SRG

SCSIraidGURU’s World

OCSP Stapling

 

 

Requires: 
Requires Apache 2.4.36 & OpenSSL 1.1.1

 

sudo a2enmod file_cache
sudo a2enmod authn_socache
sudo a2enmod socache_shmcb
sudo a2enmod authz_core authz_host access_compat socache_shmcb slotmem_shm socache_dbm

OCSP Stapling requires DNS to resolve ocsp.godaddy.com.   I added /etc/resolver.conf entries for my two Ubuntu 20.04 DNS servers.

 nslookup ocsp.godaddy.com
Server:         192.168.1.xxx
Address:        192.168.1.xxx#53

Non-authoritative answer:
ocsp.godaddy.com        canonical name = ocsp.godaddy.com.akadns.net.
Name:   ocsp.godaddy.com.akadns.net
Address: 192.124.249.36
Name:   ocsp.godaddy.com.akadns.net
Address: 192.124.249.22
Name:   ocsp.godaddy.com.akadns.net
Address: 192.124.249.23
Name:   ocsp.godaddy.com.akadns.net
Address: 192.124.249.24
Name:   ocsp.godaddy.com.akadns.net
Address: 192.124.249.41

Compare dig on internal and external DNS for ocsp.godaddy.com

 dig A +short ocsp.godaddy.com
ocsp.godaddy.com.akadns.net.
192.124.249.22
192.124.249.24
192.124.249.23
192.124.249.36
192.124.249.41

 dig A +short ocsp.godaddy.com @8.8.8.8
ocsp.godaddy.com.akadns.net.
192.124.249.23
192.124.249.41
192.124.249.24
192.124.249.36
192.124.249.22

Final sites-available configuration file

 <IfModule mod_ssl.c>
# OCSP Stapling
SSLCryptoDevice dynamic
SSLStaplingCache shmcb:/var/log/apache2/wp.scsiraidguru.com/ssl_stapling_cache(128000)
SSLSessionCache shmcb:/var/log/apache2/wp.scsiraidguru.com/ssl_scache(512000)

Mutex file:/var/log/apache2/wp.scsiraidguru.com/ ssl-cache
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLPassPhraseDialog builtin

<VirtualHost *:443>
ServerName wp.scsiraidguru.com
ServerAdmin mike.mckenney@scsiraidguru.com
ServerAlias www.scsiraidguru.com scsiraidguru.com
DocumentRoot /var/www/wp.scsiraidguru.com/public_html

SSLEngine On
SSLCertificateFile
SSLCertificateKeyFile
SSLCACertificateFile /etc/apache2/ssl/gd_bundle-g2-g1.crt
SSLOpenSSLConfCmd DHParameters “/etc/apache2/ssl/dhparams.pem”
SSLOCSPEnable on
SSLUseStapling on
SSLOCSPResponseMaxAge 900
SSLOCSPResponseTimeSkew 300
SSLStaplingReturnResponderErrors off
SSLStaplingErrorCacheTimeout 60
Header always set Strict-Transport-Security “max-age=63072000; includeSubDomains; preload”
ErrorLog /var/log/apache2/wp.scsiraidguru.com/error.log
CustomLog /var/log/apache2/wp.scsiraidguru.com/access.log combined

</VirtualHost>

<VirtualHost *:80>
ServerName wp.scsiraidguru.com
ServerAlias www.scsiraidguru.com scsiraidguru.com
Redirect permanent / https://wp.scsiraidguru.com
</VirtualHost>

## Only enable TLS v1.2 and v1.3 and avoid older protocols ##
SSLProtocol -all +TLSv1.3 +TLSv1.2

SSLOpenSSLConfCmd Curves X25519:secp521r1:secp384r1:prime256v1
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:+HIGH:!MEDIUM:!LOW:!CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:!DES:!RC4:!MD5:!RSA:!3DES:!SRP:!DSS:!SHA1:!SHA256:!SHA384
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off

## Permission for our DocumentRoot ##
<Directory /var/www/wp.scsiraidguru.com/public_html>
Options Indexes FollowSymLinks
AllowOverride All
</Directory>
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

SSL Labs.com rating for this site

openssl x509 -noout -ocsp_uri -in scsiraidguru.pem
http://ocsp.godaddy.com/

OCSP Stapling

OCSP Stapling is one of the many new features introduced with httpd 2.4. It allows client software using SSL to communicate with your server to efficiently check that your server certificate has not been revoked.

echo QUIT | openssl s_client -connect wp.scsiraidguru.com:443 -status 2> /dev/null | grep -A 17 ‘OCSP response:’ | grep -B 17 ‘Next Update’
OCSP response:
======================================
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority – G2
Produced At: May 28 14:16:10 2020 GMT
Responses:
Certificate ID:
Hash Algorithm:
Issuer Name Hash:
Issuer Key Hash:
Serial Number:
Cert Status: good
This Update: May 28 14:16:10 2020 GMT
Next Update: May 30 02:16:10 2020 GMT

openssl ocsp -issuer /etc/apache2/ssl/gd_bundle-g2-g1.crt -cert scsiraidguru.pem -text -url http://ocsp.godaddy.com
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash:
Issuer Key Hash:
Serial Number:
Request Extensions:
OCSP Nonce:
0410A0ED312EFB8DC85FDEF658DAB479334D
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority – G2
Produced At: Jun 2 14:18:36 2020 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash:
Issuer Key Hash:
Serial Number:
Cert Status: good
This Update: Jun 2 14:18:36 2020 GMT
Next Update: Jun 4 02:18:36 2020 GMT

