SecureBlackbox 16: Using OCSP Stapling in the TLS-Enabled Components


OCSP stapling is the procedure of “caching” an OCSP response for the TLS server certificate and sending the response together with the certificate during the TLS handshake. OCSP stapling saves the client from creating a separate connection to the OCSP responder, speeds up the TLS handshake, and reduces load on the OCSP servers. As such, using OCSP stapling is recommended wherever possible.

OCSP stapling is implemented via TLS extensions and a separate OCSP client component.

Server-Side Setup

To make use of OCSP stapling on the server, follow the steps below:

  1. Request an OCSP response for your server-side TLS certificate from the OCSP authority. The response can be obtained using the TElHTTPOCSPClient or TElFileOCSPClient components. The OCSPClient sample included with SecureBlackbox (in the \Samples\PKIBlackbox folder) illustrates how this is done.

  2. Save the obtained OCSP response to the buffer using the TElOCSPResponse.Save method for use in the subsequent procedure. Note that OCSP responses expire in time. The OCSP response is a collection of "single certificate" responses with one or more elements. Each entry in the collection is of the TElOCSPSingleResponse type. The individual entry contains ThisUpdate and NextUpdate properties. The NextUpdate property tells you when the update for this entry will be available. After this time, the current entry will expire and the update will be required.

You use the saved response to setup your TLS server component (most likely it's an instance of the TElSSLServer class) to handle the OnExtensionsReceived event. In the OnExtensionsReceived event handler, you need to do the following:

  1. Check if the PeerExtensions.CertificateStatus.Enabled property is true (PeerExtensions is a property of the TElSSLServer class). If it's not set to true, then the client does not support OCSP stapling. Do not send the OCSP response to such a client, as this might cause the client to crash.
  2. Create an instance of the TElOCSPResponse class.
  3. Use the Load method to load the saved response from the buffer.
  4. Assign the instance of TElOCSPResponse to Extensions.CertificateStatus.OCSPResponse (Extensions is a property of the TElSSLServer class).
  5. Set Extensions.CertificateStatus.StatusType to cstOCSP
  6. Set Extensions.CertificateStatus.Enabled to true.

Client-Side Setup

To use OCSP stapling on the client, follow the steps below:

  1. Before connecting to the server, set the Extensions.CertificateStatus.Enabled property to true (Extensions is a property of the TElSSLClient class and TLS-enabled client classes).

  2. Setup your TLS client component to handle the OnExtensionsReceived event. This also should be done before the client connects to the server.

In the OnExtensionsReceived event handler, you need to do the following:

  1. Check the PeerExtensions.CertificateStatus.Enabled property. If it is false, there was no OCSP response included and the next steps are to be omitted.
  2. Create an instance of TElOCSPResponse and use its Load method to read the response from the PeerExtensions.CertificateStatus.OCSPResponse property (which is a buffer).
  3. Assuming that you use the TElX509CertificateValidator class to validate the server certificate, pass the instance of TElOCSPResponse to the TElX509CertificateValidator.AddKnownOCSPResponses method before calling TElX509CertificateValidator.ValidateForSSL.

We appreciate your feedback. If you have any questions, comments, or suggestions about this article please contact our support team at support@nsoftware.com.