Online Certificate Status Protocol (OCSP) stapling is a combined performance and security feature that improves the connection speed of an SSL/TLS handshake, by combining two requests into one.
An SSL/TLS handshake involves both sides exchanging acknowledgement messages, the client getting and checking the revocation status of the certificate, performing two-way verification, choosing cryptographic algorithms, and deciding on session keys. Since this process is relatively lengthy, any such optimizations can help boost application performance at scale.
Browsers most commonly use OCSP to grab a certificate's revocation status directly from the certificate authority (CA). This requires a request to check the certificate status, a response sharing that status, and an automatically-scheduled check at a later date.
How does Online Certificate Status Protocol (OCSP) stapling work?
A server that's presenting a certificate gets a signed and time-limited statement from the certificate authority, confirming that the certificate is still valid. When a client connects to the server, it gets both the certificate and signed validity statement (OCSP response). The client doesn’t have to reach out separately to check if the certificate has been revoked. This mechanism enables real-time certificate validation. Here's how it works:
Periodically (between 8 hours and 10 days depending on the certificate authority), the server gets a signed statement of validity from the certificate authority.
A user requests a resource or website at a secure URL that employs HTTP.
An SSL/TLS handshake is initiated between the client and the service.
The web server gives the client both the certificate and OSCP statement to the client during the same exchange.
The client can then decide if the certificate is trustworthy without requiring a separate connection to the certificate authority (CA).
Does HAProxy support Online Certificate Status Protocol (OCSP) stapling?
Yes! HAProxy supports automatic OCSP stapling response updates for configured certificates. To learn more about enabling OCSP stapling in HAProxy, check out our OCSP documentation.