Signature Algorithm: sha256WithRSAEncryption

Certificate:
Data:
Version: 3 (0x2)
Serial Number: 5892472333911791684 (0x51c6445e37a11844)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority – G2
Validity
Not Before: Sep 17 07:00:00 2019 GMT
Not After : Sep 17 07:00:00 2020 GMT
Subject: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy Inc., CN=Go Daddy Validation Authority – G2
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:

Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage: critical
Digital Signature, Non Repudiation
X509v3 Extended Key Usage:
OCSP Signing
X509v3 Subject Key Identifier:

OCSP No Check:

X509v3 CRL Distribution Points:

Full Name:
URI:http://crl.godaddy.com/repository/mastergodaddy2issuing.crl

X509v3 Certificate Policies:
Policy: 2.16.840.1.114413.1.7.23.1
CPS: http://crl.godaddy.com/repository/

Signature Algorithm: sha256WithRSAEncryption

—–BEGIN CERTIFICATE—–

—–END CERTIFICATE—–
WARNING: no nonce in response
Response verify OK
scsiraidguru.pem: good
This Update: Jun 2 14:18:36 2020 GMT
Next Update: Jun 4 02:18:36 2020 GMT
root@ubuntuwpmm:~#

openssl x509 -text -noout -in scsiraidguru.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
96:e3:c1:85:b0:9b:61:2a
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, ST = Arizona, L = Scottsdale, O = “GoDaddy.com, Inc.”, OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority – G2
Validity
Not Before: May 26 14:09:22 2020 GMT
Not After : Jul 22 13:50:08 2022 GMT
Subject: OU = Domain Control Validated, CN = wp.michaelmckenney.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:

Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 CRL Distribution Points:

Full Name:
URI:http://crl.godaddy.com/gdig2s1-1994.crl

X509v3 Certificate Policies:
Policy: 2.16.840.1.114413.1.7.23.1
CPS: http://certificates.godaddy.com/repository/
Policy: 2.23.140.1.2.1

Authority Information Access:
OCSP – URI:http://ocsp.godaddy.com/
CA Issuers – URI:http://certificates.godaddy.com/repository/gdig2.crt

X509v3 Authority Key Identifier:
keyid:

X509v3 Subject Alternative Name:
DNS:wp.michaelmckenney.com, DNS:www.wp.michaelmckenney.com, DNS:virl.scsiraidguru.com, DNS:wp.scsiraidguru.com, DNS:wp.patrickmckenneylandscaping.com
X509v3 Subject Key Identifier:

CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID :

Timestamp : May 26 14:09:39.236 2020 GMT
Extensions: none
Signature : ecdsa-with-SHA256

Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID :

Timestamp : May 26 14:09:39.907 2020 GMT
Extensions: none
Signature : ecdsa-with-SHA256

Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID :
Timestamp : May 26 14:09:40.096 2020 GMT
Extensions: none
Signature : ecdsa-with-SHA256

Signature Algorithm: sha256WithRSAEncryption

openssl s_client -connect scsiraidguru.com:443 -showcerts 2>&1 < /dev/null
CONNECTED(00000003)
depth=2 C = US, ST = Arizona, L = Scottsdale, O = “GoDaddy.com, Inc.”, CN = Go Daddy Root Certificate Authority – G2
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = “GoDaddy.com, Inc.”, OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority – G2
verify return:1
depth=0 OU = Domain Control Validated, CN = wp.michaelmckenney.com
verify return:1

Certificate chain
0 s:OU = Domain Control Validated, CN = wp.michaelmckenney.com
i:C = US, ST = Arizona, L = Scottsdale, O = “GoDaddy.com, Inc.”, OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority – G2
—–BEGIN CERTIFICATE—–

—–END CERTIFICATE—–
1 s:C = US, ST = Arizona, L = Scottsdale, O = “GoDaddy.com, Inc.”, OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority – G2
i:C = US, ST = Arizona, L = Scottsdale, O = “GoDaddy.com, Inc.”, CN = Go Daddy Root Certificate Authority – G2
—–BEGIN CERTIFICATE—–

—–END CERTIFICATE—–
2 s:C = US, ST = Arizona, L = Scottsdale, O = “GoDaddy.com, Inc.”, CN = Go Daddy Root Certificate Authority – G2
i:C = US, O = “The Go Daddy Group, Inc.”, OU = Go Daddy Class 2 Certification Authority
—–BEGIN CERTIFICATE—–

—–END CERTIFICATE—–
3 s:C = US, O = “The Go Daddy Group, Inc.”, OU = Go Daddy Class 2 Certification Authority
i:C = US, O = “The Go Daddy Group, Inc.”, OU = Go Daddy Class 2 Certification Authority
—–BEGIN CERTIFICATE—–

—–END CERTIFICATE—–

Server certificate
subject=OU = Domain Control Validated, CN = wp.michaelmckenney.com

issuer=C = US, ST = Arizona, L = Scottsdale, O = “GoDaddy.com, Inc.”, OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority – G2


No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits

SSL handshake has read 5817 bytes and written 398 bytes
Verification: OK

New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)


Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID:
Session-ID-ctx:
Resumption PSK:
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:

Start Time: 1591109810
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0

read R BLOCK

Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID:
Session-ID-ctx:
Resumption PSK:
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:

Start Time: 1591109810
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0

read R BLOCK
DONE