certificate Status Request extension, so the browser receives the certificate status as quickly as it receives the website content.
OCSP Stapling solves OCSP's privacy issue, because the CA no longer receives revocation queries directly from the client (browser). When the browser queries the third-party CA (Certificate Authority) itself, the website's visitors are exposed (the CA learns which users are visiting our website). OCSP Stapling also removes the SSL negotiation latency caused by OCSP, since no separate network connection to the CA's responder is needed.
Check OCSP Stapling
Two methods are available to check whether OCSP stapling is enabled.
Online website query: open the online checking tool and enter the domain name. As shown below:
OCSP Staple: Good means it is enabled; Not Enabled means it is not enabled.
You can also query from the command line with the openssl tool, as follows:
In the output, OCSP response: no response sent means stapling is not enabled, while OCSP Response Status: successful (0x0) means it is enabled.
As shown below:
Configure OCSP Stapling on the Nginx server
Modify the nginx configuration file for the domain and add the following inside the server block:
Remember to restart the nginx service after the configuration is complete.
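The directives the post refers to are not preserved above, so here is an added example (not the post's own configuration) of a server block with OCSP stapling enabled and verified. The domain name, file paths and resolver address are assumptions.

```nginx
# Added example, not the original post's configuration.
# Domain, paths and resolver address below are assumed placeholder values.
server {
    listen 443 ssl;
    server_name example.com;                                         # assumed domain

    # Leaf certificate followed by the intermediate(s): nginx needs the issuer
    # certificate to locate the OCSP responder URL and verify the response.
    ssl_certificate     /etc/nginx/ssl/example.com.fullchain.pem;    # assumed path
    ssl_certificate_key /etc/nginx/ssl/example.com.key;              # assumed path
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Let nginx fetch the OCSP response from the CA's responder, cache it, and
    # staple it into the handshake (Certificate Status Request extension).
    ssl_stapling on;

    # Verify the fetched OCSP response against the CA chain before stapling it;
    # a response that fails verification is not sent to clients.
    ssl_stapling_verify on;

    # Intermediate + root CA certificates used to verify the OCSP response.
    ssl_trusted_certificate /etc/nginx/ssl/example.com.chain.pem;    # assumed path

    # A DNS resolver is required so nginx can resolve the responder host named
    # in the certificate's Authority Information Access extension.
    # Use your own internal resolver; 127.0.0.53 is only an assumed value.
    resolver 127.0.0.53 valid=300s;
    resolver_timeout 5s;

    location / {
        root /var/www/example.com;                                   # assumed path
    }
}

# Before reloading, check the syntax:   nginx -t
# Then verify from a client (assumed check command, not part of the config):
#   openssl s_client -connect example.com:443 -servername example.com -status </dev/null
# Expect "OCSP Response Status: successful (0x0)" in the output.
# Caveat: nginx fetches the OCSP response lazily, so the first handshake after a
# reload may still show "OCSP response: no response sent"; repeat the check
# after a few seconds once the response has been cached.
```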